Re: [Cosign-discuss] Does Cosign *need* to use LDAP?

2014-07-29 Thread Liam Hoekenga
On Tue, Jul 29, 2014 at 1:09 AM, Christian Seberino wrote:

> If the 1st web app has its own login system, can that be used
> instead of LDAP?
>

Something that Mark didn't mention, but I feel is important to point out...

If you have multiple web apps configured to authenticate against LDAP, all
that gives you is a common credential store (i.e. the account names and
passwords are the same for each application).  It does not give you SSO.
You would still need to sign into each application separately.

> All I want is users to authenticate against one web app and not have
> to authenticate against the second web app


If the applications can be configured to use some sort of SSO (Cosign,
Shibboleth, whatever), the SSO is that first web app.  Once they've
authenticated against the SSO, any other application configured to use the
SSO shouldn't require authentication.

-- 
Liam Hoekenga
ITS Identity and Access Management
The University of Michigan
li...@umich.edu
Cosign-discuss mailing list
Cosign-discuss@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/cosign-discuss


Re: [Cosign-discuss] Does Cosign *need* to use LDAP?

2014-07-29 Thread Mark Montague
On 2014-07-29, 1:09, Christian Seberino wrote:
> Does Cosign *need* to use LDAP?

No.

cosign sends users to its central weblogin server to authenticate. The 
central weblogin server CGI will put up a form asking for credentials, 
verify those credentials using one or more "factors" (authentication 
backends), and, if all the factors are satisfied, create a cosign 
session for the user.  The user is then sent back to the web service 
they were originally trying to access.

The authentication backends can be anything that can be written to plug 
in to cosign's factor architecture, including Kerberos (MIT or Microsoft 
Active Directory), LDAP (normal or Microsoft Active Directory), Friend 
database, PAM modules (so, pretty much anything), X.509 client 
certificates, arbitrary external databases, and much more.


> All I want is users to authenticate against one web app and not have
> to authenticate against the second web app.

cosign will not work for this.  cosign works by having the user 
authenticate against it, and then the user does not have to authenticate 
against either of the two web apps.  But see below.


> If the 1st web app has its own login system, can that be used
> instead of LDAP?

cosign will not let a web application put up its own login page and 
authenticate the user and then rely on that web application's 
authentication results.

However, if you have a particular web application which has a database 
that is accessible from the central weblogin server, and that database 
stores authentication information, you could write a cosign factor that 
connects to that database and performs the same series of steps to 
authenticate the user as that particular web application would perform 
if it was authenticating the user.  But note that after this although 
the user would be authenticated to cosign, they'd still need to return 
to the web application so that it could establish its own session for 
the user, and you'd still need to configure the web application 
appropriately for cosign.

Let me know if this isn't clear.

-- 
   Mark Montague
   m...@catseye.org
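As an added illustration of the last suggestion in Mark's reply (a cosign factor that re-runs the web application's own credential check against its database), here is an example script. It is not cosign's code and not from the cosign project; the factor invocation contract it assumes (login name as the first argument, password on the first line of stdin, exit status 0 and the factor name on stdout when satisfied) and the web application's password scheme (PBKDF2-HMAC-SHA256 in a SQLite `users` table) are assumptions for the example, as are the names `APPDB_PATH`, `FACTOR_NAME` and `build_sample_db`. Check the cosign factor documentation for the real contract before deploying anything like it.

```python
#!/usr/bin/env python3
"""Hypothetical cosign "factor" that re-checks a web application's own
password store.  Added example; not cosign's code.

Assumptions (not taken from the cosign documentation):
  * the web app stores passwords as PBKDF2-HMAC-SHA256 in a SQLite table
    users(login, salt, iterations, pw_hash, disabled);
  * the weblogin server runs this script with the login name as argv[1],
    the password as the first line of stdin, and treats exit status 0
    (with the factor name on stdout) as "factor satisfied".
"""
import hashlib
import hmac
import os
import sqlite3
import sys

FACTOR_NAME = "appdb"          # hypothetical factor name reported to cosign
PBKDF2_ITERATIONS = 100_000    # must match what the web app uses
DUMMY_SALT = b"\x00" * 16      # keeps timing flat for unknown logins


def hash_password(password: str, salt: bytes, iterations: int) -> bytes:
    """The same derivation the (hypothetical) web app performs at its own login."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)


def build_sample_db() -> sqlite3.Connection:
    """Constructed in-memory stand-in for the web app's user table."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE users (login TEXT PRIMARY KEY, salt BLOB, "
        "iterations INTEGER, pw_hash BLOB, disabled INTEGER)"
    )
    sample = [("alice", "correct horse battery staple", 0),
              ("bob", "hunter2", 1)]            # bob's account is disabled
    for login, pw, disabled in sample:
        salt = os.urandom(16)
        conn.execute(
            "INSERT INTO users VALUES (?,?,?,?,?)",
            (login, salt, PBKDF2_ITERATIONS,
             hash_password(pw, salt, PBKDF2_ITERATIONS), disabled),
        )
    conn.commit()
    return conn


def verify_against_app_db(conn: sqlite3.Connection, login: str, password: str) -> bool:
    """Return True only if the web app itself would have accepted this login."""
    row = conn.execute(
        "SELECT salt, iterations, pw_hash, disabled FROM users WHERE login = ?",
        (login,),
    ).fetchone()
    if row is None:
        # Same amount of work for an unknown login, so response time does
        # not reveal which account names exist.
        hash_password(password, DUMMY_SALT, PBKDF2_ITERATIONS)
        return False
    salt, iterations, stored, disabled = row
    candidate = hash_password(password, bytes(salt), int(iterations))
    # Constant-time comparison; the disabled flag is applied after the hash
    # work so a disabled account costs the same as a live one.
    return hmac.compare_digest(candidate, bytes(stored)) and not disabled


def main(argv) -> int:
    if len(argv) != 2:
        print("usage: appdb-factor LOGIN   (password on stdin)", file=sys.stderr)
        return 2
    login = argv[1]
    password = sys.stdin.readline().rstrip("\r\n")
    db_path = os.environ.get("APPDB_PATH")       # hypothetical: path to the app's DB
    conn = sqlite3.connect(db_path) if db_path else build_sample_db()
    if verify_against_app_db(conn, login, password):
        print(FACTOR_NAME)   # assumed convention: report the satisfied factor
        return 0
    return 1


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Two things worth keeping in mind with this approach: the factor duplicates the application's password verification, so any change to the app's hashing parameters or account-status rules has to be mirrored here, and the central weblogin server now needs read access to the application's credential store, which widens the set of hosts that can reach those hashes. As Mark notes, passing this factor only authenticates the user to cosign; the application still establishes its own session afterwards.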

