On Tue, Sep 20, 2016 at 8:39 PM, FredB <fredbm...@free.fr> wrote:

> I'm searching a way to use a secure SSO with Squid, how did you implement
> the authenticate method with an implicit proxy ?
> I'm reading many documentations about SAML, but I found nothing about Squid
> I guess we can only do something with cookies ?

Hi Fred

Proxies only support "HTTP authentication" methods: Basic, Digest, NTLM
,etc. So you either have to use one of those, or perhaps "fake" the
creation of one of those...?

eg you mentioned SAML, but gave no context beyond saying you didn't want
AD. So let's say SAML is a requirement. Well that's directly impossible as
it isn't an "HTTP authentication" method, but you could hit it from the

How about putting a SAML SP on your squid server, and it generates fresh
random Digest authentication creds for any authenticated user (ie same
username, but 30char random password), and tells them to cut-n-paste them
into their web browser proxy prompt and "save" them. That way the proxy is
using Digest and it involved a one-off SAML interaction. I say Digest
instead of Basic because Digest is more secure over cleartext - but it's
also noticeably slower than Basic over latency links, so you can choose
your poison there

If you're really keen, you can actually do proxy-over-TLS via WPAD with
Firefox/Chrome - at which point I'd definitely recommend Basic for the
performance reasons ;-)


Jason Haar
Information Security Manager, Trimble Navigation Ltd.
Phone: +1 408 481 8171
PGP Fingerprint: 7A2E 0407 C9A6 CAF6 2B9F 8422 C063 5EBB FE1D 66D1
squid-users mailing list

Reply via email to