Chris Beer <[email protected]> writes:

> In DLSS, we're working on an application that allows public access to
> some material, but WebAuthed users may receive additional access based
> on SUnet ID or workgroups. We've successfully added WebAuth to our
> application. When we require WebAuth across the whole application,
> everything works as expected (users are prompted by webauth as needed,
> the application receives the WebAuth credentials, etc). When we use
> WebAuthOptional to let anonymous/public users into the website, our
> application does not receive the WebAuth information from users who
> signed in to WebAuth through a different website.

Correct. WebAuth authentication is per web site, so your site has no way
(by design) of knowing whether the user is signed on to a different site.

> Has anyone else run into this problem before? Is there a work-around we
> should use (a .stanford.edu cookie that could tell us the user is
> WebAuth-able, a graceful way to 'try' WebAuth without interrupting the
> user, etc)? In the meantime, we're requiring the user to explicitly
> sign in to the application, but it would be nice to make this a seamless
> SSO process.

I'm afraid that you have to ask the user to explicitly sign in. I'm
reluctant to add a domain cookie saying that the user has single sign-on
cookies because this won't reliably work. If, for example, the user
authenticated with Negotiate-Auth, they will never have single sign-on
cookies, but they'll still be able to authenticate to any new site without
a password.

This model (where you're logged in unauthenticated by default and can
click on login to authenticate as yourself) is a very common pattern that
I think users already expect, so I don't think you're really missing that
much by not being able to know in advance if the user can sign in without
a password. (Personally, as a user, I actually prefer having an explicit
login link.)

-- 
Russ Allbery <[email protected]>
Technical Lead, ITS Infrastructure Delivery Group, Stanford University
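The "anonymous by default, explicit login link" pattern Russ describes, expressed as an Apache mod_webauth configuration. This is an added example, not configuration posted in the thread or shipped with WebAuth: it assumes mod_webauth is already loaded with its keyring, keytab and WebKDC settings configured elsewhere, and the `/app` and `/app/login` paths are placeholders for the application's own URLs.

```apache
# Added example (not from the thread). Assumes mod_webauth is loaded and
# globally configured; /app and /app/login are placeholder paths.

# Whole application: WebAuth is optional. Anonymous users are admitted, and
# WEBAUTH_USER is set only when the browser already holds this site's own
# WebAuth application cookie. A login at some other WebAuth site does not
# produce that cookie, which is the behaviour Chris observed.
<Location /app>
    AuthType WebAuth
    WebAuthOptional on
    Require valid-user
</Location>

# Explicit login entry point behind the "Log in" link: WebAuth is required
# here, so the user is sent to the WebKDC. If they already hold WebKDC
# single sign-on cookies (or authenticate via Negotiate-Auth) no password is
# asked; otherwise they see the login page. On return this site's
# application cookie is set and every later request under /app carries
# WEBAUTH_USER, so the application can grant the extra access.
<Location /app/login>
    AuthType WebAuth
    Require valid-user
</Location>
```

The application reads `WEBAUTH_USER` from the request environment; when it is absent the request is anonymous, and the page simply shows the login link. Redirecting the user from `/app/login` back to the page they came from is left to the application handler (for example via a return parameter it validates itself); no WebAuth directive is assumed for that step.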
