Aaron Stone wrote:

>> to all resources you need/want if you are authorized. Shib is
>> working the same, when you authenticate you get some "auth token"
>> (i think it is some form of signed cookie). Clearly the app behind
>> such an auth mechanism must trust it.
>
Actually Shibboleth is just a wrapper around an SSO server like CAS.

>>> The Shibboleth IdP does not include an SSO functionality, so
>>> authentication has to be handled outside of the IdP by means of
>>> an SSO system (like CAS for Tomcat or Pubcookie for Apache) or
>>> Tomcat authentication.

http://www.switch.ch/aai/docs/shibboleth/SWITCH/1.3/idp/install-idp-1.3-debian.html#overview

CAS: http://www.ja-sig.org/products/cas/index.html

A very complex dance is involved in authenticating a user's browser, the SSO service, the webmail service and the IMAP backend against each other while maintaining security against man-in-the-middle attacks.

http://www.ja-sig.org/products/cas/overview/cas2_architecture/index.html

> Right. I'm OK with that. It's just a matter of the time it takes to
> write the code to interface with whatever libraries give us access to
> the authentication service.

BUT: not only does DBMail have to be extended with a CAS authentication plugin. Also the webmail server of choice has to be CASified, and this is actually the hardest work, since it has to implement a full-fledged security proxy talking with the browser, the SSO, *and* DBMail.

http://www.ja-sig.org/products/cas/client/index.html

> I'm not OK with allowing connections originating from a 'trusted' IP
> address to be able to access any account without a password or some
> authentication token. You're asking for the NFSv1 security model,
> which is to say, insecurity model.

Aye. An SSO service is, by definition, deployed in a multi-user, multi-service environment. You can't ignore the inherent complexity of such an environment and the challenges involved without fatally compromising security.

:*CU#

-- 
*** Guido A.J. Stevens *** mailto:[EMAIL PROTECTED] ***
*** Net Facilities Group *** tel: +31.43.3618933 ***
*** Postbus 1143 *** fax: +31.43.3561655 ***
*** 6201 BC Maastricht *** http://www.nfg.nl ***

Fiber-optic networks physically instantiate and thus explode enlightenment.
[ Chun, Control And Freedom, p.98 ]

_______________________________________________
DBmail mailing list
[email protected]
https://mailman.fastxs.nl/mailman/listinfo/dbmail
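The "dance" Guido refers to is the CAS 2.0 ticket flow: the browser gets a service ticket (ST) for the webmail, the webmail validates it and obtains a proxy-granting ticket (PGT), exchanges that for a proxy ticket (PT) bound to the IMAP service, and the IMAP backend validates the PT and inspects the proxy chain. The following is an added example, written for this editorial pass and not code from DBMail, CAS, or any webmail; it models that exchange in-process in Python. The service URLs, the `imap_login` stand-in for a hypothetical DBMail CAS plugin, the in-memory ticket stores and the ten-second lifetime are this example's own assumptions (real CAS runs over HTTPS with XML responses and delivers the PGT through a callback). The point it demonstrates is the one Aaron makes: every hop presents a ticket that is bound to one named service, single-use and short-lived, so there is no place for a "trusted IP" shortcut to slot in.

```python
import secrets
import time

TICKET_TTL = 10.0  # seconds; CAS tickets are short-lived and single use
WEBMAIL_URL = "https://webmail.example/"  # assumed service URLs for the example
WEBMAIL_PGT_CALLBACK = "https://webmail.example/pgtCallback"
IMAP_SERVICE = "imap://mail.example/"


class TicketError(Exception):
    pass


class CasServer:
    """SSO server: the only party that saw the user authenticate. Mints
    short-lived, single-use tickets, each bound to one named service."""
    def __init__(self, clock=time.time):
        self.clock = clock
        self.tickets = {}  # id -> dict(kind, user, service, proxies, issued)
        self.pgts = {}     # PGT id -> (user, proxy chain)

    def _mint(self, kind, user, service, proxies):
        tid = f"{kind}-{secrets.token_urlsafe(16)}"
        self.tickets[tid] = dict(kind=kind, user=user, service=service,
                                 proxies=proxies, issued=self.clock())
        return tid

    def _consume(self, tid, kinds, service):
        t = self.tickets.pop(tid, None)  # one presentation only, valid or not
        if t is None:
            raise TicketError("unknown or already used ticket")
        if t["kind"] not in kinds:
            raise TicketError(f"{t['kind']} not accepted at this endpoint")
        if t["service"] != service:
            raise TicketError("ticket was issued for a different service")
        if self.clock() - t["issued"] > TICKET_TTL:
            raise TicketError("ticket expired")
        return t["user"], t["proxies"]

    def login(self, user, service):
        """Browser authenticated at CAS; CAS sends it back to `service`
        with an ST. The password never reaches webmail or IMAP."""
        return self._mint("ST", user, service, proxies=())

    def service_validate(self, st, service, pgt_url=None):
        """/serviceValidate. A pgt_url asks for a PGT (real CAS delivers it
        by HTTPS callback) so the app can later act for the user."""
        user, chain = self._consume(st, {"ST"}, service)
        pgt = None
        if pgt_url:
            pgt = "PGT-" + secrets.token_urlsafe(16)
            self.pgts[pgt] = (user, chain + (pgt_url,))
        return user, pgt

    def proxy(self, pgt, target_service):
        """/proxy: exchange a PGT for a PT bound to one backend service."""
        user, chain = self.pgts[pgt]
        return self._mint("PT", user, target_service, proxies=chain)

    def proxy_validate(self, ticket, service):
        """/proxyValidate: backends accept ST or PT and see the proxy chain."""
        return self._consume(ticket, {"ST", "PT"}, service)


def imap_login(cas, claimed_user, ticket):
    """Stand-in for DBMail with a hypothetical CAS auth plugin: it trusts no
    source IP, only a ticket CAS validates for IMAP via an accepted proxy."""
    user, chain = cas.proxy_validate(ticket, IMAP_SERVICE)
    if user != claimed_user:
        raise TicketError("ticket belongs to another user")
    if not chain or chain[0] != WEBMAIL_PGT_CALLBACK:
        raise TicketError(f"untrusted proxy chain {chain}")
    return {"user": user, "via": list(chain)}


def run_flow():
    """Happy path: browser -> CAS -> webmail -> CAS (PGT, PT) -> IMAP."""
    cas = CasServer()
    st = cas.login("alice", WEBMAIL_URL)  # browser comes back carrying the ST
    # The CASified webmail validates the ST and keeps the PGT in its session;
    # it never sees or stores a password and reaches IMAP with a PT instead.
    user, pgt = cas.service_validate(st, WEBMAIL_URL, WEBMAIL_PGT_CALLBACK)
    return imap_login(cas, user, cas.proxy(pgt, IMAP_SERVICE))


def _rejected(call):
    try:
        call()
    except TicketError:
        return True
    return False


def check_rejections():
    """Each shortcut an IP-trust model would allow is refused by the tickets."""
    cas, out = CasServer(), {}
    st = cas.login("alice", WEBMAIL_URL)
    out["wrong_service"] = _rejected(lambda: cas.service_validate(st, "https://other.example/"))
    st = cas.login("alice", WEBMAIL_URL)
    user, pgt = cas.service_validate(st, WEBMAIL_URL, WEBMAIL_PGT_CALLBACK)
    out["replay"] = _rejected(lambda: cas.service_validate(st, WEBMAIL_URL))
    out["no_ticket"] = _rejected(lambda: imap_login(cas, user, "PT-forged"))
    pt = cas.proxy(pgt, IMAP_SERVICE)
    cas.clock = lambda: time.time() + TICKET_TTL + 1  # let the PT age out
    out["expired"] = _rejected(lambda: imap_login(cas, user, pt))
    return out
```

`run_flow()` returns the IMAP login result with the proxy chain the backend saw, and `check_rejections()` shows the four failure modes a ticket-based design closes that an IP-trust model leaves open: a ticket presented to a service it was not issued for, a replayed ticket, a connection with no ticket at all, and an expired one. The backend's whitelist of accepted proxy callbacks is what lets DBMail decide which front ends may act on a user's behalf; that decision is a policy choice for the deployment, not something CAS makes for you.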
