[imp] IMP and External Single Sign On systems

Duane Currie Duane.Currie@acadiau.ca
Thu, 18 Jul 2002 16:18:55 -0300


Does anyone have any experience with integrating IMP with any external authentication systems?

We're implementing a single web signon solution here, and we wish to have IMP automatically operate with that login. However, IMP currently requires the IMAP username and password in order to authenticate. The single signon system, however, purposefully does not allow the transmission of the password itself to anything other than the single signon system's login server.

The SSO solution works as a web server plugin to Apache, and is more-or-less invisible to the application. It sets REMOTE_USER, and adds a bit more information in HTTP headers, including the ticket's value itself.

I've seen a page where someone posted a means of SSO w/password for IMP that used a MySQL database to store passwords and some other information, but local policy here disallows storage of readable passwords, so that's not really an option. As well, our password storage is in other external systems (e.g. NDS, SAM), and not hook-able in order to keep the database in sync.

Since we upgrade IMP fairly often, I'd also prefer to avoid much in the way of changes to the IMP software in order to make this function.

We've come up with a couple of ideas:

    1.  Provide a SOAP service which uses public key cryptography to provide the password to IMP, and initialize IMP's ImpSession structure with that information.

    2.  Create a PAM module for the IMAP server to use which accepts and validates a forwarded authentication ticket from the SSO service. So, the trick would be to make IMP think that the ticket itself is the password, and use the same username. Then the PAM module would receive the ticket and can process it from there.

That's two of our cleaner thoughts, but I'm open to any suggestions. So, before we go ahead with this, I was wondering if anyone has already worked on or is working on this, or if there were any suggestions anyone has.

Thanks,
Duane
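An added example (not code from the post, from IMP/Horde, or from the SSO product described) that models idea 2 end to end: the SSO login server mints a ticket, the web tier reads REMOTE_USER plus the ticket header and hands the ticket to IMP in place of the IMAP password, and a stand-in for the PAM module on the IMAP server validates it. The post does not describe the SSO ticket format, so the `user|expiry|hmac` layout, the shared key, and the `X-SSO-Ticket` header name are assumptions; a real PAM module would be written in C, but the three checks it has to make (integrity, freshness, binding to the presented username) are the same.

```python
import hmac
import hashlib

# Constructed example, not IMP/Horde code and not the SSO product from the post.
# Assumption: the SSO login server and the IMAP server's PAM module share this key,
# and a ticket is "user|expiry|hmac-sha256-hex" (the real ticket format is not given).
SSO_KEY = b"constructed-demo-key-do-not-use"
TICKET_HEADER = "HTTP_X_SSO_TICKET"   # assumed CGI name of the header the Apache plugin adds
TICKET_TTL = 300                      # seconds; kept short because the ticket is a bearer credential


def _tag(user: str, expiry: str, key: bytes) -> str:
    """MAC over the fields the PAM module will later rely on."""
    return hmac.new(key, f"{user}|{expiry}".encode(), hashlib.sha256).hexdigest()


def issue_ticket(user: str, now: int, key: bytes = SSO_KEY) -> str:
    """What the SSO login server mints once it has verified the real password."""
    if "|" in user:
        raise ValueError("username may not contain the field separator")
    expiry = str(now + TICKET_TTL)
    return f"{user}|{expiry}|{_tag(user, expiry, key)}"


def imp_credentials_from_env(environ: dict):
    """Web-app side: take the identity the Apache plugin asserted in REMOTE_USER and
    pass the ticket to IMP as if it were the IMAP password; IMP itself is unchanged."""
    user = environ.get("REMOTE_USER")
    ticket = environ.get(TICKET_HEADER)
    if not user or not ticket:
        return None
    return user, ticket


def pam_authenticate(user: str, password: str, now: int, key: bytes = SSO_KEY):
    """Stand-in for the PAM module's pam_sm_authenticate() on the IMAP server: the
    'password' the IMAP daemon hands over is the forwarded SSO ticket. Returns (ok, reason)."""
    parts = password.split("|")
    if len(parts) != 3:
        return False, "malformed ticket"
    t_user, t_exp, t_tag = parts
    # 1. Integrity first: no other field can be trusted until the MAC checks out.
    if not hmac.compare_digest(t_tag.encode(), _tag(t_user, t_exp, key).encode()):
        return False, "bad signature"
    # 2. Freshness: a leaked ticket is only useful for TICKET_TTL seconds.
    if not t_exp.isdigit() or now >= int(t_exp):
        return False, "ticket expired"
    # 3. Binding: the ticket must name the account IMAP is being asked to open,
    #    otherwise any valid ticket would open any mailbox.
    if not hmac.compare_digest(t_user.encode(), user.encode()):
        return False, "ticket issued to a different user"
    return True, "ok"


def imap_login(user: str, password: str, now: int) -> bool:
    """Models the IMAP daemon calling into PAM with the credentials IMP sent."""
    ok, _reason = pam_authenticate(user, password, now)
    return ok


if __name__ == "__main__":
    now = 1_000_000
    ticket = issue_ticket("duane", now)
    env = {"REMOTE_USER": "duane", TICKET_HEADER: ticket}   # constructed CGI environment
    user, pw = imp_credentials_from_env(env)
    print("login:", imap_login(user, pw, now + 5))
    print("expired:", pam_authenticate("duane", ticket, now + TICKET_TTL))
    print("wrong user:", pam_authenticate("someone", ticket, now + 5))
```

Two caveats the model makes visible: the ticket travels to the IMAP server as a bearer credential, so whoever can read the header on the IMP host can replay it until it expires, which is why the TTL is short and the user binding is mandatory; and the signature check runs before anything else so that a forged expiry or username never influences the decision.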
