Today's Topics:

   1. Re: Mod_auth_tkt SSO Usage (rahul)
   2. Re: Mod_auth_tkt SSO Usage (Peter Karman)
   3. Re: Mod_auth_tkt SSO Usage (rahul)

----------------------------------------------------------------------

Message: 1
Date: Wed, 9 May 2018 18:01:03 +0530
From: rahul <ra...@agniinfo.com>
To: Mike Heins <m...@heins.net>, modauthtkt-users@lists.sourceforge.net
Subject: Re: [modauthtkt-users] Mod_auth_tkt SSO Usage
Message-ID: <888c9b60-dd26-a88f-ff3d-f5ad16284...@agniinfo.com>
Content-Type: text/plain; charset=utf-8

Mike,

This is our scenario.

We have a number of apps to unify under SSO. A couple of them depend on
.htaccess login. The rest depend on a form-based login.

Our login URL is the default mod_auth_tkt login script that also happens
to generate the tickets. On accessing a protected resource it correctly
redirects us to the login URL.

On successful login, the .htaccess based app lets us through AS
EXPECTED. Only when it comes to the apps sitting behind a form-based
login are we facing a problem. It redirects us to the login form of that
app. It doesn't pass the mod_auth_tkt login credentials to this login
form, to allow us through. Which is what we want. Does mod_auth_tkt
support this? Or do we have to tamper with the individual apps?

And again thanks for replying.

Rahul

On Wednesday 09 May 2018 04:03 PM, Mike Heins wrote:
> Quoting rahul (ra...@agniinfo.com):
>> Peter,
>>
>> Thanks for replying.
>>
>> 1) I have configured the Apache conf to include the Server
>> directive(TKTAuthSecret) and Directory directives(AuthType/require and
>> TKTAuthLoginURL). Is that all that's required for a basic setup?
> You need an application that will issue tickets after authentication,
> which are cookies that are constructed using the secret as well as
> the resource identifier.
>
>> 2) However, Apache still redirects me to the login form of the web app
>> which seems reasonable, given that Apache/mod_auth_tkt doesn't know how
>> to pass the login credentials to a random (third party) web app form,
>> like, say NextCloud. Am I missing something here?
> Assuming your application has issued a ticket after a login, the
> "credentials" are simply a cookie that is automatically presented to
> any URL in scope. mod_auth_tkt checks that cookie when you arrive at a
> URL requiring mod_auth_tkt authentication. If you have the right
> ticket, you get the resources, otherwise you are bounced to the
> TktAuthLoginURL.
>
>> 3) And finally, wouldn't plugging a custom mod_auth_tkt script with the
>> individual web apps be a lot more tedious, as each app runs into
>> hundreds of thousands of lines of code. Is there an easy way out?
> Again, if you'll refer to my first post, it isn't something that you
> use in your app. It just is used to determine if Apache is going
> to authorize that resource. Go/no go. If you aren't authorized, you
> get bounced to the URL to allow you to log in.
>
>> Regards,
>> Rahul
>>
>>
>> On Monday 07 May 2018 12:59 PM, rahul wrote:
>>> Hi guys! Before I begin, I need to make it clear I'm not well-versed
>>> with web programming. (I am primarily a Linux Admin). In particular, I'm
>>> not sure I understand how the session/cookie part of mod_auth_tkt is
>>> supposed to work.
>>>
>>> I am looking to implement SSO over a bunch of open-source applications
>>> sitting on two machines.
>>> I have so far managed to successfully install
>>> the module and have customized it to authenticate against an LDAP
>>> Server. On a successful login I'm redirected to the login page of the
>>> protected web app resource. My confusion is this. Do I need to modify
>>> the default perl script for logging in to each of the apps that I'm
>>> looking to have under SSO? I tried using the Perl WWW::Mechanize module
>>> to have it automatically login on each app on a successful mod_auth_tkt
>>> login. I was however unable to transfer the mechanize session info to
>>> the browser. Felt like I was missing something very basic.
>>>
>>> I am only looking for some pointers on how SSO is actually implemented
>>> in the module on third-party apps that are possibly written in PHP,
>>> Perl, etc. Couldn't find relevant info on the web after days of
>>> searching. It would be great if someone could just pitch in with some
>>> help. Thanks.
>>>
>>> Regards,
>>>
>>> Rahul S

------------------------------

Message: 2
Date: Wed, 9 May 2018 08:50:25 -0500
From: Peter Karman <pe...@peknet.com>
To: modauthtkt-users@lists.sourceforge.net
Subject: Re: [modauthtkt-users] Mod_auth_tkt SSO Usage
Message-ID: <df8dcf30-14d6-1490-f441-f9395c2b4...@peknet.com>
Content-Type: text/plain; charset=utf-8; format=flowed

rahul wrote on 5/9/18 7:31 AM:

> On successful login, the .htaccess based app lets us through AS
> EXPECTED. Only when it comes to the apps sitting behind a form-based
> login are we facing a problem. It redirects us to the login form of that
> app. It doesn't pass the mod_auth_tkt login credentials to this login
> form, to allow us through. Which is what we want. Does mod_auth_tkt
> support this? Or do we have to tamper with the individual apps?
>

If your application has its own login form, and it does not support
Apache Basic Auth as an alternative, then no, mod_auth_tkt will not work.

mod_auth_tkt is all about the cookie and the shared secret. If the
application manages its own authentication and its own session, then
the mod_auth_tkt cookie is simply ignored.

-- 
Peter Karman . he/him/his . 785.337.0405 . https://karpet.github.io/

------------------------------

Message: 3
Date: Wed, 9 May 2018 19:24:44 +0530
From: rahul <ra...@agniinfo.com>
To: pe...@peknet.com, modauthtkt-users@lists.sourceforge.net
Subject: Re: [modauthtkt-users] Mod_auth_tkt SSO Usage
Message-ID: <54be721f-b194-d569-0da5-275d89b98...@agniinfo.com>
Content-Type: text/plain; charset=utf-8

That clears things. Thanks.

Rahul

On Wednesday 09 May 2018 07:20 PM, Peter Karman wrote:
> rahul wrote on 5/9/18 7:31 AM:
>
>> On successful login, the .htaccess based app lets us through AS
>> EXPECTED.
>> Only when it comes to the apps sitting behind a form-based
>> login are we facing a problem. It redirects us to the login form of that
>> app. It doesn't pass the mod_auth_tkt login credentials to this login
>> form, to allow us through. Which is what we want. Does mod_auth_tkt
>> support this? Or do we have to tamper with the individual apps?
>>
>
>
> If your application has its own login form, and it does not support
> Apache Basic Auth as an alternative, then no, mod_auth_tkt will not work.
>
> mod_auth_tkt is all about the cookie and the shared secret. If the
> application manages its own authentication and its own session, then
> the mod_auth_tkt cookie is simply ignored.
>

------------------------------

Subject: Digest Footer

_______________________________________________
modauthtkt-users mailing list
modauthtkt-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/modauthtkt-users

------------------------------

End of modauthtkt-users Digest, Vol 34, Issue 3
***********************************************
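
Added example, not part of any list message and not the project's own code: a Python sketch of the ticket check discussed in the thread above, where the login script builds a cookie from the shared secret and Apache verifies it before serving a protected URL. It assumes the MD5 double-digest ticket layout given in the mod_auth_tkt documentation; the function names, secret, user name and timeout value are constructed for illustration.

```python
import hashlib
import hmac
import re
import socket
import struct
import time

def _digest(secret: bytes, ip: str, ts: int, uid: str, tokens: str, data: str) -> str:
    # Assumed layout: MD5(MD5(ip + timestamp + secret + uid \0 tokens \0 data) + secret)
    iptstamp = socket.inet_aton(ip) + struct.pack("!I", ts)
    raw = iptstamp + secret + b"\0".join(s.encode() for s in (uid, tokens, data))
    inner = hashlib.md5(raw).hexdigest().encode()
    return hashlib.md5(inner + secret).hexdigest()

def make_ticket(secret, uid, ip="0.0.0.0", tokens="", data="", ts=None):
    """Issue a ticket: what the login script does after authenticating the user."""
    ts = int(time.time()) if ts is None else ts
    body = uid + "!" + (tokens + "!" if tokens else "") + data
    return _digest(secret, ip, ts, uid, tokens, data) + "%08x" % ts + body

def check_ticket(secret, ticket, ip="0.0.0.0", timeout=7200, now=None):
    """Return the uid if the ticket is authentic and fresh, else None."""
    # 32 hex chars of digest, 8 hex chars of timestamp, then uid!...
    if not re.fullmatch(r"[0-9a-f]{40}", ticket[:40]) or "!" not in ticket[40:]:
        return None
    digest, ts = ticket[:32], int(ticket[32:40], 16)
    uid, _, rest = ticket[40:].partition("!")
    tokens, sep, data = rest.partition("!")
    if not sep:                      # no token list: the remainder is user data
        tokens, data = "", rest
    expected = _digest(secret, ip, ts, uid, tokens, data)
    if not hmac.compare_digest(expected, digest):
        return None                  # altered, or signed with a different secret
    now = int(time.time()) if now is None else now
    if not 0 <= now - ts <= timeout:
        return None                  # expired, or timestamp lies in the future
    return uid

if __name__ == "__main__":
    secret = b"constructed-sample-secret"          # stands in for TKTAuthSecret
    cookie = make_ticket(secret, "rahul", ts=1525868463)
    print(check_ticket(secret, cookie, now=1525868463 + 60))
    print(check_ticket(secret, cookie.replace("rahul!", "admin!"), now=1525868463 + 60))
```

An application that keeps its own login form and session never runs a check like this, which is why the ticket cookie has no effect on it.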