Posted to modperl@perl.apache.org by James G Smith <JG...@TAMU.Edu> on 2004/03/24 18:26:59 UTC

Re: Ticket-based access control across multiple domains?

Larry Leszczynski <la...@emailplus.org> wrote:
>Hi all -
>
>I've been looking into designs for a mod_perl cookie-based "single
>sign-on" kind of authentication system that would use a central
>authentication server across multiple products.  I've been looking at
>things like Apache::TicketAccess, Apache::AuthTicket, Authen::Ticket,
>etc., but they all appear to be designed around generating cookies for a
>single domain, while in my case I've got products in multiple domains,
>e.g.:
>   product1.domain.com
>   product2.domain.com
>   product3.otherdomain.com

One reason Authen::Ticket only works with a single top-level domain
is due to the nature of cookies and HTTP -- the domain for a cookie
must have at least one dot in it (at least if .edu, .com, .net, etc.
- not sure about country-specific domains).  At the time, I didn't
know how to do it differently (and still don't, really, but figure
there must be a way if Microsoft's Passport works).

>Does anyone know of existing modules out there that might do what I need,
>or have general ideas on how to approach the problem?

One other way to do it is to look at Shibboleth (federated
authorization):

    http://shibboleth.internet2.edu/

It's not written in Perl, but I (for one) would probably welcome a
Perl implementation :)

The way to handle authentication with this: if a person is
authorized, they have authenticated to the central service;
shibboleth allows the client (of shibboleth - your server) to
require the identity of the person in order for that person to access
the service.  These two things together give you authentication
without requiring any server to know the password other than the
shibboleth server.

Shibboleth might be overkill for what you want.
-- 
James Smith <JG...@TAMU.Edu>, 979-862-3725
Texas A&M CIS Operating Systems Group, Unix
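The cookie-domain limit discussed above is normally worked around by not sharing the cookie at all: the central authentication host hands the product host a short-lived, signed ticket (for example in a redirect query parameter), the product host verifies it, and only then sets its own domain-scoped cookie. The following Perl is an added illustration of that ticket step and is not code from the original post, from Authen::Ticket or from Shibboleth; the shared secret, the 60-second lifetime, the `|`-delimited payload layout and the `issue_ticket`/`verify_ticket` names are all assumptions made for the example (the host names are the ones from Larry's message).

```perl
#!/usr/bin/perl
# Added example, not the original post's code: a minimal signed, expiring
# ticket bound to one target host, issued by a central authentication server
# and verified by a product host in a different DNS domain.
use strict;
use warnings;
use Digest::SHA  qw(hmac_sha256_hex);
use MIME::Base64 qw(encode_base64 decode_base64);

# Secret shared between the central server and every product host.
# Constructed placeholder; in practice load it from a file only root can read.
my $SECRET = 'replace-with-a-long-random-secret';

# Ticket lifetime in seconds. Kept short because the ticket travels in a URL
# and will end up in proxy and server logs.
my $TTL = 60;

# issue_ticket($user, $target_host [, $now]) -> URL-safe ticket string
# Payload is "user|host|expiry" with an HMAC-SHA256 over it (assumed layout).
sub issue_ticket {
    my ($user, $target_host, $now) = @_;
    $now //= time;
    die "field contains delimiter" if "$user$target_host" =~ /\|/;
    my $expires = $now + $TTL;
    my $payload = join '|', $user, $target_host, $expires;
    my $mac     = hmac_sha256_hex($payload, $SECRET);
    my $ticket  = encode_base64("$payload|$mac", '');
    $ticket =~ tr{+/=}{-_}d;            # URL-safe alphabet, padding dropped
    return $ticket;
}

# verify_ticket($ticket, $my_host [, $now]) -> user name, or undef on reject
# Rejects a bad MAC, a ticket meant for another host, and an expired ticket.
sub verify_ticket {
    my ($ticket, $my_host, $now) = @_;
    $now //= time;
    (my $b64 = $ticket) =~ tr{-_}{+/};
    $b64 .= '=' x ((4 - length($b64) % 4) % 4);   # restore base64 padding
    my $raw = decode_base64($b64);
    my ($user, $host, $expires, $mac) = split /\|/, $raw, 4;
    return undef unless defined $mac;
    my $expected = hmac_sha256_hex(join('|', $user, $host, $expires), $SECRET);
    return undef unless _const_eq($mac, $expected);   # check MAC first
    return undef unless $host eq $my_host;            # bound to this host
    return undef unless $expires =~ /^\d+$/ && $expires > $now;
    return $user;
}

# Constant-time string comparison so MAC checking does not leak by timing.
sub _const_eq {
    my ($x, $y) = @_;
    return 0 unless length($x) == length($y);
    my $diff = 0;
    $diff |= ord(substr $x, $_, 1) ^ ord(substr $y, $_, 1)
        for 0 .. length($x) - 1;
    return $diff == 0;
}

# Demo when run directly: the ticket is accepted only by the host it was
# issued for, and only while it is fresh.
if (!caller) {
    my $t = issue_ticket('larry', 'product3.otherdomain.com');
    printf "product3 now    : %s\n",
        verify_ticket($t, 'product3.otherdomain.com') // 'rejected';
    printf "product1 now    : %s\n",
        verify_ticket($t, 'product1.domain.com') // 'rejected';
    printf "product3 later  : %s\n",
        verify_ticket($t, 'product3.otherdomain.com', time + $TTL + 1) // 'rejected';
}
```

In a mod_perl handler the product host would call `verify_ticket` on the query parameter, and on success issue its own session cookie with a `Domain` attribute inside its own DNS domain, so no cookie ever has to cross from `domain.com` to `otherdomain.com`. If replay of a leaked ticket within the 60-second window is a concern, the product host should also record each ticket it has redeemed and refuse to accept the same one twice.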
