Hi Will,

Shibboleth (SAML) can be a nice solution for adding SSO to widely separated 
systems...

Regards from Vienna,

Richard

-----Original Message-----
From: [email protected] [mailto:[email protected]] 
On behalf of Will Scheidegger
Sent: Tuesday, 20 December 2011 23:22
To: Magnolia User-List
Subject: Re: [magnolia-user] faking a single sign-on?

Hi Richard

Thanks for the feedback. I'm thinking along the same lines as you. Slapping the 
login parameters to the request is definitely not pretty even if the traffic is 
sent over SSL.

The two systems are completely different and also geographically separate. So 
there is no "quick" solution other than the login parameters. 

-will

On 20.12.2011, at 12:22, Unger, Richard wrote:

> Hi Will,
> 
> Interesting Problem - doesn't sound that easy.
> 
> As you say, you could simply pass along the userId, for example as a GET 
> parameter in the link. The security of such a solution is doubtful, at the 
> very least I would recommend using encryption --> i.e. extranetA encrypts the 
> userid using a secret key, extranetB decrypts the userid with the same key. 
> Not knowing the key, external attackers cannot easily fake logins. By 
> including a timestamp in the encrypted token you can also prevent "replay 
> attacks" outside a narrow time-window.
> Even this solution will be some work:
> --> each link from A to B will have to be rendered including the token 
> --> the magnolia instance will need a login-module capable of handling 
>     the token
> 
> It might be a similar amount of work to set up a "real" identity provider for 
> SSL.
> If your two apps are running on the same server (or nearby) you can use 
> tomcat SSO, possibly with a tomcat cluster.
> If your two apps are running on different servers or use different 
> architectures, you could use something like Shibboleth/SAML.
> In this case you would presumably still need to create a login-module, but 
> would not need to render the links with any special tokens, or do any 
> encryption yourself.
> 
> Regards from Vienna,
> 
> Richard
> 
> 
> -----Original Message-----
> From: [email protected] 
> [mailto:[email protected]] On behalf of Will 
> Scheidegger
> Sent: Tuesday, 20 December 2011 09:11
> To: Magnolia User-List
> Subject: [magnolia-user] faking a single sign-on?
> 
> Dear Magnolians
> 
> We were asked if we could "connect" two separate extranets in the manner that 
> when a user is logged into extranet A (not Magnolia) he/she can only click on 
> a link to access extranet B (Magnolia CE) without further login. Now, this 
> could be achieved quite easily by passing along the mgnlUserId and mgnlPSWD 
> parameters, but I was wondering if there are other ways to do this without 
> implementing a full blown single sign on solution?
> 
> Thanks for your pointers!
> 
> -will
> 
> 
> 
> ----------------------------------------------------------------
> For list details, see 
> http://www.magnolia-cms.com/community/mailing-lists.html
> Alternatively, use our forums: http://forum.magnolia-cms.com/ To 
> unsubscribe, E-mail to: <[email protected]>
> ----------------------------------------------------------------
> 
> 
> 
> 
> 
> 







