RE: Single Sign On (implemented in CF)

2003-12-16 Thread d.a.collie
>> def worth reading (they were for me) if Jochem doesn't mind me
>> posting them.

The content of emails were worth reading for me I mean :-)

-- dc




Single Sign On (implemented in CF)

2003-12-16 Thread David Collie
Got some interesting off-list emails from Jochem that are def worth reading (they were for me) if Jochem doesn't mind me posting them.

-- dc




RE: Single Sign On (implemented in CF)

2003-12-12 Thread Smith, Matthew P -CONT(CSC)
Thank you, Dave.  I'll give them all a try and see which is the easiest to pick up.  I appreciate the pointer.

 
Matthew P. Smith 
Web Developer, Object Oriented 
Naval Education & Training Professional 
Development & Technology Center 
(NETPDTC) 
(850)452-1001 ext. 1245 
[EMAIL PROTECTED] 

 
-Original Message-
From: Dave Watts [mailto:[EMAIL PROTECTED] 
Sent: Friday, December 12, 2003 10:35 AM
To: CF-Talk
Subject: RE: Single Sign On (implemented in CF)

 
> > Just use the system with a recording proxy and see for 
> > yourself.
> 
> Could you recommend one?  I'd like to delve a little deeper 
> with the stuff we are using here.

Jochem recommended a Mozilla extension, which is good, but if you want
something browser-independent and you're using Windows, you might try
Stretch:
http://www.kestral.com.au/devtools/stretch/  

> Also, could you (or anyone else) recommend a good http 
> sniffer?  I'm not sure if they are the same thing, but I 
> would like to start playing with stuff like that.

An HTTP sniffer (or a general network sniffer) can be used instead of a
recording proxy. I like EffeTech HTTP Sniffer (http://www.effetech.com/),
but it's a bit overpriced at $40 or so. You might just use something free
like Ethereal (http://www.ethereal.com/) , which is a general-purpose
network sniffer.

Dave Watts, CTO, Fig Leaf Software
http://www.figleaf.com/  
voice: (202) 797-5496
fax: (202) 797-5444




RE: Single Sign On (implemented in CF)

2003-12-12 Thread Smith, Matthew P -CONT(CSC)
I am currently using Mozilla for my default browser and am interested to see how these extensions fit in with it.  I'll give it a try. Thank you, Jochem.

 
Matthew P. Smith 
Web Developer, Object Oriented 
Naval Education & Training Professional 
Development & Technology Center 
(NETPDTC) 
(850)452-1001 ext. 1245 
[EMAIL PROTECTED] 

 
-Original Message-
From: Jochem van Dieten [mailto:[EMAIL PROTECTED] 
Sent: Friday, December 12, 2003 9:35 AM
To: CF-Talk
Subject: Re: Single Sign On (implemented in CF)

 
Smith, Matthew P -CONT(CSC) wrote:
> 
>> Just use the system with a recording proxy and see for yourself.
> 
> Could you recommend one?  I'd like to delve a little deeper with the stuff we are using here.
>  
> Also, could you (or anyone else) recommend a good http sniffer?  I'm not sure if they are the same thing, but I would like to start playing with stuff like that.

They serve the same purpose. I currently use Mozilla FireBird 
with the LiveHTTPHeaders extension:
http://www.mozilla.org/  
http://livehttpheaders.mozdev.org/  

Jochem

-- 
When you don't want to be surprised by the revolution
organize one yourself
 - Loesje




RE: Single Sign On (implemented in CF)

2003-12-12 Thread Dave Watts
> > Just use the system with a recording proxy and see for 
> > yourself.
> 
> Could you recommend one?  I'd like to delve a little deeper 
> with the stuff we are using here.

Jochem recommended a Mozilla extension, which is good, but if you want
something browser-independent and you're using Windows, you might try
Stretch:
http://www.kestral.com.au/devtools/stretch/

 
> Also, could you (or anyone else) recommend a good http 
> sniffer?  I'm not sure if they are the same thing, but I 
> would like to start playing with stuff like that.

An HTTP sniffer (or a general network sniffer) can be used instead of a
recording proxy. I like EffeTech HTTP Sniffer (http://www.effetech.com/),
but it's a bit overpriced at $40 or so. You might just use something free
like Ethereal (http://www.ethereal.com/) , which is a general-purpose
network sniffer.

Dave Watts, CTO, Fig Leaf Software
http://www.figleaf.com/
voice: (202) 797-5496
fax: (202) 797-5444




Re: Single Sign On (implemented in CF)

2003-12-12 Thread Jochem van Dieten
Smith, Matthew P -CONT(CSC) wrote:
> 
>> Just use the system with a recording proxy and see for yourself.
> 
> Could you recommend one?  I'd like to delve a little deeper with the stuff we are using here.
>  
> Also, could you (or anyone else) recommend a good http sniffer?  I'm not sure if they are the same thing, but I would like to start playing with stuff like that.

They serve the same purpose. I currently use Mozilla FireBird 
with the LiveHTTPHeaders extension:
http://www.mozilla.org/
http://livehttpheaders.mozdev.org/

Jochem

-- 
When you don't want to be surprised by the revolution
organize one yourself
 - Loesje




RE: Single Sign On (implemented in CF)

2003-12-12 Thread Smith, Matthew P -CONT(CSC)
Jochem,

 
> Just use the system with a recording proxy and see for yourself.

Could you recommend one?  I'd like to delve a little deeper with the stuff we are using here.

 
Also, could you (or anyone else) recommend a good http sniffer?  I'm not sure if they are the same thing, but I would like to start playing with stuff like that.

 
Thanks,

Matthew P. Smith 
Web Developer, Object Oriented 
Naval Education & Training Professional 
Development & Technology Center 
(NETPDTC) 
(850)452-1001 ext. 1245 
[EMAIL PROTECTED] 

 
-Original Message-
From: Jochem van Dieten [mailto:[EMAIL PROTECTED] 
Sent: Thursday, December 11, 2003 11:16 AM
To: CF-Talk
Subject: Re: Single Sign On (implemented in CF)

 
[EMAIL PROTECTED] wrote:
>>
>> Looking at Oracle's Single Sign On Server (SSO Server)
>>
>> Seems to be saying that it can log into *any* external web app (given
>> that it knows the username and password and it is an HTML form) and
>> then remember the user upon return to the portal application as well
>> as logging out of the external web app
>> 
>> An explanation of implementing a PHP interface to the Oracle SSO
>> server can be found here
>>
>> http://otn.oracle.com/oramag/webcolumns/2003/techarticles/bennett_php.html  
>>
>>
>> It seems to me it is either the SSO Server that is doing the logging
>> in or the SSO server forces the client to do a transparent login over
>> HTTP... anybody know which one?

It looks like the visitor is redirected to the SSO server, which 
does authentication and then redirects the user back, probably 
with some identification URL variable. Just use the system with a 
recording proxy and see for yourself.

>> If the SSO Server is forcing the client to login... how do they do it
>> transparently?   And securely?

Ask Oracle.

You might want to take a look at http://a-select.surfnet.nl/   
which offers similar features and is available for free for 
non-profit organizations (it was developed for the Dutch national 
research and education network). They have a very extensive 
explanation of the authentication flow, and SSO undoubtedly uses 
something similar: http://a-select.surfnet.nl/functional_flows.html  

Jochem

-- 
When you don't want to be surprised by the revolution
organize one yourself
 - Loesje




RE: Single Sign On (implemented in CF)

2003-12-12 Thread Smith, Matthew P -CONT(CSC)
Yes, and there is also Netegrity.

 
http://www.netegrity.com/  

I believe (don't quote me on this) that Oblix had better certification for government security requirements.  It does not necessarily mean that Netegrity is less secure, they just haven't done the required paperwork as of yet.  I do not know if that is an issue for you guys.

 
Matthew P. Smith 
Web Developer, Object Oriented 
Naval Education & Training Professional 
Development & Technology Center 
(NETPDTC) 
(850)452-1001 ext. 1245 
[EMAIL PROTECTED] 

 
-Original Message-
From: Andrew Spear [mailto:[EMAIL PROTECTED] 
Sent: Thursday, December 11, 2003 12:28 PM
To: CF-Talk
Subject: Re:Single Sign On (implemented in CF)

 
You may want to take a look at Oblix. I know it works with CF and just about any webserver...

http://www.oblix.com/index.html  




RE: Single Sign On (implemented in CF)

2003-12-11 Thread Smith, Matthew P -CONT(CSC)
I've been doing the CF and IIS portions of Oracle SSO implementation here.  I have a meeting but I'll look over this and offer any help I can when I get a chance.

 
Matthew P. Smith 
Web Developer, Object Oriented 
Naval Education & Training Professional 
Development & Technology Center 
(NETPDTC) 
(850)452-1001 ext. 1245 
[EMAIL PROTECTED] 

 
-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] 
Sent: Thursday, December 11, 2003 12:20 PM
To: CF-Talk
Subject: RE: Single Sign On (implemented in CF)

 
Explained well enough for even me to understand :-)  Superb

I'll digest the info and put it to those above tomorrow as an option

>> I would be interested in anything more detailed you can dig up on
>> SSO.

No probs, will let you know what we find out and any URLs/Docs that we
find that are useful.

-- 
-dc  [ cf5, ora8.1.7, iis5 ]




RE: Single Sign On (implemented in CF)

2003-12-11 Thread d.a.collie
Explained well enough for even me to understand :-)  Superb

I'll digest the info and put it to those above tomorrow as an option

>> I would be interested in anything more detailed you can dig up on
>> SSO.

No probs, will let you know what we find out and any URLs/Docs that we
find that are useful.

-- 
-dc  [ cf5, ora8.1.7, iis5 ]




Re: Single Sign On (implemented in CF)

2003-12-11 Thread Jochem van Dieten
[EMAIL PROTECTED] wrote:
> 
>> You might want to take a look at http://a-select.surfnet.nl/ 
> 
> Thank you... currently digesting now
> 
> As far as I can see at the moment, all apps need to use A-Select API
> though... 

No, the webserver needs to have the A-Select API. It is just an 
ISAPI filter for IIS or a module for Apache that gets loaded into 
the webserver. For the application it pretty much means "the 
A-Select user identifying cookie is present and can be trusted".

> The Oracle version seems to promise that they can do it with any web app
> with a HTML form...

That is not too difficult, but some might consider it a security 
risk to have people submit their username and password to a 
participating site. It would definitely not qualify for a TTP 
implementation, since the web application would 'know' the 
username and password of the user, which means that you would 
have to trust all web applications.

> I just cannot see the mechanism for this at all... [ see caveat about my
> understanding of the Oracle definition of an 'External App' above ]

With A-Select, it is pretty much:
- user enters website
- website sees no authentication cookie and no authentication 
URL var
- website redirects to authentication server
* authentication server sees no authorization cookie
* user logs in
* authentication server sets authorization cookie
- authentication server redirects to website
- website sees authentication URL var and asks a webservice on 
the authentication server to verify that authentication var
- user is logged in

If the user returns or visits another website that allows this 
type of login, the steps marked with * do not have to be repeated 
because there is an authorization cookie, so the process is 
automatic for the user. He just gets redirected a few times.

The key part that is missing in your description is that the web 
application also communicates directly with the authentication 
server to verify the credentials the user presents.

I would be interested in anything more detailed you can dig up on 
SSO.

Jochem

-- 
When you don't want to be surprised by the revolution
organize one yourself
 - Loesje
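Jochem's step list above, run end to end as an added example (not code from the thread, nor A-Select's own implementation). It assumes an in-memory authentication server and two participating websites with constructed test users, and shows the point he makes: the website never handles the password, only a one-time ticket in the URL var, which it verifies over the back channel; a second site reuses the authorization cookie and needs no new login.

```python
import secrets


class AuthServer:
    """Authentication server: the only party that ever sees the password."""

    def __init__(self, users):
        self.users = users        # username -> password (constructed test data)
        self.auth_cookies = {}    # authorization cookie -> username
        self.tickets = {}         # one-time ticket carried in the URL var -> (username, site)
        self.login_prompts = 0    # how often the user actually had to type a password

    def redirect_in(self, auth_cookie, site, credentials=None):
        """Browser arrives redirected from `site`; returns (auth cookie, ticket).
        The steps marked * in the thread run only when no authorization cookie is valid."""
        if auth_cookie not in self.auth_cookies:       # * sees no authorization cookie
            self.login_prompts += 1                    # * user logs in
            if not credentials or self.users.get(credentials[0]) != credentials[1]:
                raise PermissionError("login failed")
            auth_cookie = secrets.token_urlsafe(16)    # * sets authorization cookie
            self.auth_cookies[auth_cookie] = credentials[0]
        ticket = secrets.token_urlsafe(16)
        self.tickets[ticket] = (self.auth_cookies[auth_cookie], site)
        return auth_cookie, ticket                     # redirect back to site with the ticket

    def verify(self, ticket, site):
        """Back-channel webservice the website calls. Tickets are single use and
        bound to the site they were issued for, so a forged or replayed URL var fails."""
        issued = self.tickets.pop(ticket, None)
        return issued[0] if issued and issued[1] == site else None


class Website:
    def __init__(self, name, auth_server):
        self.name, self.auth = name, auth_server
        self.sessions = {}        # site cookie -> username; no passwords stored here

    def visit(self, browser, credentials=None):
        """One page request; `browser` is the cookie jar (dict keyed by host). Returns the username."""
        user = self.sessions.get(browser.get(self.name))
        if user:                                       # site sees its own cookie: done
            return user
        # no authentication cookie and no authentication URL var: redirect to auth server
        auth_cookie, ticket = self.auth.redirect_in(browser.get("auth"), self.name, credentials)
        browser["auth"] = auth_cookie
        # redirected back with the URL var: ask the webservice to verify it, never trust it as-is
        user = self.auth.verify(ticket, self.name)
        if user is None:
            raise PermissionError("authentication URL var rejected")
        cookie = secrets.token_urlsafe(16)
        self.sessions[cookie] = user
        browser[self.name] = cookie
        return user
```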




RE: Single Sign On (implemented in CF)

2003-12-11 Thread d.a.collie
Again thanks for your insights Jochem, much appreciated :-)

>> It looks like the visitor is redirected to the SSO server, 
>> which does authentication and then redirects the user 
>> back, probably with some identification URL variable. 

Would this not mean that it was the SSO server that was authenticated to
use the external website and not the client?

Am I getting mixed up in the Oracle definition of an External App, i.e.
that an external app is one that you have actually partnered with and
you know their authentication mechanism?

>> Just use the system with a recording proxy and see for 
>> yourself.

Only seen a presentation... have asked for access to a demo but they are
being a bit slow about it
Will be first thing to do on the list when we get access.

>> If the SSO Server is forcing the client to login... how do they do it
>> transparently?   And securely?
> Ask Oracle.

Oooh, we have searched the Oracle site for documentation on this and are
having trouble finding anything solid on it.
Oracle seem to be a bit cagey about this (having to ask questions about
this through someone else so it is a bit on the slow side)

>>>You might want to take a look at http://a-select.surfnet.nl/ 

Thank you... currently digesting now

As far as I can see at the moment, all apps need to use A-Select API
though... 

The Oracle version seems to promise that they can do it with any web app
with a HTML form... 
I just cannot see the mechanism for this at all... [ see caveat about my
understanding of the Oracle definition of an 'External App' above ]

From my understanding of it at the moment, if I had to code for it right
now, to allow a user this functionality:

- User enters portal
- User enters external app username, password and form location into
local admin interface (at some other time)
- Clicks on external app link
- Portal makes up a form with the username and password
- JavaScript submits the form to the external application log on
mechanism
- Client is authenticated onto external application

Which seems a complete abomination (crap in other words). Need to do
a lot more digging about this methinks   :-\

-- 
-dc  [ cf5, ora8.1.7, iis5 ]




Re: Single Sign On (implemented in CF)

2003-12-11 Thread Jochem van Dieten
[EMAIL PROTECTED] wrote:
>>
>> Looking at Oracle's Single Sign On Server (SSO Server)
>>
>> Seems to be saying that it can log into *any* external web app (given
>> that it knows the username and password and it is an HTML form) and
>> then remember the user upon return to the portal application as well
>> as logging out of the external web app
>> 
>> An explanation of implementing a PHP interface to the Oracle SSO
>> server can be found here
>>
>> http://otn.oracle.com/oramag/webcolumns/2003/techarticles/bennett_php.html
>>
>>
>> It seems to me it is either the SSO Server that is doing the logging
>> in or the SSO server forces the client to do a transparent login over
>> HTTP... anybody know which one?

It looks like the visitor is redirected to the SSO server, which 
does authentication and then redirects the user back, probably 
with some identification URL variable. Just use the system with a 
recording proxy and see for yourself.

>> If the SSO Server is forcing the client to login... how do they do it
>> transparently?   And securely?

Ask Oracle.

You might want to take a look at http://a-select.surfnet.nl/ 
which offers similar features and is available for free for 
non-profit organizations (it was developed for the Dutch national 
research and education network). They have a very extensive 
explanation of the authentication flow, and SSO undoubtedly uses 
something similar: http://a-select.surfnet.nl/functional_flows.html

Jochem

-- 
When you don't want to be surprised by the revolution
organize one yourself
 - Loesje




Single Sign On (implemented in CF)

2003-12-11 Thread d.a.collie
> Hi there,
> 
> Looking at Oracle's Single Sign On Server (SSO Server)
> 
> Seems to be saying that it can log into *any* external web app (given
> that it knows the username and password and it is an HTML form) and
> then remember the user upon return to the portal application as well
> as logging out of the external web app
> 
> An explanation of implementing a PHP interface to the Oracle SSO
> server can be found here
> 
> http://otn.oracle.com/oramag/webcolumns/2003/techarticles/bennett_php.html
> 
> 
> It seems to me it is either the SSO Server that is doing the logging
> in or the SSO server forces the client to do a transparent login over
> HTTP... anybody know which one?
> 
> If it is the SSO Server that is doing the logging in to the external
> web app, how would you know the authentication mechanism used by that
> external app? 
> If the SSO Server is forcing the client to login... how do they do it
> transparently?   And securely?
> 
> Can anybody explain the mechanism to make this kind of thing work?
> Can it be done in CF?
> 
> -- 
> David Collie.
> Web Developer, IT Services.
> The Robert Gordon University.
> St Andrew St, Aberdeen. AB25 1HG 
> 
> T: 01224 262772 
> E: [EMAIL PROTECTED] 
> W: http://www.rgu.ac.uk/
>