Posted to modperl@perl.apache.org by Larry Leszczynski <la...@emailplus.org> on 2004/03/24 16:47:45 UTC

Ticket-based access control across multiple domains?

Hi all -

I've been looking into designs for a mod_perl cookie-based "single
sign-on" kind of authentication system that would use a central
authentication server across multiple products.  I've been looking at
things like Apache::TicketAccess, Apache::AuthTicket, Authen::Ticket,
etc., but they all appear to be designed around generating cookies for a
single domain, while in my case I've got products in multiple domains,
e.g.:
   product1.domain.com
   product2.domain.com
   product3.otherdomain.com

I'm figuring I'd need to do some extra redirection and cookie translation
so that I can have (e.g. to get to product3) ticketmaster.domain.com do
the authorization, set a master "I'm authenticated" cookie, redirect to
ticketslave.otherdomain.com, which would have to recognize the master
"domain.com" authentication info and set an "otherdomain.com"
authentication cookie that product3 will recognize...

Does anyone know of existing modules out there that might do what I need,
or have general ideas on how to approach the problem?


Thanks!
Larry Leszczynski


-- 
Report problems: http://perl.apache.org/bugs/
Mail list info: http://perl.apache.org/maillist/modperl.html
List etiquette: http://perl.apache.org/maillist/email-etiquette.html


RE: Ticket-based access control across multiple domains?

Posted by Clayton Cottingham <dr...@telus.net>.
one place used to do something like this

person logs onto <domain1> via form
form submits to current domain, <domain1>
<domain1> one passes cgi to <masterdomain>
<masterdomain> script loads on client's computer
set cookie for <masterdomain>


client can now surf to all sub domains via a small check master domain
cookie


-----Original Message-----
From: Perrin Harkins [mailto:perrin@elem.com]
Sent: Wednesday, March 24, 2004 11:08 AM
To: Larry Leszczynski
Cc: mod_perl List
Subject: Re: Ticket-based access control across multiple domains?


On Wed, 2004-03-24 at 10:47, Larry Leszczynski wrote:
> I've been looking into designs for a mod_perl cookie-based "single
> sign-on" kind of authentication system that would use a central
> authentication server across multiple products.

Ask Bjørn Hansen and Robert Spier gave a presentation about the single
sign-on system used by cpan.org at OSCON.  There may be source
available.

It's not really very hard to build one.  The way you build it will vary
depending on your requirements.  It's definitely easier if you can
access some shared resource (like a central database) so that all you
need to pass around is a ticket that each domain can use to look up the
user in the shared db.

- Perrin




Re: Ticket-based access control across multiple domains?

Posted by Perrin Harkins <pe...@elem.com>.
On Wed, 2004-03-24 at 10:47, Larry Leszczynski wrote:
> I've been looking into designs for a mod_perl cookie-based "single
> sign-on" kind of authentication system that would use a central
> authentication server across multiple products.

Ask Bjørn Hansen and Robert Spier gave a presentation about the single
sign-on system used by cpan.org at OSCON.  There may be source
available.

It's not really very hard to build one.  The way you build it will vary
depending on your requirements.  It's definitely easier if you can
access some shared resource (like a central database) so that all you
need to pass around is a ticket that each domain can use to look up the
user in the shared db.

- Perrin
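
The cross-domain handoff discussed in this thread, as an added example that is not code from any poster or from the modules named above: ticketmaster.domain.com mints a short-lived, single-use, HMAC-signed ticket bound to one target host, and ticketslave.otherdomain.com verifies it before setting its own cookie. The shared secret, the 60-second lifetime, the "|"-separated ticket layout, the sub names and the in-memory hash standing in for the shared database are all assumptions; the ticket is assumed to travel as a URL-escaped query parameter on an HTTPS redirect.

```perl
use 5.014;    # for s///r in the demo below
use strict;
use warnings;
use Digest::SHA qw(hmac_sha256_hex);

# Assumptions (not from the thread): one secret known to both servers, a
# 60-second lifetime, and %redeemed standing in for the shared database.
my ($SECRET, $TTL) = ('constructed-demo-secret', 60);
my $SLAVE = 'ticketslave.otherdomain.com';
my %redeemed;

# ticketmaster.domain.com: mint a ticket for one target host after login.
sub issue_ticket {
    my ($user, $audience, $now) = @_;
    die "bad user name\n" unless $user =~ /\A[-\w.\@]+\z/;   # no '|' allowed
    open my $fh, '<:raw', '/dev/urandom' or die "urandom: $!";
    read($fh, my $buf, 16) == 16 or die "short read from urandom\n";
    my $body = join '|', $user, $audience, $now + $TTL, unpack('H*', $buf);
    return $body . '|' . hmac_sha256_hex($body, $SECRET);
}

# ticketslave.otherdomain.com: verify before setting the local cookie.
sub redeem_ticket {
    my ($ticket, $my_host, $now) = @_;
    my @f = split /\|/, $ticket, -1;
    return unless @f == 5 && $f[2] =~ /\A\d+\z/;
    my ($user, $aud, $exp, $nonce, $mac) = @f;
    my $want = hmac_sha256_hex(join('|', @f[0 .. 3]), $SECRET);
    return unless length($mac) == length($want);
    my $diff = 0;    # compare every character so timing does not leak a prefix
    $diff |= ord(substr($mac, $_, 1)) ^ ord(substr($want, $_, 1)) for 0 .. length($want) - 1;
    return if $diff;                  # forged or altered
    return if $aud ne $my_host;       # minted for another domain
    return if $now > $exp;            # expired
    return if $redeemed{$nonce}++;    # already used once
    return $user;
}

my $t0 = time;
my $t  = issue_ticket('larry', $SLAVE, $t0);
my @cases = (    # constructed inputs: label, ticket, verifying host, clock
    [ 'first use',    $t, $SLAVE, $t0 + 5 ],
    [ 'replay',       $t, $SLAVE, $t0 + 6 ],
    [ 'expired',      issue_ticket('larry', $SLAVE, $t0), $SLAVE, $t0 + 61 ],
    [ 'wrong domain', issue_ticket('larry', 'product1.domain.com', $t0), $SLAVE, $t0 + 5 ],
    [ 'tampered',     issue_ticket('larry', $SLAVE, $t0) =~ s/^larry/admin/r, $SLAVE, $t0 + 5 ],
);
for my $c (@cases) {
    my $user = redeem_ticket(@$c[1 .. 3]);
    printf "%-13s %s\n", $c->[0], defined $user ? "accepted as $user" : 'rejected';
}
```

Only the first case is accepted. A real deployment would keep the redeemed nonces in the shared store both domains can reach and purge them once their expiry time has passed.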

