Hi Sharpy, thanks a lot for your detailed response – especially the reference to Gluu.
I already played around with mod_auth_openidc. Some things I'm struggling with: I still want to be able to log into the application without Gluu/SSO functionality, and some direct actions must be accessible to everyone. Therefore I cannot enter the (not SSO-based) login page "/cgi-bin/WebObjects/MyApp.woa" of the WO application in mod_auth_openidc (using a <Location> directive).

Peer

> On 25.02.2020 at 11:15, getsh...@gmail.com wrote:
>
> Hi Peer,
>
> I've recently replaced our end of life SSO implementation (CoSign) with OpenID Connect via mod_auth_openidc.
>
> I went with Gluu as the OIDC provider (https://www.gluu.org/). I assume mod_auth_openidc works with any compliant OIDC provider including Auth0.
>
> There's nothing really WO'ey about this, in fact there were no changes required to application code, only httpd configuration. I was able to map the authenticated username to the "remote_user" header where our applications already expect the username to be, allowing my rudimentary access control to continue to work.
>
> A provider's access token can potentially deliver all manner of data that could describe a user's access privileges and identity and I hope to use Gluu to describe (or derive from AD) user access privileges which can then deliver a rich access token to my WO apps via httpd/mod_auth_openidc.
>
> Until then I'm using it simply to require authentication on certain paths using Location and LocationMatch directives as you would with any other httpd AuthType.
>
> Sharpy.
>
>> On 25 Feb 2020, at 6:48 pm, Peer Sandtner via Webobjects-dev <webobjects-dev@lists.apple.com> wrote:
>>
>> Hello, everybody,
>>
>> I am faced with the requirement to integrate SSO into an existing WO application with its own user/rights management.
>>
>> The (B2B) WO application is currently already used by different integration partners who authenticate their users in the WO application by username/password and then get back a WOSession URL to which the user's browser is then redirected.
>>
>> The first integration will probably be based on SAML 2, since the partner already uses this for itself. Unfortunately I have no experience with SSO and came across auth0.com during my research. However, it is not yet clear to me whether and to what extent the requirements can be fulfilled with it.
>>
>> At the moment I assume that in the end I have to do a mapping between the received data from the ID provider and the existing users in my database and then log the user into my WO application as usual.
>>
>> Does anyone have any tips on how to integrate auth0.com into a WO application?
>>
>> I also came across https://github.com/zmartzone/mod_auth_openidc. Does this simplify the integration of auth0.com, or is it better to do it "directly" via the Java libraries of auth0.com?
>>
>> I'm sorry - questions about questions ;-)
>>
>> I am grateful for every hint...
>> Peer
>>
>> _______________________________________________
>> Do not post admin requests to the list. They will be ignored.
>> Webobjects-dev mailing list (Webobjects-dev@lists.apple.com)
>> Help/Unsubscribe/Update your Subscription:
>> https://lists.apple.com/mailman/options/webobjects-dev/getsharp%40gmail.com
>>
>> This email sent to getsh...@gmail.com
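The httpd split that Peer's question and Sharpy's reply circle around, as an added example that is not part of the thread and not mod_auth_openidc's own documentation: the WO application's own login page and its public direct actions stay reachable without SSO, and only one dedicated SSO entry path requires an OIDC login, with the authenticated username handed to the application in a request header the way Sharpy describes. The provider metadata URL, client ID and secret, the hostname, the `/wa/sso` direct action and the `X-Remote-User` header name are assumptions; `/cgi-bin/WebObjects/MyApp.woa` is the path from the message above.

```apache
# Added example (not from the thread): mod_auth_openidc in front of a WebObjects
# application whose own login page must keep working without SSO.
# Values marked "assumed" are placeholders for a real deployment.
LoadModule auth_openidc_module modules/mod_auth_openidc.so

# Provider and client registration (assumed values)
OIDCProviderMetadataURL https://idp.example.com/.well-known/openid-configuration
OIDCClientID            myapp-client
OIDCClientSecret        replace-with-the-registered-client-secret
OIDCCryptoPassphrase    replace-with-a-long-random-string
OIDCScope               "openid profile email"

# Must be a URL on this vhost that the WO application does NOT serve;
# mod_auth_openidc answers it itself (assumed path).
OIDCRedirectURI         https://www.example.com/oidc/redirect

# Which ID token claim becomes REMOTE_USER, and the request header in which
# the backend (WO adaptor / application) receives it. Header name is assumed.
OIDCRemoteUserClaim     preferred_username
OIDCAuthNHeader         X-Remote-User

# Never let a client supply the identity header itself on paths that
# mod_auth_openidc does not protect: strip it before anything else runs.
RequestHeader unset X-Remote-User early

# The redirect URI lives inside a location protected by the module.
<Location /oidc/redirect>
    AuthType openid-connect
    Require valid-user
</Location>

# The application's own login page and every public direct action stay
# reachable without an OIDC session.
<Location /cgi-bin/WebObjects/MyApp.woa>
    Require all granted
</Location>

# One dedicated SSO entry point (assumed direct action name). Location sections
# merge in file order, so this more specific prefix overrides the public one
# above. Only here is an OIDC login forced; the application reads X-Remote-User,
# maps it to a local user, creates the WOSession and redirects exactly as it
# already does after a password login.
<Location /cgi-bin/WebObjects/MyApp.woa/wa/sso>
    AuthType openid-connect
    Require valid-user
</Location>
```

Two checks worth making before relying on this. First, the header is only trustworthy if the application instance accepts connections solely from this httpd; anyone who can reach the WO adaptor port directly can send their own `X-Remote-User`, so firewall it to the front end. Second, if the application should also recognise an already logged-in SSO user on its public pages (rather than only on the `/wa/sso` path), mod_auth_openidc's `OIDCUnAuthAction pass` lets unauthenticated requests through a location that has `AuthType openid-connect` while still setting the header when a session exists; that keeps the non-SSO login page usable under one protected prefix instead of two separate ones.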