Thank you very much Brian, this is a great solution. I have tested it in our project and it works perfectly.
I apologize if I disturbed you; in fact, this possibility was described in the file cosign.conf.5, but the project is old and the current configuration did not foresee the use of regular expressions. In the next release I think I will use them as you indicated.

Thank you
Letizia Siri

From: Brian Rahn <bdr...@umich.edu>
Sent: Wednesday, June 30, 2021 16:42
To: Siri Letizia Angela <letiziaangela.s...@italtel.com>
Cc: cosign-discuss@lists.sourceforge.net
Subject: Re: Cosign cookie question

We solve that in our own installation with a default rule that uses regular expressions:

    service cosign-(.*) https://$1.umich.edu/cosign/valid 0 (.*)\.umich.edu cosign-$1

The server running www.umich.edu has a service name of cosign-www. Users are redirected to https://www.umich.edu/cosign/valid. The servers use their www.umich.edu certificate to connect back to cosignd. That means new services can join the Cosign SSO without any changes on the Cosign side.

Brian Rahn

On Wed, Jun 30, 2021 at 4:53 AM Siri Letizia Angela <letiziaangela.s...@italtel.com> wrote:

Hi Brian,

Maybe we used cosign improperly. We wanted to avoid a service architecture being exposed in the centralized configuration of the cosignd daemon; at the same time we wanted to protect all components of the service from unauthenticated access and share realm. This is a distributed system where the centralized cosignd daemon is delivered with its own rpm while the services are released separately, so we wanted to avoid a contextual update of the two. As said, I have separated the service into two services, so this is the right direction, isn't it?

Thank you very much for your attention and for replying quickly.

Letizia Siri

From: Brian Rahn <bdr...@umich.edu>
Sent: Tuesday, June 29, 2021 19:20
To: Siri Letizia Angela <letiziaangela.s...@italtel.com>
Cc: cosign-discuss@lists.sourceforge.net
Subject: Re: Cosign cookie question

I don't believe there was a direct effort to make the filters incompatible. They were developed separately to meet the same standard. That said, the filters will keep separate cookie caches, each requiring their own rechecks through separate connection pools. They are separate services, even if you name them the same. I'm not sure what you gain by mixing them.

Brian Rahn

_______________________________________________ Cosign-discuss mailing list Cosign-discuss@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/cosign-discuss
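
A small model of the default rule quoted in Brian Rahn's reply of June 30, added here as an illustration and not taken from the thread or from the Cosign code base. It assumes each pattern must match the whole string, that $1 is the first capture group, and that the last two fields map a certificate CN to a service name; the dictionary keys, the function names and the host mail.umich.edu are hypothetical.

```python
import re

# Constructed from the rule quoted in the thread. The key names and the reading
# of the last two fields as "certificate CN pattern -> service name" are this
# example's assumptions, not cosign.conf terminology.
RULE = {
    "service": r"cosign-(.*)",
    "valid_url": "https://$1.umich.edu/cosign/valid",
    "cn": r"(.*)\.umich.edu",
    "cn_service": "cosign-$1",
}


def expand(template, match):
    """Substitute $1..$9 in template with the capture groups of match."""
    return re.sub(r"\$([1-9])", lambda m: match.group(int(m.group(1))), template)


def validation_url(service_name):
    """URL a user is redirected to for service_name, or None if no rule matches."""
    m = re.fullmatch(RULE["service"], service_name)
    return expand(RULE["valid_url"], m) if m else None


def service_for_cn(cert_cn):
    """Service name a host presenting cert_cn is mapped to, or None."""
    m = re.fullmatch(RULE["cn"], cert_cn)
    return expand(RULE["cn_service"], m) if m else None


def may_check(cert_cn, service_name):
    """True only when the certificate CN maps to exactly this service name."""
    return (validation_url(service_name) is not None
            and service_for_cn(cert_cn) == service_name)


if __name__ == "__main__":
    # Constructed sample hosts; only www.umich.edu is named in the thread.
    for cn in ("www.umich.edu", "mail.umich.edu", "www.example.org"):
        svc = service_for_cn(cn)
        print(cn, "->", svc, validation_url(svc) if svc else None)
    # A host may not act as a service other than the one its CN maps to.
    print(may_check("mail.umich.edu", "cosign-www"))
```
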