[ProjectSCZ-FIAM] PAM WEB SSO: SSH to resource > get presented a link > click it > browser opened > sign in at institution > signed in on SSH resource

Martin van Es martin at surfnet.nl
Wed Jul 4 12:05:19 CEST 2018


Hi,

PAM WebSSO is bound to both PAM and OpenSSH restrictions. I configured WebSSO
to be a 'sufficient' authentication method.

Reading your question I just made some minor changes to speed up fall-through 
if the user does not want to login using WebSSO, but it has a catch:

1. I can't differentiate between users wanting to authenticate using SAML or 
publicKey/password based on username. So once enabled everybody sees the URL 
challenge prompt.

2. I can't disable having to press <enter> to continue, but this is good news!
I now changed the code to fall through to the next SSH auth method (pubkey/pass) if
<enter> is hit before SAML auth has taken place. But even then the user still
has to press <enter> after SAML login to continue.

So the message I can display is confusing to say the least.

It was:

Visit https://pam.scz-vm.net/login/CprpGTLn to login
and press <enter> to continue

Before now, it didn't matter when the user pressed enter. Now it does, so I 
changed it to:

Visit https://pam.scz-vm.net/login/CprpGTLn to login
or press <enter> to continue

Which invites the user to press <enter> to continue logging in using a different
auth method. But the user still needs to press <enter> after successful SAML
login. There is no way I can nudge SSH to go on when SAML auth succeeded.

Does this make sense?

Best regards,
Martin

On Wednesday, July 4, 2018 10:21:44 AM CEST M.A.Santcroos at lumc.nl wrote:
> Hi Raoul, et al,
> 
> Neat! Gerben had already mentioned it, good to see it in practice :-)
> 
> I definitely see value in this as a low barrier entry!
> Can it be combined with “regular” ssh keys through ldap though? For more
> regular and/or advanced usage I can imagine it can become a burden.
> 
> Thanks
> 
> Gr,
> 
> Mark
> 
> 
> 
> > On 3 Jul 2018, at 13:38, Raoul Teeuwen <raoul.teeuwen at surfnet.nl> wrote:
> > 
> > Hi all.
> > 
> >  
> > 
> > Just want to share a short video of a brand new feature I think is super
> > cool and useful (let me know if you think otherwise) on how the SCZ
> > supports federative authentication on SSH:
> > https://wiki.surfnet.nl/display/SCZ/PAM+Module?preview=/79298721/82214961/pam-websso.mp4 .
> > More of how this works is documented at
> > https://wiki.surfnet.nl/display/SCZ/PAM+Module .
> 
> >  
> > 
> > Btw, if you haven’t heard or read about a new feature of SCZ 0.5 we’re
> > currently running: LSC (ldap synchronization connector). From the project
> > page: “The main goal is to provide a simple and efficient way of
> > synchronizing any data source to a LDAP directory quickly”. It gives us
> > lots of options and flexibility to sync the SCZ LDAP with local LDAPs.
> > Check out https://lsc-project.org/doku.php for more on LSC.
> 
> >  
> > 
> > Kindest regards,
> > 
> > Raoul Teeuwen
> > 
> >  
> > 
> > SURFnet | Productmanager Trust & Identity | Kantoren Hoog Overborch (Hoog
> > Catharijne) | Moreelsepark 48 - 3511 EP Utrecht | tel:0887873496 |
> > tel:+31641195989 | raoul.teeuwen at surfnet.nl | www.surfnet.nl |
> > www.surf.nl/route
> 
> >  
> > 
> > _______________________________________________
> > ProjectSCZ-FIAM mailing list
> > ProjectSCZ-FIAM at list.surfnet.nl
> > https://list.surfnet.nl/mailman/listinfo/projectscz-fiam
> 
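The 'sufficient' control flag Martin mentions above is what makes the fall-through work at the PAM level. The following is an added example, not code from the thread or from the SCZ PAM module: a small simulation of the Linux-PAM auth-stack control semantics (required, requisite, sufficient, optional) with a stand-in WebSSO module that behaves as Martin describes, so the difference between marking pam_websso.so 'sufficient' and 'required' can be seen directly. The module names, the assumed /etc/pam.d/sshd stack, the login URL and the module decision logic are all assumptions made for illustration.

```python
"""Linux-PAM auth-stack simulation: why a WebSSO module configured as
'sufficient' lets a user fall through to the password module.

Constructed example. Module names, the stack, the URL and the way the
WebSSO module decides are assumptions, not the SCZ project's code.
"""
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional, Tuple

PAM_SUCCESS = "PAM_SUCCESS"
PAM_AUTH_ERR = "PAM_AUTH_ERR"
PAM_PERM_DENIED = "PAM_PERM_DENIED"   # stack ended without a decisive success


@dataclass
class StackEntry:
    control: str                          # required | requisite | sufficient | optional
    module: str                           # e.g. "pam_websso.so" (assumed name)
    authenticate: Callable[[Dict], str]   # stands in for pam_sm_authenticate()


def evaluate_stack(stack: List[StackEntry], ctx: Dict) -> Tuple[str, List[str]]:
    """Walk an auth stack with the classic Linux-PAM control-flag rules.

    required:   failure is remembered; later modules still run
    requisite:  failure returns immediately
    sufficient: success returns immediately unless an earlier 'required'
                already failed; failure is ignored and the stack continues
    optional:   decides the outcome only if nothing else did
    Returns the final status and the list of modules that actually ran.
    """
    ran: List[str] = []
    first_required_failure: Optional[str] = None
    decisive_success = False
    optional_rc: Optional[str] = None
    for entry in stack:
        rc = entry.authenticate(ctx)
        ran.append(entry.module)
        if rc == PAM_SUCCESS:
            if entry.control in ("required", "requisite"):
                decisive_success = True
            elif entry.control == "sufficient" and first_required_failure is None:
                return PAM_SUCCESS, ran
            elif entry.control == "optional":
                optional_rc = rc
        else:
            if entry.control == "requisite":
                return rc, ran
            if entry.control == "required" and first_required_failure is None:
                first_required_failure = rc
            elif entry.control == "optional":
                optional_rc = rc
            # a failing 'sufficient' module is simply skipped over
    if first_required_failure is not None:
        return first_required_failure, ran
    if decisive_success:
        return PAM_SUCCESS, ran
    if optional_rc is not None:
        return optional_rc, ran
    return PAM_PERM_DENIED, ran


def pam_websso(ctx: Dict) -> str:
    """Simulated WebSSO module (assumed behaviour, modelled on the thread):
    show the login URL through the PAM conversation, block until <enter>,
    then check whether the SAML login for this challenge has completed."""
    ctx.setdefault("prompts", []).append(
        f"Visit {ctx['login_url']} to login or press <enter> to continue")
    # The conversation call returns only when the user hits <enter>; nothing
    # on the browser side can wake the module, which is the limitation above.
    return PAM_SUCCESS if ctx["saml_completed_before_enter"] else PAM_AUTH_ERR


def pam_unix(ctx: Dict) -> str:
    """Simulated password module."""
    ctx.setdefault("prompts", []).append("Password:")
    return PAM_SUCCESS if ctx["password_ok"] else PAM_AUTH_ERR


# Assumed /etc/pam.d/sshd auth section:
#   auth sufficient pam_websso.so
#   auth required   pam_unix.so
SUFFICIENT_STACK = [StackEntry("sufficient", "pam_websso.so", pam_websso),
                    StackEntry("required", "pam_unix.so", pam_unix)]
# Same modules, WebSSO marked 'required': SAML login becomes mandatory.
REQUIRED_STACK = [StackEntry("required", "pam_websso.so", pam_websso),
                  StackEntry("required", "pam_unix.so", pam_unix)]


def login(stack: List[StackEntry], saml_completed_before_enter: bool,
          password_ok: bool) -> Tuple[str, List[str], List[str]]:
    """Run one simulated keyboard-interactive login against a stack."""
    ctx = {"login_url": "https://pam.example.net/login/TOKEN",  # constructed
           "saml_completed_before_enter": saml_completed_before_enter,
           "password_ok": password_ok}
    status, ran = evaluate_stack(stack, ctx)
    return status, ran, ctx["prompts"]


if __name__ == "__main__":
    print("skip SAML, good password:", login(SUFFICIENT_STACK, False, True)[:2])
    print("SAML done, then <enter>:  ", login(SUFFICIENT_STACK, True, False)[:2])
    print("WebSSO 'required', skip:  ", login(REQUIRED_STACK, False, True)[:2])
```

The simulation shows the two consequences Martin describes: everyone sees the URL prompt because pam_websso.so is first in the stack regardless of user, and pressing <enter> before the SAML login has completed makes the module fail, which 'sufficient' turns into a silent skip to pam_unix.so. With 'required' the same keystroke would make the whole keyboard-interactive attempt fail even with a correct password. The hop to a different SSH method (pubkey, password) happens on the sshd side once keyboard-interactive has failed; PAM itself only decides whether the password module is consulted.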