Thanks. We'll continue with the explicit login link, then.

Chris

On 23 Jul, 2012, at 10:57 , Russ Allbery wrote:

> Chris Beer <[email protected]> writes:
>
>> In DLSS, we're working on an application that allows public access to
>> some material, but WebAuthed users may receive additional access based
>> on SUnet ID or workgroups. We've successfully added WebAuth to our
>> application. When we require WebAuth across the whole application,
>> everything works as expected (users are prompted by webauth as-needed,
>> the application receives the WebAuth credentials, etc). When we use
>> WebAuthOptional to let anonymous/public users into the website, our
>> application does not receive the WebAuth information from users who
>> signed in to WebAuth through a different website.
>
> Correct. WebAuth authentication is per web site, so your site has no way
> (by design) of knowing whether the user is signed on to a different site.
>
>> Has anyone else run into this problem before? Is there a work-around we
>> should use (a .stanford.edu cookie that could tell us the user is
>> WebAuth-able, a graceful way to 'try' WebAuth without interrupting the
>> user, etc)? In the meantime, we're requiring the user to explicitly
>> sign-in to the application, but it would be nice to make this a seamless
>> SSO process.
>
> I'm afraid that you have to ask the user to explicitly sign in. I'm
> reluctant to add a domain cookie saying that the user has single sign-on
> cookies because this won't reliably work. If, for example, the user
> authenticated with Negotiate-Auth, they will never have single sign-on
> cookies, but they'll still be able to authenticate to any new site without
> a password.
>
> This model (where you're logged in unauthenticated by default and can
> click on login to authenticate as yourself) is a very common pattern that
> I think users already expect, so I don't think you're really missing that
> much by not being able to know in advance if the user can sign in without
> a password. (Personally, as a user, I actually prefer having an explicit
> login link.)
>
> --
> Russ Allbery <[email protected]>
> Technical Lead, ITS Infrastructure Delivery Group, Stanford University
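
The explicit-login pattern the thread settles on, sketched as an added example that is not part of the original messages or of WebAuth itself. It assumes the web server sets REMOTE_USER for signed-in users, that a hypothetical /login location is configured to require authentication while all other paths use WebAuthOptional, and that the `return` query parameter name is the application's own choice.

```python
# Added example: explicit-login pattern behind an optional-auth front end.
# Assumptions: the web server sets REMOTE_USER for signed-in users; the
# hypothetical path /login requires authentication, while every other
# path is served with WebAuthOptional.
from urllib.parse import parse_qs, quote, urlsplit

LOGIN_PATH = "/login"  # hypothetical protected location


def safe_return_path(candidate):
    """Accept only same-site absolute paths, so /login is not an open redirect."""
    if not candidate or not candidate.startswith("/") or candidate.startswith("//"):
        return "/"
    if "\\" in candidate or any(ord(c) < 0x20 for c in candidate):
        return "/"
    parts = urlsplit(candidate)
    if parts.scheme or parts.netloc:
        return "/"
    return candidate


def app(environ, start_response):
    user = environ.get("REMOTE_USER")  # absent for anonymous visitors
    path = environ.get("PATH_INFO", "/")
    if path == LOGIN_PATH:
        if not user:
            # Reached only if the web server is not enforcing auth here.
            start_response("403 Forbidden", [("Content-Type", "text/plain")])
            return [b"login location is not protected"]
        query = parse_qs(environ.get("QUERY_STRING", ""))
        target = safe_return_path(query.get("return", ["/"])[0])
        start_response("302 Found", [("Location", target)])
        return [b""]
    start_response("200 OK", [("Content-Type", "text/html; charset=utf-8")])
    if user:
        body = "<p>Signed in (additional access applies).</p>"
    else:
        # quote() percent-encodes quotes and angle brackets in the path.
        link = LOGIN_PATH + "?return=" + quote(path, safe="/")
        body = '<p>Public view. <a href="%s">Log in</a></p>' % link
    return [body.encode("utf-8")]
```

The application never tries to guess whether the visitor could sign in silently; it only reacts to REMOTE_USER, and the login endpoint refuses to redirect anywhere but a local path.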
