[ProjectSCZ-FIAM] PAM WEB SSO: SSH to resource > get presented a link > click it > browser opened > sign in at institution > signed in on SSH resource

M.A.Santcroos at lumc.nl M.A.Santcroos at lumc.nl
Wed Jul 4 16:51:10 CEST 2018


Hi Martin,

Thanks for the clarifications. I think I could live with pressing an extra “enter” generally.

How would the “enter” work in (sftp) gui situations?

Gr,

Mark

> On 4 Jul 2018, at 12:05, Martin van Es <martin at surfnet.nl> wrote:
> 
> Hi,
> 
> PAM WebSSO is bound to both PAM and OpenSSH restrictions. I configured WebSSO 
> to be 'sufficient' authentication method. 
> 
> Reading your question I just made some minor changes to speed up fall-through 
> if the user does not want to login using WebSSO, but it has a catch:
> 
> 1. I can't differentiate between users wanting to authenticate using SAML or 
> publicKey/password based on username. So once enabled everybody sees the URL 
> challenge prompt.
> 
> 2. I can't disable having to press <enter> to continue, but this is good news! 
> I now changed the code to fall-through to next SSH auth method (pubkey/pass) if 
> <enter> is hit before SAML auth has taken place. But even then the user still 
> has to press <enter> after SAML login to continue.
> 
> So the message I can display is confusing to say the least.
> 
> It was:
> 
> Visit https://pam.scz-vm.net/login/CprpGTLn to login
> and press <enter> to continue
> 
> Before now, it didn't matter when the user pressed enter. Now it does, so I 
> changed it to:
> 
> Visit https://pam.scz-vm.net/login/CprpGTLn to login
> or press <enter> to continue
> 
> Which invites the user to press <enter> to continue logging in using different 
> auth method. But, the user still needs to press <enter> after successful SAML 
> login. There is no way I can nudge SSH to go on when SAML auth succeeded.
> 
> Does this make sense?
> 
> Best regards,
> Martin
> 
> On Wednesday, July 4, 2018 10:21:44 AM CEST M.A.Santcroos at lumc.nl wrote:
>> Hi Raoul, et al,
>> 
>> Neat! Gerben had already mentioned it, good to see it in practice :-)
>> 
>> I definitely see value in this as a low barrier entry!
>> Can it be combined with “regular” ssh keys through ldap though? For more
>> regular and/or advanced usage I can imagine it can become a burden.
> 
>> Thanks
>> 
>> Gr,
>> 
>> Mark
>> 
>> 
>> 
>>> On 3 Jul 2018, at 13:38, Raoul Teeuwen <raoul.teeuwen at surfnet.nl> wrote:
>>> 
>>> Hi all.
>>> 
>>> 
>>> 
>>> Just want to share a short video of a brand new feature I think is super
>>> cool and useful (let me know if you think otherwise) on how the SCZ
>>> supports federative authentication on SSH:
>>> https://wiki.surfnet.nl/display/SCZ/PAM+Module?preview=/79298721/82214961
>>> /pam-websso.mp4 . More of how this works is documented at
>>> https://wiki.surfnet.nl/display/SCZ/PAM+Module .
>>> 
>>> Btw, if you haven’t heard or read about a new feature of SCZ 0.5 we’re
>>> currently running: LSC (ldap synchronization connector). From the project
>>> page: “The main goal is to provide a simple and efficient way of
>>> synchronizing any data source to a LDAP directory quickly”. It gives us
>>> lots of options and flexibility to sync the SCZ LDAP with local LDAPs.
>>> Check out https://lsc-project.org/doku.php for more on LSC.
>>> 
>>> Kindest regards,
>>> 
>>> Raoul Teeuwen
>>> 
>>> 
>>> 
>>> SURFnet | Productmanager Trust & Identity | Kantoren Hoog Overborch (Hoog
>>> Catharijne) | Moreelsepark 48 - 3511 EP Utrecht | tel:0887873496 |
>>> tel:+31641195989 | raoul.teeuwen at surfnet.nl | www.surfnet.nl |
>>> www.surf.nl/route
>>> 
>>> _______________________________________________
>>> ProjectSCZ-FIAM mailing list
>>> ProjectSCZ-FIAM at list.surfnet.nl
>>> https://list.surfnet.nl/mailman/listinfo/projectscz-fiam
> 
> 
> 
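To make the 'sufficient' fall-through Martin describes concrete, here is an added Python model (not the pam-websso project's code) of how a PAM auth stack treats a WebSSO module marked sufficient: the module reports success only if the SAML login already completed when <enter> was pressed, otherwise the stack falls through to the next module. It assumes a /etc/pam.d/sshd stack of pam_websso (sufficient) followed by pam_unix (required); sshd's own fallback to public-key authentication happens outside PAM and is not modelled.

```python
from enum import Enum

class Result(Enum):
    SUCCESS = "success"    # PAM_SUCCESS
    AUTH_ERR = "auth_err"  # PAM_AUTH_ERR

def websso_auth(saml_completed: bool) -> Result:
    """Stand-in for the WebSSO module's conversation (assumed behaviour):
    the user sees 'Visit <url> to login or press <enter> to continue', and
    when <enter> arrives the module can only report what it knows then:
    success if the SAML login already completed, otherwise failure so that
    'sufficient' lets the stack fall through to the next module."""
    return Result.SUCCESS if saml_completed else Result.AUTH_ERR

def run_auth_stack(stack, outcomes):
    """Evaluate a PAM 'auth' stack with the 'required'/'sufficient' flags.
    stack: (control, module) pairs in /etc/pam.d order;
    outcomes: module -> Result it returns for this login attempt."""
    required_failed = required_passed = False
    for control, module in stack:
        result = outcomes[module]
        if control == "sufficient":
            # Success ends the stack at once, unless an earlier 'required'
            # module already failed; a failure here is simply ignored.
            if result is Result.SUCCESS and not required_failed:
                return Result.SUCCESS
        elif control == "required":
            # Failure is remembered, but later modules still run.
            if result is Result.SUCCESS:
                required_passed = True
            else:
                required_failed = True
        else:
            raise ValueError(f"unsupported control flag: {control}")
    if required_failed or not required_passed:
        return Result.AUTH_ERR
    return Result.SUCCESS

# Assumed /etc/pam.d/sshd layout: WebSSO first as 'sufficient', then the
# usual password check as 'required'.
SSHD_AUTH_STACK = [("sufficient", "pam_websso"), ("required", "pam_unix")]

def ssh_login(saml_completed: bool, password_ok: bool) -> Result:
    """Outcome of one keyboard-interactive login under SSHD_AUTH_STACK."""
    outcomes = {
        "pam_websso": websso_auth(saml_completed),
        "pam_unix": Result.SUCCESS if password_ok else Result.AUTH_ERR,
    }
    return run_auth_stack(SSHD_AUTH_STACK, outcomes)
```

Pressing <enter> before the SAML login finishes therefore only works as a fall-through because the module returns a failure that 'sufficient' ignores; the password module then decides the outcome.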