Reflection around SPNEGO authentication and external IDP

Julien Gribonvald

Jun 28, 2016, 6:55:38 AM
to cas-...@apereo.org
Hi,

In the ESUP consortium we are looking at possible use cases for
integrating the new French government central "identity provider",
which French administrations' services will be able to integrate to
authenticate all French people on their apps (FranceConnect, which uses
the OpenID Connect protocol).

So we know it's possible to integrate it without too much difficulty;
we only need to use this service as an authentication handler, but we
have some workflow to develop. Our problems aren't with web
authentication but with computer authentication (when using
SPNEGO/Kerberos...).

What can we do when the account's principals (login/password) are not
known "locally"? In this case, what should we do? Or how can we delegate
the computer authentication to a web-only external service?
Is there a way, or is it possible, to log the user in from a web access
when the user logs in from a computer?

Reflections are also welcome for such a use case!

Thanks,
--
Julien Gribonvald

Misagh Moayyed

Jun 28, 2016, 5:55:44 PM
to cas-...@apereo.org
I am not sure I am entirely clear on your use case. You want to implement
"computer auth" or domain-based AuthN via FrenchConnect's OIDC support?

To answer your other questions: authentication can always be delegated to an
external provider, such as another CAS server, a SAML2 IDP, an OIDC/OpenID
provider, FB, Twitter, G+, etc. These are web-based, not domain-based. There
is no straightforward way to do this. In a nutshell, and as a first step, you
need to know which OIDC profiles FrenchConnect supports. If they support
implicit or hybrid, we can talk more. Otherwise, this is probably not
possible without a whole lot of pain, assuming I have understood your case
correctly.