[imp] IMP and External Single Sign On systems
Duane Currie
Duane.Currie@acadiau.ca
Thu, 18 Jul 2002 16:18:55 -0300
Does anyone have any experience with integrating IMP with any external authentication systems?

We're implementing a single web signon solution here, and we wish to have IMP automatically operate with that login. However, IMP currently requires the IMAP username and password in order to authenticate. The single signon system, however, purposefully does not allow the transmission of the password itself to anything other than the single signon system's login server.

The SSO solution works as a web server plugin to Apache, and is more-or-less invisible to the application. It sets REMOTE_USER, and adds a bit more information in HTTP headers, including the ticket's value itself.

I've seen a page where someone posted a means of SSO w/password for IMP that used a MySQL database to store passwords and some other information, but local policy here disallows storage of readable passwords, so that's not really an option. As well, our password storage is in other external systems (e.g. NDS, SAM), and not hook-able in order to keep the database in sync.

Since we upgrade IMP fairly often, I'd also prefer to avoid much in the way of changes to the IMP software in order to make this function.

We've come up with a couple of ideas:

1. Provide a SOAP service which uses public key cryptography to provide the password to IMP, and initialize IMP's ImpSession structure with that information.

2. Create a PAM module for the IMAP server to use which accepts and validates a forwarded authentication ticket from the SSO service. So, the trick would be to make IMP think that the ticket itself is the password, and use the same username. Then the PAM module would receive the ticket and can process it from there.

Those are two of our cleaner thoughts, but I'm open to any suggestions. So, before we go ahead with this, I was wondering if anyone has already worked on or is working on this, or if there were any suggestions anyone has.

Thanks,
Duane
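The following is an added example illustrating the checks idea 2 above needs on the IMAP side; it is not code from the post, from IMP/Horde, or from the poster's SSO product. The real SSO ticket format is unknown, so a constructed one is assumed: the SSO login server issues `base64url(username) . expiry . base64url(HMAC-SHA256(secret, username.expiry))`, IMP passes that string through the IMAP LOGIN as if it were the password, and the validator (which a PAM module would implement) shares the secret. Names such as `issue_ticket`, `validate_ticket` and `TICKET_SECRET` are this example's own.

```python
"""Model of "the ticket itself is the password" (idea 2 in the post).

Added example, not code from the post or from IMP/Horde.  Ticket format is
constructed for the demo: base64url(user) "." expiry "." base64url(mac), where
mac = HMAC-SHA256(TICKET_SECRET, user "." expiry).  A real PAM module would do
the validate_ticket() work in C against the real SSO's ticket format.
"""
import base64
import hashlib
import hmac
import time

# Constructed demo value: shared only by the SSO login server and the IMAP host.
TICKET_SECRET = b"constructed-demo-secret-not-for-real-use"


def _b64(data: bytes) -> str:
    # URL-safe alphabet, no padding: the ticket must pass through IMAP LOGIN as
    # an ordinary astring, and '.' never appears in the alphabet, so it is a
    # safe field separator.
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def issue_ticket(username: str, lifetime: int, now: int,
                 secret: bytes = TICKET_SECRET) -> str:
    """What the SSO login server hands to IMP: user, expiry and a MAC over both."""
    expiry = now + lifetime
    mac = hmac.new(secret, f"{username}.{expiry}".encode(), hashlib.sha256).digest()
    return f"{_b64(username.encode())}.{expiry}.{_b64(mac)}"


def validate_ticket(login_user: str, ticket: str, now: int,
                    secret: bytes = TICKET_SECRET) -> bool:
    """The check a PAM module would run on the (username, "password") pair.

    Accepts only a well-formed, unexpired ticket whose embedded user matches the
    account named in the IMAP LOGIN and whose MAC verifies under the shared secret.
    """
    parts = ticket.split(".")
    if len(parts) != 3:
        return False
    try:
        user = _unb64(parts[0]).decode("utf-8")
        expiry = int(parts[1])
        mac = _unb64(parts[2])
    except (ValueError, UnicodeDecodeError):
        return False
    if user != login_user:
        # A ticket issued for one account must not open another mailbox.
        return False
    if now >= expiry:
        # The ticket is a bearer credential for the mail server; enforce its lifetime.
        return False
    expected = hmac.new(secret, f"{user}.{expiry}".encode(), hashlib.sha256).digest()
    # Constant-time comparison so the MAC check leaks nothing via timing.
    return hmac.compare_digest(mac, expected)


if __name__ == "__main__":
    now = int(time.time())
    t = issue_ticket("duane", 300, now)
    print("ticket:", t)
    print("valid for duane:", validate_ticket("duane", t, now + 10))
    print("valid for other:", validate_ticket("other", t, now + 10))
    print("valid after expiry:", validate_ticket("duane", t, now + 600))
```

The point of the example is the three checks, not the format: the ticket must be bound to the username IMP sends in the same LOGIN, it must expire, and its integrity must be verifiable by the IMAP side without that side ever seeing the user's real password. Because the ticket works as a password for the IMAP server until it expires, the lifetime should be short, the shared secret should live only on the SSO login server and the IMAP host, and the IMAP session carrying it should be TLS-protected just as a password login would be.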