Authentication - How to adapt to Single Sign On Environment (siteminder)

123 views
Skip to first unread message

Sascha Boch

unread,
Feb 7, 2012, 6:41:55 AM2/7/12
to pylons-devel
Dear group,

I am working on an application that will be used in an environment
that uses a 3rd party product for authentication of all web
applications. Therefore I need to make my pyramid app accept the sign-
on credential from the Siteminder webagent. The webagent is a plug-in
for Apache that intercepts all interactions with the webserver. When a
user browser logs in on a separate page and submits a valid secure
Siteminder cookie (maintained by siteminder) the webagent will create
a customer http header that the user never sees but the webserver
does. The variable name is HTTP_SSE_USER. This header variable
contains the logon user ID of the user.

What is the smartest way of setting up my pyramid app so that the user
is acknowledged as logged in through siteminder? I guess I need to
check for the HTTP_SSE_USER variable somewhere. But where exactly
could this be done?

Thanks in advance,
Sascha

Michael Merickel

unread,
Feb 7, 2012, 10:53:28 AM2/7/12
to pylons...@googlegroups.com
This would be done in "unauthenticated_userid" of a custom authentication policy. You just need to follow the interface described here:

http://docs.pylonsproject.org/projects/pyramid/en/1.3-branch/narr/security.html#creating-your-own-authentication-policy

On a side note, your apache plugin should be using environ['REMOTE_USER']. Using a custom http header could be dangerous, although hopefully the plugin would remove the header before setting its own.


--
You received this message because you are subscribed to the Google Groups "pylons-devel" group.
To post to this group, send email to pylons...@googlegroups.com.
To unsubscribe from this group, send email to pylons-devel...@googlegroups.com.
For more options, visit this group at http://groups.google.com/group/pylons-devel?hl=en.


Reply all
Reply to author
Forward
0 new messages