Single Sign On
Maybe use Kerberos/LDAP for that?
- ✔ openresty package with extra lua libs needed for sso
- ✔ presencesync_cacheserver
- ✔ docs
- ✔ real-life testing
- ✗ SSO on IRC (cc @mareo)
- ✗ SSO on dj_ango (see #78)
- ✗ SSO on paste
Comments (16)
-
-
- marked as minor
Kerberos/LDAP is maybe not the best if we want to keep prologin-sadm simple and stupid.
-
- removed responsible
IP based authentication for django apps may be interesting:
- User goes to http://app/
- Django app does DNS reverse lookup to get hostname of the request originator
- Django app looks into udb to get the user logged into this hostname
- Django app authenticates this user
-
reporter FYI, you might want to investigate SSO solutions that require minimal application modifications so that you could get it to somewhat work with non-Django apps (if you limit to Django apps, having nice SSO is easy, I'm sure there are already premade apps for that).
For example, you could use openresty as the reverse proxy for web apps (nginx + lua, basically) and implement the SSO layer in there. That would allow you to pass a trusted X-User-Login header to applications and use that directly for auth.
In any case, limiting to Django apps really narrows the scope, and I'm not sure if we want this (what about Redmine or wiki for example?)
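An added example, not code from this thread or from prologin-sadm: a WSGI middleware for the application side of the trusted `X-User-Login` header described above. It accepts the header only from the reverse proxy and exposes it as `REMOTE_USER`, the key Django's `RemoteUserMiddleware` reads. The proxy address, the login syntax and all names in the block are assumptions.

```python
import ipaddress
import re

# Assumption: the openresty reverse proxy reaches the app from this address only.
TRUSTED_PROXIES = {ipaddress.ip_address("127.0.0.1")}
HEADER = "HTTP_X_USER_LOGIN"                 # WSGI name of the X-User-Login header
LOGIN_RE = re.compile(r"[a-z0-9_.-]{1,32}")  # assumed login syntax


class TrustedLoginHeader:
    """WSGI middleware: honour X-User-Login only when the proxy sent it."""

    def __init__(self, app, trusted=TRUSTED_PROXIES):
        self.app = app
        self.trusted = set(trusted)

    def _peer_is_proxy(self, environ):
        try:
            peer = ipaddress.ip_address(environ.get("REMOTE_ADDR", ""))
        except ValueError:
            return False
        return peer in self.trusted

    def __call__(self, environ, start_response):
        # Always remove the raw header so the app never reads a client-supplied value.
        login = environ.pop(HEADER, None)
        # Clear any pre-existing REMOTE_USER; only this middleware may set it.
        environ.pop("REMOTE_USER", None)
        if login and self._peer_is_proxy(environ) and LOGIN_RE.fullmatch(login):
            environ["REMOTE_USER"] = login
        return self.app(environ, start_response)


def demo_app(environ, start_response):
    """Constructed sample app: reports who the middleware authenticated."""
    user = environ.get("REMOTE_USER", "anonymous")
    start_response("200 OK", [("Content-Type", "text/plain")])
    return [user.encode()]


def whoami(remote_addr, header_value=None):
    """Run one constructed request through the middleware and return the body."""
    environ = {"REQUEST_METHOD": "GET", "PATH_INFO": "/", "REMOTE_ADDR": remote_addr}
    if header_value is not None:
        environ[HEADER] = header_value
    body = TrustedLoginHeader(demo_app)(environ, lambda status, headers: None)
    return b"".join(body).decode()
```

The header is only as trustworthy as the path it travels: the proxy has to overwrite any `X-User-Login` a client sends, and the application must not be reachable except through the proxy.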
-
reporter As an example, googling for "openresty sso" gives me interesting results like https://github.com/Kloadut/SSOwat
-
-
assigned issue to
Started in 115533e. Needs a better cache in a standalone presencesync client.
-
assigned issue to
-
b494dc9 simplifies the lua scripts by putting lua libs into openresty. Still needs the presencesync cache, it's coming next.
-
presencesync cache done, needs to update docs on installing & enabling it. Also, bug: the sso/ folder is not installed in /etc/nginx by any install.py target!
-
- edited description
-
Some nginx & django stuff in pull request #8.
-
Mostly done now that pull request #8 is merged. Will check the paste service before closing that.
-
- changed status to on hold
Waiting for paste to be updated.
-
- changed status to open
-
- edited description
-
- marked as enhancement
- removed responsible
- edited description
@mareo started hacking around UnrealIRCd to add SSO support (auto oper/voice/channel protection). Needs to be polished & fully integrated into setup (aka documented).
-
- edited description
-
We're going to try web SSO using SSL client certs saved in UDB.