shibboleth-dev - SPNEGO experiences
Subject: Shibboleth Developers
- From: caleb racey <>
- To: "''" <>
- Subject: SPNEGO experiences
- Date: Wed, 3 Jun 2009 16:07:25 +0100
- Accept-language: en-GB
Hi, I have seen that SPNEGO is tabled to be discussed on the next DEV call, so I
thought we would share our experiences as I think they might be relevant.
We have some experience getting SPNEGO to work with shib in a "usable"
manner. We are using CAS's SPNEGO support to provide login to a shib2 IDP. We
would much rather use a login handler so we can support the shib2 flows
(isPassive is particularly desirable) and reduce the complexity of our login
stack.
Our username password store is Active Directory so we rely on its Kerberos
support. In order for SPNEGO authentication to work, the client needs to be
using a browser which supports SPNEGO. Internet Explorer is the only browser
that supports and is configured to allow SPNEGO "out of the box" - Firefox
etc. have to be configured to trust the server that is asking for the
credentials (about:config then network.negotiate-auth.trusted-uris, if I
remember correctly).
IE + SPNEGO works well on user browsers on PCs joined to the campus Active
Directory domain.
However problems arise when Internet Explorer is used from a machine not
joined to the domain e.g. access from home computers, personal laptops etc.
In these cases IE does not automatically trust the login server and has poor
failover behaviour, instead of failing over to other login techniques like
web forms it pops up the grey basic authentication box. This is unacceptable
because the browser still displays the SPs address in the address bar, the
user therefore can't see whether the SP has genuinely redirected them to the
right IDP or if they are being spoofed. Firefox fails over nicely to present
the user with the nice web form but we need to support IE.
To get true SSO + shib to work properly, logic needs to be used before
deciding which login technique to present to the user: SPNEGO if they have
Internet Explorer/are in a trusted domain i.e. "on campus", or else
form-login if they don't meet these requirements. This logic enables fail
over to proper web form login and not the spoofable basic auth grey box
authentication.
In order to achieve this using CAS we now have 2 IDPs: one which has CAS
configured to provide SPNEGO login support to the set of internal apps that
require it, and another IDP with CAS and no SPNEGO configured which handles
all other logins. On the SPs we use lazy sessions and application code to
detect whether the user is on campus and using IE; if so, they get directed to
the SPNEGO IDP, if not they get the normal web form based one.
This is admittedly a hacky inelegant solution to the problem, but it works.
If a SPNEGO login handler is to be made it will likely need to incorporate
logic that allows it to detect user agent strings, IP addresses etc. and
fail over login to alternative methods.
Additionally, as part of a JISC project we did a short scoping study on how
easy it would be to port CAS's SPNEGO support to a shib SPNEGO handler, see
http://gfivo.ncl.ac.uk/documents/Shib_SPNEGO.pdf (Summary: looks easy
enough, licensing looks compatible, requires levels of Java and Spring
knowledge which we don't have.)
Apologies for the length of this email, I have tried to keep it short but
the complexity of actually using SPNEGO is the enemy of brevity.
Regards
Cal
Caleb Racey
Team Leader
Middleware Team
ISS
Newcastle University
U.K.
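As an added illustration of the failover logic the mail describes (example code, not from the original post, Shibboleth or CAS): offer SPNEGO only to Internet Explorer clients on campus addresses, and send everyone else to the web form so IE is never left facing the spoofable basic-auth dialog. The campus address ranges, handler names and user-agent patterns are assumptions.

```python
"""Login-method selection for an SPNEGO-capable IdP front end."""
import ipaddress
import re
from dataclasses import dataclass

# Constructed campus ranges (assumption, not any real institution's space).
CAMPUS_NETWORKS = [
    ipaddress.ip_network("10.0.0.0/8"),
    ipaddress.ip_network("192.0.2.0/24"),
]

# IE identifies itself with "MSIE x.y"; IE8+ also carries a "Trident/" token
# and IE11 drops "MSIE" entirely, so both markers are checked.
_IE_RE = re.compile(r"\bMSIE\s|\bTrident/")


@dataclass(frozen=True)
class LoginDecision:
    handler: str   # "spnego" or "form" (assumed handler names)
    reason: str    # why this handler was chosen, for logging


def is_internet_explorer(user_agent: str) -> bool:
    return bool(_IE_RE.search(user_agent or ""))


def is_on_campus(client_ip: str) -> bool:
    """True only for a well-formed address inside a campus range."""
    try:
        addr = ipaddress.ip_address(client_ip)
    except ValueError:
        return False           # garbage or missing address: treat as off campus
    return any(addr in net for net in CAMPUS_NETWORKS)


def choose_login_handler(user_agent: str, client_ip: str) -> LoginDecision:
    """SPNEGO only when both conditions hold; otherwise fail over to the form.

    Choosing the form explicitly means an off-campus IE is never sent a
    401 Negotiate it cannot answer, which is what raises the grey basic-auth
    box while the SP's address is still in the address bar.
    """
    if not is_internet_explorer(user_agent):
        return LoginDecision("form", "browser is not IE; no default SPNEGO trust")
    if not is_on_campus(client_ip):
        return LoginDecision("form", "off campus; machine probably not domain-joined")
    return LoginDecision("spnego", "IE on a campus address")
```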