Shibboleth Developers

["Wilcox, Mark" <>]

Title: OS X info, webDAV use case

Yup, Apache mod_dav can use any of the Apache auth/authz modules, the issue is clients.

 

DAV is perhaps one of the most trickiest use case to solve because we have so little control over how the client will function & clients are all over the map. At least with SOAP, it's reasonable to expect that client apps will be custom written so that if we send back a SOAP header for redirect, a programmer can handle it.

 

And I'm intimately familiar with the case because we've had WebDAV and SSO capability for so long & this problem occurs with any browser based SSO system & DAV.

 

Unfortunately, there only reliable auth mechanism due to client issues is to use some form of BASIC auth because none of the clients I know of can handle HTTP redirects or guranteed access to a browser cookie cache. So most (WebCT) customers end up using something like LDAP to verify passwords (in particular if LDAP is the backing auth store for the campus SSO system) so that users don't have to remember multiple username/passwords.

 

A potential case I've thought of is that servers running Web DAV and wanted to participate in Shib would have a 2 step process. *Note this is ugly solution and may prove to be unworkable, but I'll put it out there* -- that is before setting up your DAV connection you go to a Web site that reads a shib token & authorizes you for DAV access. It prints out on the screen a username/password (for example a MD5 hash) to pass to your DAV connection as part of Basic Auth. DAV server then has a authentication adapter that validates the password.*

 

And here's what I would list as the most common DAV client use cases:

1 -- MS Web Folders -- DAV (and FrontPage) client standard on all Windows systems Win98 and higher.

 

2 -- Dreamweaver -- has had DAV support for 3 years. A major limitation in Dreamweaver is that it doesn't do SSL.

 

3 -- OS X DAV client -- similar to Web Folders concept

 

4 -- WebDrive -- this is a minority, but is still fairly popular. It essentially extends Web Folders concept so that it matches more closely to what OS X does -- you can map a drive letter to a DAV folder. Web Folders don't map drive letters, so unless you're using Office 2000 or higher applications, you have to use Windows Explorer to drag & drop 

 

A final note -- I wonder if for DAV we should focus more on using Shib for authorization and not authentication. That is if I know it's and unt.edu is in my federation can I call the unt.edu origin server to see data about mewilcox?

 

Mark

 

-----Original Message-----
From: [mailto:]
Sent: Wed 9/24/2003 9:32 AM
To:
Cc:
Subject: OS X info, webDAV use case

webdav was one one of the use cases discussed during this past
monday's conf call. Altho, strictly speaking, it may not sound like a
"non-browser, non-web application" (since it runs over http), the
clients are often something other than a web browser.

During the call, it was noted that the apache plugin mod_dav works
with shibboleth.

The next problem was finding a client that could provide the
appropriate SAML assertions....

Here's some info about the WEBDAV support built into OS X....

this functionality is available via the Mac FINDER. However, based
on this note from Apple, it appears that the core functionality may
be built into Darwin, the open source system that OS X is built
on...... check out the man page for mount_webdav

so.... what  would a use case for this look like?

>From: Daryl Hawes <>
>Date: Tue Sep 23, 2003  6:50:29 PM US/Eastern
>To: jaym <>
>Subject: Re: WebDAV code - in Finder or in Darwin ?
>
>Jay,
>   
>http://developer.apple.com/documentation/Darwin/Reference/ManPages/html/mount_webdav.8.html
>    Darwin man pages available for the mount_webdav open source
>command line tool which shows that darwin has the webdav mount
>capabilities.
>    They can browse the Darwin code at
>http://www.opensource.apple.com/darwinsource/index.html
>    More specifically, the WebDAV file system section:
>http://www.opensource.apple.com/darwinsource/10.2.8/webdavfs-115/
>
>Daryl Hawes
>
>

------------------------------------------------------mace-shib-design-+
For list utilities, archives, subscribe, unsubscribe, etc. please visit the
ListProc web interface at

    http://archives.internet2.edu/

------------------------------------------------------mace-shib-design--