On Tue, Sep 20, 2016 at 8:39 PM, FredB <fredbmail@xxxxxxx> wrote:
I'm searching for a way to use a secure SSO with Squid, how did you implement the authentication method with an implicit proxy?
I'm reading a lot of documentation about SAML, but I found nothing about Squid
I guess we can only do something with cookies?
Hi Fred
Proxies only support "HTTP authentication" methods: Basic, Digest, NTLM, etc. So you either have to use one of those, or perhaps "fake" the creation of one of those...?
E.g. you mentioned SAML, but gave no context beyond saying you didn't want AD. So let's say SAML is a requirement. Well, that's directly impossible as it isn't an "HTTP authentication" method, but you could hit it from the sides...
How about putting a SAML SP on your squid server, and it generates fresh random Digest authentication creds for any authenticated user (i.e. same username, but 30-char random password), and tells them to cut-n-paste them into their web browser proxy prompt and "save" them. That way the proxy is using Digest and it involved a one-off SAML interaction. I say Digest instead of Basic because Digest is more secure over cleartext - but it's also noticeably slower than Basic over latency links, so you can choose your poison there.
If you're really keen, you can actually do proxy-over-TLS via WPAD with Firefox/Chrome - at which point I'd definitely recommend Basic for the performance reasons ;-)
Cheers
Jason Haar
Information Security Manager, Trimble Navigation Ltd.
Phone: +1 408 481 8171
PGP Fingerprint: 7A2E 0407 C9A6 CAF6 2B9F 8422 C063 5EBB FE1D 66D1
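The credential-issuing step suggested in the reply above, as an added example that is not part of the original post: after a SAML login, generate a 30-character random password and store only the RFC 2617 HA1 hash in the username:realm:HA1 form that Squid's digest_file_auth helper reads with -c. The function names, the user "fred" and the realm string are hypothetical; the realm must match whatever the proxy's auth_param digest realm is set to.

```python
import hashlib
import secrets
import string

ALPHABET = string.ascii_letters + string.digits  # survives cut-and-paste

def md5_hex(text):
    return hashlib.md5(text.encode("utf-8")).hexdigest()

def ha1_for(username, realm, password):
    """HA1 = MD5(username:realm:password), the only secret the proxy stores."""
    return md5_hex(f"{username}:{realm}:{password}")

def issue_credentials(username, realm, length=30):
    """Called by the (hypothetical) SP page after a successful SAML login."""
    if ":" in username or ":" in realm:
        raise ValueError("':' is the field separator in the digest file")
    password = "".join(secrets.choice(ALPHABET) for _ in range(length))
    return password, f"{username}:{realm}:{ha1_for(username, realm, password)}"

def digest_response(ha1, method, uri, nonce, nc, cnonce, qop="auth"):
    """RFC 2617 response value (qop=auth) the browser sends back."""
    ha2 = md5_hex(f"{method}:{uri}")
    return md5_hex(f"{ha1}:{nonce}:{nc}:{cnonce}:{qop}:{ha2}")

def verify(file_line, username, method, uri, nonce, nc, cnonce, response):
    """Proxy-side check from the stored line alone; the password is not needed."""
    user, _realm, ha1 = file_line.split(":")
    expected = digest_response(ha1, method, uri, nonce, nc, cnonce)
    return user == username and secrets.compare_digest(expected, response)

if __name__ == "__main__":
    # Constructed sample values: user, realm, nonce and cnonce are made up.
    pw, line = issue_credentials("fred", "Squid proxy")
    print("show once to the user:", pw)
    print("append to digest file:", line)
    resp = digest_response(ha1_for("fred", "Squid proxy", pw), "CONNECT",
                           "example.org:443", "constructednonce", "00000001", "abcd1234")
    print("verifies:", verify(line, "fred", "CONNECT", "example.org:443",
                              "constructednonce", "00000001", "abcd1234", resp))
```

Re-issuing for the same user should replace that user's existing line in the file, which also revokes the previously saved password.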