Re: [Catalyst] Catalyst and Shibboleth authentication
Mike Whitaker wrote:
> On 14 Mar 2008, at 19:00, Kirby Krueger wrote:
>> Greetings,
>>
>> I'm writing a new web application, and have decided to jump into Catalyst (because I am smart.)
>>
>> One thing that Catalyst seems to do well is have a good mechanism for plugging in standard approaches to things. Here at the University of Washington, we use a project called 'Shibboleth' for authentication: http://shibboleth.internet2.edu/
>
> I dunno exactly what Shibboleth does, but if the notes on dealing with external single sign on (http://catwiki.toeat.com/gettingstarted/tutorialsandhowtos/sso_authentication) are any help, steal away :) (JayK did sanity check them for me, and He Should Know :) )

Well, The Whole Thing seems reasonable; however, maybe you'll provide me with some idea on more complex setup?

I want to AUTHENTICATE users via some external SSO, but KEEP users once they've been authenticated into database. I have (still) no good idea on interaction of Realm, Password and Store...

Alex.

___
List: Catalyst@lists.scsys.co.uk
Listinfo: http://lists.scsys.co.uk/cgi-bin/mailman/listinfo/catalyst
Searchable archive: http://www.mail-archive.com/catalyst@lists.scsys.co.uk/
Dev site: http://dev.catalyst.perl.org/
Re: [Catalyst] Catalyst and Shibboleth authentication
On Mar 15, 2008, at 10:22 AM, Alex Povolotsky wrote:
> Mike Whitaker wrote:
>> On 14 Mar 2008, at 19:00, Kirby Krueger wrote:
>>> Greetings,
>>>
>>> I'm writing a new web application, and have decided to jump into Catalyst (because I am smart.)
>>>
>>> One thing that Catalyst seems to do well is have a good mechanism for plugging in standard approaches to things. Here at the University of Washington, we use a project called 'Shibboleth' for authentication: http://shibboleth.internet2.edu/
>>
>> I dunno exactly what Shibboleth does, but if the notes on dealing with external single sign on (http://catwiki.toeat.com/gettingstarted/tutorialsandhowtos/sso_authentication) are any help, steal away :) (JayK did sanity check them for me, and He Should Know :) )
>
> Well, The Whole Thing seems reasonable; however, maybe you'll provide me with some idea on more complex setup?
>
> I want to AUTHENTICATE users via some external SSO, but KEEP users once they've been authenticated into database. I have (still) no good idea on interaction of Realm, Password and Store...

This might be a way to approach it: http://openid.net/specs/openid-simple-registration-extension-1_1-01.html

Use OpenID to authenticate and the simple registration protocol to save their info in your own DB (in this case there would be no local password saved, the realm would always be the OpenID path and I'm not sure how you'd connect that with your local store). OpenID accounts are free at several sites so it's not a high barrier to entry.

There is a family of CPAN modules by Brad Fitzpatrick and I think one or two OpenID plugins for Cat. The protocol is pretty simple but hacking on it can be very confusing and can make certain setups tricky (I chased a bug for 10 hours doing the stuff b/c I stupidly had the id server address set to / when the real resource was /index.pl).

-Ashley
Re: [Catalyst] Catalyst and Shibboleth authentication
Mike Whitaker wrote:
> I dunno exactly what Shibboleth does, but if the notes on dealing with external single sign on (http://catwiki.toeat.com/gettingstarted/tutorialsandhowtos/sso_authentication) are any help, steal away :) (JayK did sanity check them for me, and He Should Know :) )

That page is slightly incorrect. In C::A::Store::Null -based class, apparently $storeclass->can('find_user') returns 0 (called from C::A::Authentication::Realm.pm line 85) so Realm tries to construct find_user by itself, without success.

I'm still trying to figure the whole thing out.

Alex.
Re: [Catalyst] Catalyst and Shibboleth authentication
Ashley wrote:
>> Well, The Whole Thing seems reasonable; however, maybe you'll provide me with some idea on more complex setup?
>>
>> I want to AUTHENTICATE users via some external SSO, but KEEP users once they've been authenticated into database. I have (still) no good idea on interaction of Realm, Password and Store...
>
> This might be a way to approach it: http://openid.net/specs/openid-simple-registration-extension-1_1-01.html
>
> Use OpenID to authenticate and the simple registration protocol to save their info in your own DB (in this case there would be no local password saved, the realm would always be the OpenID path and I'm not sure how you'd connect that with your local store). OpenID accounts are free at several sites so it's not a high barrier to entry.
>
> There is a family of CPAN modules by Brad Fitzpatrick and I think one or two OpenID plugins for Cat. The protocol is pretty simple but hacking on it can be very confusing and can make certain setups tricky (I chased a bug for 10 hours doing the stuff b/c I stupidly had the id server address set to / when the real resource was /index.pl).

OpenID for authentication with role-based authorization seems to be a reasonable thing, isn't it?

For now, I've made an EXTREMELY simple SSO, just to prove the concept. Once I get Catalyst modules to work (with SSO-based authentication and role-based authorization) I'll look at OpenID.

Alex
Re: [Catalyst] Catalyst and Shibboleth authentication
Mike Whitaker wrote:
> On 14 Mar 2008, at 19:00, Kirby Krueger wrote:
>> Greetings,
>>
>> I'm writing a new web application, and have decided to jump into Catalyst (because I am smart.)
>>
>> One thing that Catalyst seems to do well is have a good mechanism for plugging in standard approaches to things. Here at the University of Washington, we use a project called 'Shibboleth' for authentication: http://shibboleth.internet2.edu/
>
> I dunno exactly what Shibboleth does, but if the notes on dealing with external single sign on (http://catwiki.toeat.com/gettingstarted/tutorialsandhowtos/sso_authentication) are any help, steal away :) (JayK did sanity check them for me, and He Should Know :) )

I've made it, I've made it twice different ways. I wonder why wiki suggests to override storage; overriding credentials should be much more reasonable.

Alex.
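
The approach discussed in the thread (authenticate through the external SSO, keep the user in a local database, and override the credential rather than the store) could look like the sketch below. This is an added example, not code from the thread or the wiki page. It assumes the web server's SSO module sets REMOTE_USER; the package name, the realm name `sso`, the model `DB::User` and the field `username` are hypothetical.

```perl
package MyApp::Authentication::Credential::SSO;    # hypothetical name
use strict;
use warnings;

# Credential interface expected by Catalyst::Plugin::Authentication:
# new($config, $app, $realm) and authenticate($c, $realm, $authinfo).
sub new {
    my ($class, $config, $app, $realm) = @_;
    # Field in the local user store that holds the SSO identifier.
    my $self = { username_field => $config->{username_field} || 'username' };
    return bless $self, $class;
}

sub authenticate {
    my ($self, $c, $realm, $authinfo) = @_;

    # REMOTE_USER is set by the web server's SSO module only after it has
    # validated the session. Do not fall back to a request header or form
    # parameter: those are client-controlled.
    my $remote_user = $c->req->remote_user;
    return unless defined $remote_user && length $remote_user;

    # Constructed sanity pattern (user or user@scope); adjust to the
    # identifier format your identity provider actually issues.
    return unless $remote_user =~ /\A[\w.\-]+(?:\@[\w.\-]+)?\z/;

    # Look the user up in the realm's store. With auto_create_user set on
    # the realm, a store that implements it creates the record on first
    # login, so roles can then be attached to the local row.
    return $realm->find_user({ $self->{username_field} => $remote_user }, $c);
}

1;

# Realm configuration in MyApp.pm (realm and model names are assumptions):
#
#   'Plugin::Authentication' => {
#       default_realm => 'sso',
#       realms => {
#           sso => {
#               auto_create_user => 1,
#               credential => { class => '+MyApp::Authentication::Credential::SSO' },
#               store      => { class => 'DBIx::Class', user_model => 'DB::User' },
#           },
#       },
#   },
#
# A controller then calls $c->authenticate({}, 'sso') and treats a false
# return as "not logged in".
```

No password is stored locally in this arrangement; the local row exists only to hold roles and profile data keyed by the SSO identifier.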
[Catalyst] Catalyst and Shibboleth authentication
Greetings,

I'm writing a new web application, and have decided to jump into Catalyst (because I am smart.)

One thing that Catalyst seems to do well is have a good mechanism for plugging in standard approaches to things. Here at the University of Washington, we use a project called 'Shibboleth' for authentication: http://shibboleth.internet2.edu/

Has anyone worked with this in conjunction with Catalyst yet? I didn't see anything in Authentication::Credential::* yet, and it seems like that would be where it would go.

If not, I suppose I'll have to write it, and this seems like an obvious candidate to give back. (One plus of working for a University, they really don't mind the whole Open Source thing!) Any tips beyond 'read a few other Authentication::Credential modules and stick to the same standards' would be appreciated. (But I'm still hoping someone else already has done it and just didn't think anyone else would care.)

Thanks in advance,
Kirby