Using ssoproxy.py from the GSA Admin Toolkit

0 views
Skip to first unread message

Matt Snyder

unread,
Nov 4, 2009, 3:22:38 PM11/4/09
to Google Search Appliance/Google Mini - Google Search Appliance/Google Mini
This is not a question yet, I'm just writing to give my experience
using ssoproxy.py to try to get the GSA to crawl content in an
environment with the CAS SSO. CAS is an open source SSO, so it should
be possible to crack this eventually, but I have not looked at the
code yet.

The main unique feature of CAS is that there is a URL parameter,
called ticket, which is involved in every authentication transaction,
and the ticket is temporary, it changes with every transaction. CAS
is designed to work, albeit poorly, in an environment with cookies
disabled, so the contribution of cookies is optional. Without
cookies, the user has to log in repeatedly, so it's not very useful,
but it does work, by virtue of this URL parameter. But the URL
parameter interferes with the GSA's forms authentication wizard.

My first attempt to use ssoproxy didn't work, but I'll keep trying.
From LiveHTTPHeaders, here is what the login post looks like:

POST /cas-server-webapp-3.3.3/login?service=http%3A%2F%2Fstsd-
vm11.sharepointlab.net%3A8080%2Fc%2Fportal%2Flogin HTTP/1.1
Host: stsd-vm04.sharepointlab.net:8080
User-Agent: Mozilla/5.0 (Macintosh; U; PPC Mac OS X Mach-O; en-US; rv:
1.8.1.20) Gecko/20081217 Firefox/2.0.0.20
Accept: text/xml,application/xml,application/xhtml+xml,text/
html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 300
Connection: keep-alive
Referer:
http://stsd-vm04.sharepointlab.net:8080/cas-server-webapp-3.3.3/login?service=http%3A%2F%2Fstsd-vm11.sharepointlab.net%3A8080%2Fc%2Fportal%2Flogin
Cookie: JSESSIONID=12D2FDCB3B544B22B0B2621BEAE5FFA8
Content-Type: application/x-www-form-urlencoded
Content-Length: 136
username=matt&password=matt&lt=_cF88D06D7-53DB-0298-8B29-82CE9F65F96F_kEAE68988-
F26E-AB98-E50D-860723175DCE&_eventId=submit&submit=LOGIN
HTTP/1.x 302 Moved Temporarily
Server: Apache-Coyote/1.1
Pragma: no-cache
Expires: Thu, 01 Jan 1970 00:00:00 GMT
Cache-Control: no-cache, no-store
Set-Cookie: CASPRIVACY=; Expires=Thu, 01-Jan-1970 00:00:10 GMT; Path=/
cas-server-webapp-3.3.3
Set-Cookie: CASTGC=TGT-9-
P5Ld17K9LLvjTa2pxetO66T5QI4ZaQyEOXZ2nzLY3nmXNbey6c-cas; Path=/cas-
server-webapp-3.3.3; Secure
Location: http://stsd-vm11.sharepointlab.net:8080/c/portal/login?ticket=ST-9-Qyd9OqxeqADIm0DjjX4a-cas
Content-Language: en-US
Content-Length: 0
Date: Wed, 04 Nov 2009 19:24:31 GMT

There are two cookies returned, CASPRIVACY and CASTGC.

Note that the POST includes a parameter lt, with a long string of
characters, and this is embedded in the login form as a hidden input
field, and apparently it changes with every transaction. If it's
important, and I'm sure it is, then I have to modify ssoproxy.py to
GET the login for, and grab that parameter out, to send back. In the
meantime, I can manually copy/pasted it into ssoproxy.py for a one-
time test.

Also, notice the ticket parameter in the redirect url, CAS adds that,
so I'll have to get ssoproxy to copy it.

ssoproxy.py sends this post data

username=matt&lt=_cBE4B69E2-9322-210A-134A-9971E9750009_kE4821F20-4E4A-
D866-64C3-E056F798DD50&password=matt&submit=LOGIN&_eventId=submit

but it redirects back to the login page, and does not return cookies.
So something is missing.

Reply all
Reply to author
Forward
0 new messages