Signature Based Single Sign-On Framework Documentation Sheet. SSO Agent php- The content of this document is related to the



Similar documents
EXT: Single Sign-On. This document is published under the Open Content License available from

Configuring IBM HTTP Server as a Reverse Proxy Server for SAS 9.3 Web Applications Deployed on IBM WebSphere Application Server

DEPLOYMENT OF I M INTOUCH (IIT) IN TYPICAL NETWORK ENVIRONMENTS. Single Computer running I m InTouch with a DSL or Cable Modem Internet Connection

Installing an SSL certificate on the InfoVaultz Cloud Appliance

Only LDAP-synchronized users can access SAML SSO-enabled web applications. Local end users and applications users cannot access them.

Laboratory Exercises VI: SSL/TLS - Configuring Apache Server

TROUBLESHOOTING RSA ACCESS MANAGER SINGLE SIGN-ON FOR WEB-BASED APPLICATIONS

Webmail Using the Hush Encryption Engine

Contents Set up Cassandra Cluster using Datastax Community Edition on Amazon EC2 Installing OpsCenter on Amazon AMI References Contact

FERMILAB CENTRAL WEB HOSTING SINGLE SIGN ON (SSO) ON CWS LINUX WITH SAML AND MOD_AUTH_MELLON

JOSSO 2.4. Internet Information Server (IIS) Tutorial

Tableau Server Trusted Authentication

Extending Remote Desktop for Large Installations. Distributed Package Installs

MySQL Quick Start Guide

How To - Implement Single Sign On Authentication with Active Directory

Integrations. Help Documentation

Tableau Server Trusted Authentication

Copyright: WhosOnLocation Limited

Deploying the BIG-IP System with Oracle E-Business Suite 11i

*Described in the Release Notes. Generally this step will be performed by the admin end-users.

MIGS Payment Client Installation Guide. EGate User Manual

Configuration Worksheets for Oracle WebCenter Ensemble 10.3

OneLogin Integration User Guide

Using Network Attached Storage with Linux. by Andy Pepperdine

Installation Guide for WebSphere Application Server (WAS) and its Fix Packs on AIX V5.3L

Contents. 1. Infrastructure

Magento Search Extension TECHNICAL DOCUMENTATION

mod_auth_pubtkt a pragmatic Web Single Sign-On solution by Manuel Kasper, Monzoon Networks AG mkasper@monzoon.net

Integrating EJBCA and OpenSSO

Configuring. Moodle. Chapter 82

Release Notes RSA Authentication Agent for Web for IIS 7.0, 7.5, and 8.0 Web Server

Secure Messaging Server Console... 2

NSi Mobile Installation Guide. Version 6.2

EZcast technical documentation

INSTALLING KAAZING WEBSOCKET GATEWAY - HTML5 EDITION ON AN AMAZON EC2 CLOUD SERVER

This chapter describes how to use the Junos Pulse Secure Access Service in a SAML single sign-on deployment. It includes the following sections:

Introduction to ServerIron ADX Application Switching and Load Balancing. Module 6: Content Switching (CSW) Revision 0310

Introduction Connecting Via FTP Where do I upload my website? What to call your home page? Troubleshooting FTP...

XIA Configuration Server

Livezilla How to Install on Shared Hosting By: Jon Manning

When choosing where to install and run the log analyzer, be aware that it requires access to the following log files:

VMware Identity Manager Connector Installation and Configuration

Backing Up and Restoring Data

CommandCenter Secure Gateway

Installation Procedure SSL Certificates in IIS 7

About This Document 3. Integration Overview 4. Prerequisites and Requirements 6

MySQL Quick Start Guide

HOWTO: Setting up WP7 monitoring tools with GLite

Browser Client 2.0 Admin Guide

CN=Monitor Installation and Configuration v2.0

Deploying the BIG-IP System v10 with Oracle Application Server 10g R2

SchoolBooking SSO Integration Guide

Using EMC Unisphere in a Web Browsing Environment: Browser and Security Settings to Improve the Experience

Security Provider Integration Kerberos Authentication

MS 10972A Administering the Web Server (IIS) Role of Windows Server

SAML single sign-on configuration overview

MultiValue Dashboard. Installation Guide

SSO Plugin. HP Service Request Catalog. J System Solutions. Version 3.6

LICENSE4J FLOATING LICENSE SERVER USER GUIDE

IUCLID 5 Guidance and Support

Tableau Server Administrator Guide

Integrating VMware Horizon Workspace and VMware Horizon View TECHNICAL WHITE PAPER

This section includes troubleshooting topics about single sign-on (SSO) issues.

Configuring Apache HTTP Server With Pramati

Tableau Server Administrator Guide

CA NetQoS Performance Center

HRSWEB ActiveDirectory How-To

Integrating OID with Active Directory and WNA

FileCloud Security FAQ

10972-Administering the Web Server (IIS) Role of Windows Server

Novell Access Manager

Spam Marshall SpamWall Step-by-Step Installation Guide for Exchange 5.5

MySQL quick start guide

Tableau Server Administrator Guide

McAfee Directory Services Connector extension

Siteminder Integration Guide

There are numerous ways to access monitors:

Deployment Guide Microsoft IIS 7.0

McAfee One Time Password

Tenrox. Single Sign-On (SSO) Setup Guide. January, Tenrox. All rights reserved.

Customizing the SSOSessionTimeout.jsp page for Kofax Front Office Server 3.5.2

Expresso Quick Install

System Area Management Software Tool Tip: Agent Deployment utilizing. the silent installation with Active Directory

Cloud Services. Introduction...2 Overview...2. Security considerations Installation...3 Server Configuration...4

PC-Duo Web Console Installation Guide

Nagios Web Service Checker

ESX 4 Patch Management Guide ESX 4.0

CHAPTER 7 SSL CONFIGURATION AND TESTING

Managed Devices - Web Browser/HiView

Asia Web Services Ltd. (vpshosting.com.hk)

Blue Coat Security First Steps Solution for Integrating Authentication

Running Multiple Shibboleth IdP Instances on a Single Host

FTP, IIS, and Firewall Reference and Troubleshooting

Embedded Based Web Server for CMS and Automation System

Merchant API for PHP libcurl Implementation Guide to the PHP libcurl Examples for Apache Web Server Version 1.0.5

CA Performance Center

CloudOYE CDN USER MANUAL


How to Install Multicraft on a VPS or Dedicated Server (Ubuntu bit)

Transcription:

Signature Based Single Sign-On Framework Documentation Sheet SSO Agent php- The content of this document is related to the Signature Based Single Sign-On Framework available from www.single-signon.com Product Website Version and Status SSO Framework Version Author License http://www.single-signon.com 0.61 1.0 D. Heise, net&works GmbH sso (at) naw.de GPL Verified to Work with SSO-Server Versions TYPO3 : Single Sign-On (naw_single_signon) 0.1.3 Prerequisits OpenSSL, preferrably compiled into PHP [otherwise the OpenSSL executable currently needs to be in the searchpath of the webserver's uid] currently only tested on Unix Servers. currently only tested with Apache. General Remarks Installation + Configuration Download sso-agent-php_latest.tar.gz unpack where needed (depending on your implementation) cd htdocs tar -xzfv sso-agent-php.tar.gz This will extract sigsso.php and sigsso.conf to the current directory. set the file access rights as needed Example (Unix): chmod 500 chown wwwrun:nogroup sigsso.php Now you need to deploy the OpenSSL public key file from your SSO-Server. You may put it in any place accessible from the SSO Agent. Finally, configure the SSO Agent.

Although by time there may be more then one implementation of the SSO Agent, there is a common set of configuration options, typically to be defined in a file called sigsso.conf. In the current sigsso.php, the location of the config file is coded in the php script. To change the location, you need to change the line to the proper value. $configfile="/usr/local/sigsso/etc/sigsso.conf"; The sigsso.php configuration file is divided into subparts: Every part has different options and values, separated by a colon (":"). Whitespaces (blanks etc.) are allowed. Comments are prefixed by the pound sign ("#"). SSO Agent - The Section Key: Possible Values: loglevel 0: no logging 1: errors (tpa_id + user) 2: success and errors (tpa_id + user) 3: errors (tpa_id + user + expires + signature) 4: success and errors (tpa_id + user + expires + signature) public_key tokensfile /path/to/your/public.key /path/to/your/tokensfileused to store the data of used links logfile /path/to/your/logfile [configuration of sigsso.conf, section] Example: loglevel:2 public_key: /path/to/your/public.key tokensfile: tokensfile.txt logfile: sigsso.log sigsso.conf section For each TPA_ID (as configured in the Single Sign-On content element in Typo3), you need to add one line here. Currently this SSO Agent supports two types of TPA Adapters: command line and PHP scripts. The syntax for command line scripts is <tpa_id> followed by ": cmd://" (colon, some optional whitespace, "cmd", colon", slash, slash) and the system call to the TPA Adapter, including parameters. The syntax for PHP scripts is identical, but "php" instead of "cmd".

Normally, each call will require specific parameters, some of them dynamic (i.e. server variables). These can be given, represented by keywords in percent signs. Currently, the following variables are supported by this SSO Agent: Variable Name: Explaination: %remote% %agent% The IP address of the browser The browser's user agent identification string %user% The user name to be logged on to the TPA [configuration of sigsso.conf, section, cmd:// call] Example (command line invocation): MyOwnApp: cmd:///usr/lib/java/bin/java /path/to/tpa_adapter --remote_addr=%remote% --url=https://redirect.url/index.jsp --uid=%user% --moreparameters=anything_you_need Example (PHP invocation): MyOwnPHPApp: php://www/my/script.php --url=https://redirect.url/index.jsp --moreparameters=anything_you_need The PHP-based TPA Adapter does not need to receive the server variables (as listed above) explicitly, since the PHP script will be included and thus the parameters are available directly to the TPA Adapter. SSO Agent - The Section This section allows you to override the default messages that are displayed to the browser in case of an error. Instead of a different message text, you may also give a URL to redirect to; this is recognized by the leading "http://" or "https://". The following table gives the keyword and default message text for each error situation: user_missing tpaid_missing expires_missing Key: Default Value: sigsso: Invocation error - missing USER sigsso: Invocation error - missing TPA_ID sigsso: Invocation error - missing ExpirationTime signature_missing sslkey_missingconf usedtokens_missingconf logfile_missingconf sslkey_missingfile usedtokens_missingfile logfile_missingfile tpaid_unknown usedtokens_allreadyused signature_invalid expires_exeeded tpa_error [sigsso: default errorcodes] sigsso: Invocation error - missing signature sigsso: error in configfile - missing public_ssl_key sigsso: error in configfile - missing tokensfile entry sigsso: error in configfile - missing logfile sigsso: file access error - SSL public key file sigsso: file access error - UsedTokens file sigsso: file access error - log file sigsso: validation error - TPA_ID is invalid or not configured sigsso: validation error - SSO Link has been used before sigsso: validation error - signature invalid sigsso: validation error - SSO Link expired (or system clock out of sync?)! sigsso: An error in the Third Party Application Adapter occurred. It said:

See 3.4.2 for an explaination of the error messages. Example: signature_missing: An error occured while trying to access the application. Please contact your system administrator. expires_exceeded: http://my.errorpages.de/why_expired.html Return Values in case of error Logging + Debugging Increase Logging If a request does reach the SSO Agent, then most likely you will be able to find helpful information by increasing the log level. See "Understanding SSO Agent Error Messages" in the "Signature-Based Single Sign-On Framework" document for details. The place of the logfile is configured in the sigsso.conf. The Log for a successful use of the link/redirect looks like this (loglevel:2) Wed Oct 22 11:29:16 CEST 2003 IP:192.168.1.59 USER:kasper TPA_ID:MyOwnApp At the beginning, the date followed by the users IP, the username itself, and the accessed tpa_id. If something goes wrong the errorcode is attached at the end of the line followed by the errordesciption. Looks like: Wed Oct 22 13:31:19 CEST 2003 IP:192.168.1.59 USER:kasper TPA:MyOwnApp ERROR:31 ERRORTEXT:sigsso: validation error - SSO Link has been used before For a higher loglevel the expiration time and the full signature will be logged too. Implementation Details [optional]./. Limitations, Known Problems, To-Do

Sample Config File # sigsso.conf sample file # 2004-07-04 loglevel:4 # 0: no logging # 1: errors (tpa_id + user) # 2: success and errors (tpa_id + user) # 3: errors (tpa_id + user + expires + signature) # 4: success and errors (tpa_id + user + expires + signature) public_ssl_key: /usr/local/sigsso/etc/sigsso_public.key tokensfile: /usr/local/sigsso/tmp/usedtokens.txt logfile: /var/log/sigsso/sigsso.log externalopenssl: 1 tmp_signature_dir: /tmp tmp_signature_prefix: sign_ user_missing: tpaid_missing: expires_missing: signature_missing: tpaid_unknown: sslkey_missingconf: sslkey_missingfile: usedtokens_missingconf: usedtokens_missingfile: usedtokens_allreadyused: The link to this application has been used before. Please reload the original page, and please do not double-click! signature_invalid: tpa_error: logfile_missingconf: logfile_missingfile: expires_exeeded: owl: php://www/owl/htdocs/index_sso.php --url=http://www.my.server/owl/browse.php chat: php://www/chat/htdocs/phpopenchat/index_sso.php --url=http://www.mychat.server/index.php phpbb: php://www/phpbb/htdocs/index_sso.php --url=http://www.myphpbb.server/index.php wbboard: php://www//wbboard/index_sso.php --url=http://www.my.server/wbboard/index.php otrs: cmd://opt/otrs/bin/cgi-bin/index_sso.pl --remote_addr=%remote% --agent=%agent% --url=http://www.my.server/otrs/index.pl --user=%user% olb: php://www//olbookmarks/index_sso.php --url=http://www.my.server/olbookmarks/index.php # # Note: Although in this example some redirects point to different hostnames, # these hostnames all have to point to this machine. # # If you want to integrate applications on different server machines: # Deploy and configure the SSO Agent on each.

2026 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information