This is just a guess, but make sure that you have cosign protection
turned off for the validation URL (/cosign/valid) on your
cosign-protected web server, and make sure you have the cosign
validation handler turned on for that URL. For example, if you are
using mod_cosign for Apache HTTP Server,

    <Location /cosign/valid>
        SetHandler cosign
        CosignProtected Off
        Allow from all
        Satisfy any
    </Location>

But, to answer your question...
The service directive is very flexible. But in the case where you want
to authorize only a single service without doing anything fancy, it
would look like this:

    service <SERVICE-NAME> <VALIDATION-URL> <FLAGS> <CERTIFICATE-CN>

<SERVICE-NAME> and <CERTIFICATE-CN> are actually regular expressions, so
any regexp metacharacters in them need to be escaped.
You don't say what your cosign service name is, but let's say it is
cosign-portal.local (this would correspond to a "CosignService
portal.local" directive in the configuration for your cosign-protected
web server if you are using mod_cosign for Apache httpd). Likewise,
let's assume that your cosign protected web server is using a
certificate with the common name portal.local in order to authenticate
itself to cosignd on your central weblogin servers. Your cosign service
line would then look like this:

    service cosign-portal\.local https://portal.local/cosign/valid 0 portal\.local

I see in your example below that you are using HTTP and not HTTPS. I
have changed it to HTTPS for you in the example service line above
because using HTTP is insecure and not recommended.
I recommend using Live HTTP Headers for Firefox (or a similar add-on for
another browser) to see exactly what requests your web browser is
issuing in what sequence, and how each of the web servers responds.
Also check the access logs for both your cosign-protected web server and
your central weblogin server, as there may be clues in there.
I hope this helps.
Mark Montague
ITS Web/Database Team
The University of Michigan
[email protected]
On February 26, 2010 03:48 , Evgeny Morozov <[email protected]> wrote:
> Hi all!
>
> I have a problem with a test Cosign install. And with the entire
> authentication process :)
> Here are my steps:
> I hit http://portal.local. It redirects me to weblogin.local where I
> login. I give admin:admin credentials and then it redirects me back to
> portal.local. The problem is that I have infinite redirects on this
> step. URL looks like http://portal.local/cosign/valid?cosign-list=[many
> symbols]&http://portal.local/cosign/valid?cosign-list=[many
> symbols]&http://portal.local/cosign/valid?... and so on.
>
> Can you tell me what the "service" line should look like in cosign.conf
> for this example?
>
> _______________________________________________
> Cosign-discuss mailing list
> [email protected]
> https://lists.sourceforge.net/lists/listinfo/cosign-discuss
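
Added example, not part of the original message or of the cosign project: a small Python lint for the simple five-field service line described in the reply above. It flags a non-HTTPS validation URL and any unescaped '.' in the two regular-expression fields. Python's re module with a full match stands in for cosignd's regex matching (an assumption), and the function names and sample lines are constructed here.

```python
import re
from urllib.parse import urlsplit

def lookalike(pattern):
    """Name that differs at each unescaped '.', or None if every '.' is escaped."""
    out, i, found = [], 0, False
    while i < len(pattern):
        ch = pattern[i]
        if ch == "\\" and i + 1 < len(pattern):
            out.append(pattern[i + 1])  # escaped character is a literal
            i += 2
            continue
        if ch == ".":
            ch, found = "x", True       # unescaped '.' accepts any character
        out.append(ch)
        i += 1
    return "".join(out) if found else None

def lint_service_line(line):
    """Lint one 'service' line in the simple five-field form; return findings."""
    fields = line.split()
    if len(fields) != 5 or fields[0] != "service":
        return ["expected: service <SERVICE-NAME> <VALIDATION-URL> <FLAGS> <CERTIFICATE-CN>"]
    _, name_re, url, _flags, cn_re = fields
    findings = []
    if urlsplit(url).scheme != "https":
        findings.append("validation URL is not HTTPS: " + url)
    for label, pattern in (("SERVICE-NAME", name_re), ("CERTIFICATE-CN", cn_re)):
        other = lookalike(pattern)
        if other is not None:
            # Assumption: full-match semantics approximate the server's matching.
            matched = re.fullmatch(pattern, other) is not None
            findings.append(f"{label} has an unescaped '.'; also matches {other!r}: {matched}")
    return findings

# Constructed sample lines based on the names used in the thread.
GOOD = r"service cosign-portal\.local https://portal.local/cosign/valid 0 portal\.local"
BAD = "service cosign-portal.local http://portal.local/cosign/valid 0 portal.local"

if __name__ == "__main__":
    for sample in (GOOD, BAD):
        print(sample)
        for finding in lint_service_line(sample) or ["ok"]:
            print("  -", finding)
```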