Re: [squid-users] SSO and Squid, SAML 2.0 ?
> I am aware of folks successfully using certificate-based authentication
> in production today, but they are still running v3.3-based code (plus
> many patches). I am not aware of any regressions in that area, but since
> there is no adequate regression testing, Amos is right: YMMV.
>
> Alex.

Ok thanks, I will investigate

Fred
___
squid-users mailing list
squid-users@lists.squid-cache.org
http://lists.squid-cache.org/listinfo/squid-users
Re: [squid-users] SSO and Squid, SAML 2.0 ?
On 10/06/2016 04:17 AM, Amos Jeffries wrote:
> On 6/10/2016 9:57 p.m., FredB wrote:
>> I can authenticate a user to squid with a certificate ?
>> If yes the user name can be saved in squid log file ?
> I'm not aware of anyone actually using that feature in a long time
> though. So YMMV.

I am aware of folks successfully using certificate-based authentication in production today, but they are still running v3.3-based code (plus many patches). I am not aware of any regressions in that area, but since there is no adequate regression testing, Amos is right: YMMV.

Alex.
Re: [squid-users] SSO and Squid, SAML 2.0 ?
On 6/10/2016 9:57 p.m., FredB wrote:
> Hello,
>
> I found no way to do that, so I changed my mind
> I can authenticate a user to squid with a certificate ? I'm thinking about a
> smart card
>
> If yes the user name can be saved in squid log file ?

Maybe. There is some very old logic for checking client certificates. The https_port clientca= parameter enables that. AFAIK you simply configure it with the CA certificate that was used to issue the client certs and the rest is automatic.

There are also client cert logformat codes, and the generic %un has code to pull a 'cert username' from a cert.

I'm not aware of anyone actually using that feature in a long time though. So YMMV.

HTH
Amos
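The clientca= setup Amos describes, written out as an added squid.conf example (not from the thread or the Squid project docs); file paths, the CA name, the organisation name and the ACL names are placeholders:

```conf
# Added example, not from the thread: an explicit proxy-over-TLS port that
# asks the browser for a client certificate issued by an internal CA.
# Paths, names and ACL labels are placeholders.

# Browsers reach this port through a PAC file entry such as
# "HTTPS proxy.example.internal:3129" (Firefox/Chrome only, as Jason notes).
# clientca= makes Squid request a client certificate and verify it against
# that CA; crlfile= plus VERIFY_CRL also rejects revoked (lost) smart cards.
https_port 3129 cert=/etc/squid/proxy-cert.pem key=/etc/squid/proxy-key.pem \
    clientca=/etc/squid/internal-client-ca.pem \
    crlfile=/etc/squid/internal-client-ca.crl \
    sslflags=VERIFY_CRL

# Accept only certificates issued by our CA and belonging to our organisation,
# not just anything the TLS layer considers valid.
acl corp_ca ca_cert CN Example-Internal-Client-CA
acl corp_users user_cert O ExampleCorp
http_access deny !corp_ca
http_access deny !corp_users
http_access allow corp_users

# Record who connected: %un falls back to the certificate-derived user name
# when no HTTP auth took place; cert_subject logs the full DN (URL-encoded,
# since subjects usually contain spaces) for audit.
logformat certlog %ts.%03tu %6tr %>a %Ss/%03>Hs %<st %rm %ru %un %#ssl::>cert_subject
access_log /var/log/squid/access.log certlog
```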
Re: [squid-users] SSO and Squid, SAML 2.0 ?
Hello,

I found no way to do that, so I changed my mind
I can authenticate a user to squid with a certificate ? I'm thinking about a smart card

If yes the user name can be saved in squid log file ?

Thanks
Fred
Re: [squid-users] SSO and Squid, SAML 2.0 ?
> Proxies only support "HTTP authentication" methods: Basic, Digest,
> NTLM, etc. So you either have to use one of those, or perhaps "fake"
> the creation of one of those...?
>
> eg you mentioned SAML, but gave no context beyond saying you didn't
> want AD. So let's say SAML is a requirement. Well that's directly
> impossible as it isn't an "HTTP authentication" method, but you
> could hit it from the sides...
>
> How about putting a SAML SP on your squid server, and it generates
> fresh random Digest authentication creds for any authenticated user
> (ie same username, but 30char random password), and tells them to
> cut-n-paste them into their web browser proxy prompt and "save"
> them. That way the proxy is using Digest and it involved a one-off
> SAML interaction. I say Digest instead of Basic because Digest is
> more secure over cleartext - but it's also noticeably slower than
> Basic over latency links, so you can choose your poison there
>
> If you're really keen, you can actually do proxy-over-TLS via WPAD
> with Firefox/Chrome - at which point I'd definitely recommend Basic
> for the performance reasons ;-)

Hi,

I'm using Digest now, with a large network; for me it's fast enough (more than 100 users). We removed Basic identification for security reasons, and the web browsers aren't all in AD.
The point about SSO is to remove the popup with a web portal (identification for all internal websites + Internet proxy).

I mentioned SAML, and yes there is no real context :) because I'm just searching for information. In my company a team is thinking about SAML for the portal (SSO Intranet), so I thought why not?
I guess some companies are using identification with a web portal? No?

Fred
Re: [squid-users] SSO and Squid, SAML 2.0 ?
On Tue, Sep 20, 2016 at 8:39 PM, FredB wrote:
> I'm searching a way to use a secure SSO with Squid, how did you implement
> the authenticate method with an implicit proxy ?
> I'm reading many documentations about SAML, but I found nothing about Squid
>
> I guess we can only do something with cookies ?

Hi Fred

Proxies only support "HTTP authentication" methods: Basic, Digest, NTLM, etc. So you either have to use one of those, or perhaps "fake" the creation of one of those...?

eg you mentioned SAML, but gave no context beyond saying you didn't want AD. So let's say SAML is a requirement. Well that's directly impossible as it isn't an "HTTP authentication" method, but you could hit it from the sides...

How about putting a SAML SP on your squid server, and it generates fresh random Digest authentication creds for any authenticated user (ie same username, but 30char random password), and tells them to cut-n-paste them into their web browser proxy prompt and "save" them. That way the proxy is using Digest and it involved a one-off SAML interaction. I say Digest instead of Basic because Digest is more secure over cleartext - but it's also noticeably slower than Basic over latency links, so you can choose your poison there

If you're really keen, you can actually do proxy-over-TLS via WPAD with Firefox/Chrome - at which point I'd definitely recommend Basic for the performance reasons ;-)

--
Cheers

Jason Haar
Information Security Manager, Trimble Navigation Ltd.
Phone: +1 408 481 8171
PGP Fingerprint: 7A2E 0407 C9A6 CAF6 2B9F 8422 C063 5EBB FE1D 66D1
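The Squid side of Jason's "SAML SP mints Digest creds" idea, as an added squid.conf example (not from the thread); the SAML SP that appends lines to the password file is assumed and not shown, and the helper path, realm and file names are placeholders:

```conf
# Added example, not from the thread: Digest auth backed by a password file
# that a SAML SP on the proxy host (assumed, not shown) appends one line to
# after each successful SAML login. Paths, realm and helper location are
# placeholders.

# -c: the file holds "username:realm:HA1" instead of a cleartext password,
# where HA1 = MD5(username:realm:password) is all Digest ever needs. The
# 30-char random password therefore only lives in the user's saved browser
# credentials, and a leaked file cannot be replayed as Basic elsewhere.
auth_param digest program /usr/lib/squid/digest_file_auth -c /etc/squid/digest_pw
auth_param digest children 5 startup=2 idle=1
auth_param digest realm Example Proxy
# Short-lived nonces and a bounded use count limit replay of captured
# Digest responses on the cleartext proxy connection.
auth_param digest nonce_garbage_interval 5 minutes
auth_param digest nonce_max_duration 30 minutes
auth_param digest nonce_max_count 50
auth_param digest nonce_strictness on
auth_param digest check_nonce_count on

acl digest_users proxy_auth REQUIRED
http_access deny !digest_users
http_access allow digest_users

# Shape of a line the SP writes (constructed example; realm must match above):
#   fred:Example Proxy:<32 hex chars of MD5("fred:Example Proxy:<random password>")>
```

Squid re-reads the file through the helper, so the SP can rotate a user's line at each SAML login to expire the previous password.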
Re: [squid-users] SSO and Squid, SAML 2.0 ?
> Hi Fred,
> I assume that by "implicit" you mean "transparent" or
> "interception". Short answer, not possible: there is nothing to anchor
> cookies to. It could be possible to fake it by having an auxiliary
> website doing standard SAML and feeding a database of associations
> userid-ip. It will fail to account for cases where multiple users
> share the same IP, but that doesn't stop many vendors from claiming
> they do "transparent authentication".

Hi Kinkie,

No, sorry, I mean explicit (not transparent)
And yes, I have some multiple users with the same IP

Regards
Fred
Re: [squid-users] SSO and Squid, SAML 2.0 ?
Hi Fred,
I assume that by "implicit" you mean "transparent" or "interception". Short answer, not possible: there is nothing to anchor cookies to. It could be possible to fake it by having an auxiliary website doing standard SAML and feeding a database of associations userid-ip. It will fail to account for cases where multiple users share the same IP, but that doesn't stop many vendors from claiming they do "transparent authentication".

On Tue, Sep 20, 2016 at 9:58 AM, FredB wrote:
> I forgot, if possible a method without active directory

--
Francesco
Re: [squid-users] SSO and Squid, SAML 2.0 ?
I forgot, if possible a method without active directory
[squid-users] SSO and Squid, SAML 2.0 ?
Hello All,

I'm searching a way to use a secure SSO with Squid, how did you implement the authenticate method with an implicit proxy ?
I'm reading many documentations about SAML, but I found nothing about Squid

I guess we can only do something with cookies ?

Does anyone know if it's possible?

Thanks
Regards
Fred