[ProjectSCZ-FIAM] PAM WEB SSO: SSH to resource > get presented a link > click it > browser opened > sign in at institution > signed in on SSH resource
M.A.Santcroos at lumc.nl
Wed Jul 4 16:51:10 CEST 2018
Hi Martin,
Thanks for the clarifications. I think I could live with pressing an extra “enter” generally.
How would the “enter” work in (sftp) gui situations?
Gr,
Mark
> On 4 Jul 2018, at 12:05, Martin van Es <martin at surfnet.nl> wrote:
>
> Hi,
>
> PAM WebSSO is bound to both PAM and OpenSSH restrictions. I configured WebSSO
> to be 'sufficient' authentication method.
>
> Reading your question I just made some minor changes to speed up fall-through
> if the user does not want to login using WebSSO, but it has a catch:
>
> 1. I can't differentiate between users wanting to authenticate using SAML or
> publicKey/password based on username. So once enabled everybody sees the URL
> challenge prompt.
>
> 2. I can't disable having to press <enter> to continue, but this is good news!
> I now changed the code to fall through to the next SSH auth method (pubkey/pass) if
> <enter> is hit before SAML auth has taken place. But even then the user still
> has to press <enter> after SAML login to continue.
>
> So the message I can display is confusing to say the least.
>
> It was:
>
> Visit https://pam.scz-vm.net/login/CprpGTLn to login
> and press <enter> to continue
>
> Before now, it didn't matter when the user pressed enter. Now it does, so I
> changed it to:
>
> Visit https://pam.scz-vm.net/login/CprpGTLn to login
> or press <enter> to continue
>
> Which invites the user to press <enter> to continue logging in using different
> auth method. But, the user still needs to press <enter> after successful SAML
> login. There is no way I can nudge SSH to go on when SAML auth succeeded.
>
> Does this make sense?
>
> Best regards,
> Martin
>
> On Wednesday, July 4, 2018 10:21:44 AM CEST M.A.Santcroos at lumc.nl wrote:
>> Hi Raoul, et al,
>>
>> Neat! Gerben had already mentioned it, good to see it in practice :-)
>>
>> I definitely see value in this as a low barrier entry!
>> Can it be combined with “regular” ssh keys through ldap though? For more
>> regular and/or advanced usage I can imagine it can become a burden.
>
>> Thanks
>>
>> Gr,
>>
>> Mark
>>
>>
>>
>>> On 3 Jul 2018, at 13:38, Raoul Teeuwen <raoul.teeuwen at surfnet.nl> wrote:
>>>
>>> Hi all.
>>>
>>>
>>>
>>> Just want to share a short video of a brand new feature I think is super
>>> cool and useful (let me know if you think otherwise) on how the SCZ
>>> supports federative authentication on SSH:
>>> https://wiki.surfnet.nl/display/SCZ/PAM+Module?preview=/79298721/82214961/pam-websso.mp4 .
>>> More of how this works is documented at
>>> https://wiki.surfnet.nl/display/SCZ/PAM+Module .
>>
>>>
>>>
>>> Btw, if you haven’t heard or read about a new feature of SCZ 0.5 we’re
>>> currently running: LSC (ldap synchronization connector). From the project
>>> page: “The main goal is to provide a simple and efficient way of
>>> synchronizing any data source to a LDAP directory quickly”. It gives us
>>> lots of options and flexibility to sync the SCZ LDAP with local LDAPs.
>>> Check out https://lsc-project.org/doku.php for more on LSC.
>>
>>>
>>>
>>> Kindest regards,
>>>
>>> Raoul Teeuwen
>>>
>>>
>>>
>>> SURFnet | Productmanager Trust & Identity | Kantoren Hoog Overborch (Hoog
>>> Catharijne) | Moreelsepark 48 - 3511 EP Utrecht | tel:0887873496 |
>>> tel:+31641195989 | raoul.teeuwen at surfnet.nl | www.surfnet.nl |
>>> www.surf.nl/route
>>
>>>
>>>
>>> _______________________________________________
>>> ProjectSCZ-FIAM mailing list
>>> ProjectSCZ-FIAM at list.surfnet.nl
>>> https://list.surfnet.nl/mailman/listinfo/projectscz-fiam
>>
>>
>
>
>
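A small model of the PAM stack Martin describes (the WebSSO module configured as 'sufficient', falling through to the next method if <enter> is hit before the SAML login has happened, and every user seeing the URL prompt). This is an added illustration written for this archive page, not the SCZ pam-websso module's own code: the module and function names, the Session fields, the 'required' password module behind it and the sample password are all assumptions; only the URL shape and the prompt wording come from the thread.

```python
"""Model of an SSH/PAM auth stack with a 'sufficient' WebSSO module.

Illustrative only (not the SCZ pam-websso code): module names, the
Session record and the password check are assumptions made for this
example. The URL shape and prompt text follow the mailing-list thread.
"""
from dataclasses import dataclass, field
from enum import Enum


class Result(Enum):
    SUCCESS = "PAM_SUCCESS"
    AUTH_ERR = "PAM_AUTH_ERR"


@dataclass
class Session:
    """Constructed per-login state (hypothetical field names)."""
    token: str                  # the random path element in the login URL
    saml_done: bool = False     # set by the web side once the IdP login completed
    conversation: list = field(default_factory=list)  # prompts shown to the user


LOGIN_BASE = "https://pam.scz-vm.net/login/"   # URL shape quoted in the thread


def websso_authenticate(sess, read_line):
    """Hypothetical model of the module's decision logic.

    Every user gets the URL challenge (the module cannot tell SAML users
    from pubkey/password users by name). The conversation blocks until
    <enter>; only if SAML finished before that does the module succeed,
    otherwise it fails so the 'sufficient' control falls through.
    """
    sess.conversation.append(
        f"Visit {LOGIN_BASE}{sess.token} to login\nor press <enter> to continue"
    )
    read_line()                        # blocks until the user presses <enter>
    return Result.SUCCESS if sess.saml_done else Result.AUTH_ERR


def password_authenticate(sess, read_line, expected="hunter2"):
    """Stand-in for the next module in the stack (e.g. a password check).
    The expected password is a constructed sample value."""
    sess.conversation.append("Password:")
    return Result.SUCCESS if read_line() == expected else Result.AUTH_ERR


def run_stack(stack, sess, read_line):
    """Simplified evaluator for the 'sufficient' and 'required' control flags:
    a successful 'sufficient' module ends the stack immediately (unless an
    earlier 'required' module already failed); a failed 'required' module
    makes the whole stack fail but later modules still run."""
    failed = False
    succeeded = False
    for control, module in stack:
        r = module(sess, read_line)
        if r is Result.SUCCESS:
            if control == "sufficient" and not failed:
                return Result.SUCCESS
            succeeded = True
        elif control == "required":
            failed = True
    return Result.SUCCESS if succeeded and not failed else Result.AUTH_ERR


def simulate(browser_login_first, typed_lines):
    """Run one login attempt.

    browser_login_first: the user opens the URL and completes the IdP login
    before returning to the terminal and pressing <enter>.
    typed_lines: constructed terminal input, one entry per prompt.
    Returns (stack result, list of prompts the user saw).
    """
    sess = Session(token="CprpGTLn")
    lines = iter(typed_lines)

    def read_line():
        # The first read is the <enter> after the WebSSO prompt; if the user
        # did the browser login first, the web side has marked it done by then.
        if browser_login_first and not sess.saml_done:
            sess.saml_done = True
        return next(lines)

    stack = [("sufficient", websso_authenticate),
             ("required", password_authenticate)]
    return run_stack(stack, sess, read_line), sess.conversation


if __name__ == "__main__":
    print(simulate(True, [""]))                 # SAML first: no password prompt
    print(simulate(False, ["", "hunter2"]))     # <enter> at once: falls through
    print(simulate(False, ["", "wrong"]))       # fallback fails: login denied
```

The point Martin makes about the prompt wording shows up in the model: the conversation always starts with the URL challenge, and pressing <enter> is both the way to finish a completed SAML login and the way to skip to the next method, so the module only learns which one the user meant by checking the session state after the key press.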