Re: [squid-users] Squid and Single Sign On

From: Fathi Ben Nasr <fathi.engineer@dont-contact.us>
Date: Tue Sep 3 06:21:11 2002

Henrik Nordstrom wrote:

> Squid understands the URL syntax
>
> http://user:password@server/path/to/file
>
> and will automatically translate into a Basic HTTP authentication when
> forwarding the request to an origin server.
>
> What this means is that you can easily use a redirector helper to add
> login information to forwarded requests.
>
> What is missing from your proposed approach is the "session" concept
> unless you are using some kind of authentication at Squid. What
> defines a "user", and how to connect this with "what login+password
> to use for this site"?

What I meant is: user A opens his browser, connects to a site, browses this
site and once he tries to get into a protected area, he is asked for
credentials.
He continues to browse other intranet servers and each time he gets into a
protected area of one of these intranet sites, his username/password are
used to authenticate him to these areas/web sites.
Squid could be configured to authenticate users and the username/password
the user gives for authenticating to squid are used for authenticating to
all intranet and only intranet/predefined web sites.

>
>
> Blindly forwarding authentication of one site to another is not wise
> from a security point of view. Such forwarding should only be done if
> explicitly enabled for the sites in question.

This is exactly what I need. Transparent authentication for a predefined
list of sites.

>
>
> If using Squid as an accelerator in front of your servers then a
> number of other possibilities are available and quite nice things can
> be done. See for example our eMARA product line.

What is eMARA ?

>
>
> Regards
> Henrik
>
> On Tuesday 03 September 2002 12.37, fathi.engineer@gnet.tn wrote:
>
> > What I want is: once and only once one site has requested the
> > user to authenticate himself, squid will request the
> > username/password from the user (as usual), store them in a
> > secure way and each time the user goes to another web site,
> > squid will use these credentials to authenticate him against
> > this new site, without requesting the user to enter his
> > credentials again.
> > So mainly, can squid act as such a single sign-on server/proxy
> > and authenticate to certain web servers on behalf of the
> > user?
> > If so, does apache need to be configured to request basic or
> > digest authentication ?
> > I think if this is possible with apache, it could be also
> > possible with any other httpd like tomcat or others.


Received on Tue Sep 03 2002 - 06:21:11 MDT
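
The redirector-helper approach Henrik describes, restricted to an explicit per-user list of sites, as an added example that is not part of the original thread and not Squid's own code. It assumes the classic redirector input line `URL client-ip/fqdn user method` with the Squid-authenticated username in the third field; the users, hosts and credentials in `SITE_LOGINS` are constructed placeholders.

```python
import sys
from urllib.parse import urlsplit, urlunsplit, quote

# Constructed sample data: proxy user -> {allowlisted host: (login, password)}.
# Hosts and credentials are placeholders, not values from the thread.
SITE_LOGINS = {
    "alice": {
        "intranet.example.test": ("alice", "s3cr3t/pw"),
        "wiki.example.test": ("awiki", "p@ss word"),
    },
}


def rewrite(line):
    """Return the URL to hand back to Squid, or "" to leave the request unchanged."""
    fields = line.split()
    if len(fields) < 3:
        return ""
    url, user = fields[0], fields[2]
    parts = urlsplit(url)
    # Only plain http URLs, and never override credentials already present in the URL.
    if parts.scheme != "http" or parts.username is not None or not parts.hostname:
        return ""
    # Exact host match: a name that merely starts with an allowlisted host must not qualify.
    creds = SITE_LOGINS.get(user, {}).get(parts.hostname.lower())
    if creds is None:
        return ""
    # Percent-encode so '@', ':' or '/' inside a credential cannot change which host
    # the URL points at (assumption: the proxy decodes userinfo; check your version).
    login, password = (quote(c, safe="") for c in creds)
    netloc = f"{login}:{password}@{parts.netloc}"
    return urlunsplit((parts.scheme, netloc, parts.path, parts.query, parts.fragment))


def main():
    # Squid keeps the helper running and sends one request per line on stdin.
    for line in sys.stdin:
        sys.stdout.write(rewrite(line) + "\n")
        sys.stdout.flush()


if __name__ == "__main__":
    main()
```

Requests for any host or user missing from the table come back as an empty line, so Squid forwards them untouched and no stored login leaves the predefined list of sites.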
