Thanks, Richard. I'll look into it! -will
On 21.12.2011, at 15:47, Unger, Richard wrote:

> Hi Will,
>
> Shibboleth (SAML) can be a nice solution for adding SSO to widely separated
> systems...
>
> Regards from Vienna,
>
> Richard
>
> -----Original Message-----
> From: [email protected]
> [mailto:[email protected]] On behalf of Will Scheidegger
> Sent: Tuesday, 20 December 2011 23:22
> To: Magnolia User-List
> Subject: Re: [magnolia-user] faking a single sign-on?
>
> Hi Richard
>
> Thanks for the feedback. I'm thinking along the same lines as you. Slapping
> the login parameters onto the request is definitely not pretty even if the
> traffic is sent over SSL.
>
> The two systems are completely different and also geographically separate. So
> there is no "quick" solution other than the login parameters.
>
> -will
>
> On 20.12.2011, at 12:22, Unger, Richard wrote:
>
>> Hi Will,
>>
>> Interesting problem - doesn't sound that easy.
>>
>> As you say, you could simply pass along the userId, for example as a GET
>> parameter in the link. The security of such a solution is doubtful; at the
>> very least I would recommend using encryption --> i.e. extranetA encrypts
>> the userid using a secret key, extranetB decrypts the userid with the same
>> key. Not knowing the key, external attackers cannot easily fake logins. By
>> including a timestamp in the encrypted token you can also prevent "replay
>> attacks" outside a narrow time-window.
>> Even this solution will be some work:
>> --> each link from A to B will have to be rendered including the token
>> --> the magnolia instance will need a login-module capable of handling
>> the token
>>
>> It might be a similar amount of work to set up a "real" identity provider
>> for SSL.
>> If your two apps are running on the same server (or nearby) you can use
>> tomcat SSO, possibly with a tomcat cluster.
>> If your two apps are running on different servers or use different
>> architectures, you could use something like Shibboleth/SAML.
>> In this case you would presumably still need to create a login-module, but
>> would not need to render the links with any special tokens, or do any
>> encryption yourself.
>>
>> Regards from Vienna,
>>
>> Richard
>>
>>
>> -----Original Message-----
>> From: [email protected]
>> [mailto:[email protected]] On behalf of Will
>> Scheidegger
>> Sent: Tuesday, 20 December 2011 09:11
>> To: Magnolia User-List
>> Subject: [magnolia-user] faking a single sign-on?
>>
>> Dear Magnolians
>>
>> We were asked if we could "connect" two separate extranets in the manner
>> that when a user is logged into extranet A (not Magnolia) he/she can only
>> click on a link to access extranet B (Magnolia CE) without further login.
>> Now, this could be achieved quite easily by passing along the mgnlUserId and
>> mgnlPSWD parameters, but I was wondering if there are other ways to do this
>> without implementing a full blown single sign on solution?
>>
>> Thanks for your pointers!
>>
>> -will
>>
>>
>> ----------------------------------------------------------------
>> For list details, see
>> http://www.magnolia-cms.com/community/mailing-lists.html
>> Alternatively, use our forums: http://forum.magnolia-cms.com/ To
>> unsubscribe, E-mail to: <[email protected]>
>> ----------------------------------------------------------------
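As an added illustration of the token approach Richard sketches above (example code, not from the thread or from Magnolia): extranet A mints a short-lived token for the link and extranet B's login module verifies it. It uses an HMAC over the user id, a timestamp and a random nonce rather than encryption alone, since a keyed MAC is what stops someone without the key from forging or altering a login, the timestamp bounds the replay window Richard mentions, and a nonce cache rejects replays inside that window; the key, the function names and the 60-second window are assumptions.

```python
import base64
import hashlib
import hmac
import json
import os
import time

SHARED_KEY = os.urandom(32)   # constructed for the demo; A and B would share it out of band
MAX_AGE_SECONDS = 60          # assumed replay window accepted by extranet B
CLOCK_SKEW_SECONDS = 5        # tolerance for B's clock being slightly behind A's


def _b64(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def mint_token(user_id: str, key: bytes, now=None) -> str:
    """Extranet A: build 'payload.signature' to append to every link into B."""
    issued = int(time.time() if now is None else now)
    payload = {"uid": user_id, "ts": issued, "nonce": _b64(os.urandom(12))}
    body = _b64(json.dumps(payload, separators=(",", ":"), sort_keys=True).encode())
    sig = hmac.new(key, body.encode("ascii"), hashlib.sha256).digest()
    return f"{body}.{_b64(sig)}"


def verify_token(token: str, key: bytes, seen_nonces: set, now=None,
                 max_age: int = MAX_AGE_SECONDS):
    """Extranet B's login module: return the user id, or None if the token is rejected."""
    try:
        body, sig_text = token.split(".", 1)
        expected = hmac.new(key, body.encode("ascii"), hashlib.sha256).digest()
        # Constant-time compare; a bad MAC means a forged or altered token.
        if not hmac.compare_digest(expected, _unb64(sig_text)):
            return None
        payload = json.loads(_unb64(body))
        age = (time.time() if now is None else now) - payload["ts"]
        if age < -CLOCK_SKEW_SECONDS or age > max_age:
            return None          # expired, or issued too far in the future
        if payload["nonce"] in seen_nonces:
            return None          # replayed inside the time window
        seen_nonces.add(payload["nonce"])
        return payload["uid"]
    except (ValueError, KeyError, TypeError):
        return None              # malformed token
```

The nonce set lives in B's process here; with several B instances it would need to be shared (or the window kept short enough that a per-node cache is acceptable).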
