Web Images Videos Maps News Groups Gmail more »
Recently Visited Groups | Help | Sign in
Google Groups Home
ESOE Users
+ new post
Home
About this group
Join this group
Getting the big picture
Options
There are currently too many topics in this group that display first. To make this topic appear first, remove this option from another topic.
There was an error processing your request. Please try again.
flag
   4 messages - Collapse all  -  Translate all to Translated (View all originals)
The group you are posting to is a Usenet group. Messages posted to this group will make your email address visible to anyone on the Internet.
Your reply message has not been sent.
Your post was successful
 
From:
To:
Cc:
Followup To:
Add Cc | Add Followup-to | Edit Subject
Subject:
Validation:
For verification purposes please type the characters you see in the picture below or the numbers you hear by clicking the accessibility icon. Listen and type the numbers you hear
 
Phil Gates  
View profile  
 More options Sep 26 2008, 12:36 pm
From: Phil Gates <noemailspa...@gmail.com>
Date: Thu, 25 Sep 2008 19:36:52 -0700 (PDT)
Local: Fri, Sep 26 2008 12:36 pm
Subject: Getting the big picture
Reply to author | Forward | Print | Individual message | Show original | Report this message | Find messages by this author
I'm currently looking into implementing SSO for a wide range of web
sites such as Blackboard, Google Apps, Outlook Web Access and a
growing number of in house Ruby on Rails sites. These sites are
accessed both internally and externally by staff/students with AD
accounts and parents/agents with login details stored in various
databases. We are wanting to pull all this together and present it
within the Blackboard portal system. ESOE looks like it may have the
feature set required to bring all this together.

I'm assuming that you require an appropriate SPEP instance for each
application server technology eg java, apache and IIS. Do you also
require separate instances for each different security scenario or is
this governed by the Service Authorization Policy for each service/
website?

I'm just trying to piece together the big picture of how the various
components work and flow together. (sorry about the format, may
require wide screen)

1 User's first access to a protected site
Browser         =>   Application Server              SPEP            ESOE            LDAP/DB
2 Application Server redirects to SPEP
Browser                 Application Server      =>   SPEP            ESOE            LDAP/DB
2a Uses integrated authentication if available
or 2b SPEP displays login screen
Browser         <=   Application Server      <=   SPEP            ESOE            LDAP/DB
3 SPEP validates with ESOE
Browser                 Application Server              SPEP    =>   ESOE            LDAP/DB
4 ESOE validates against the appropriate data source
Browser                 Application Server              SPEP            ESOE    <=>       LDAP/DB
5 ESOE returns session ticket to SPEP
Browser                 Application Server              SPEP    <=   ESOE            LDAP/DB
6 SPEP returns session ticket to Application Server
Browser                 Application Server      <=   SPEP            ESOE            LDAP/DB
7 Application Server begins user session based on details in session
ticket
8 Application returns session ticket to browser
Browser         <=   Application Server              SPEP            ESOE            LDAP/DB
9 Browser stores session ticket as cookie
Browser                 Application Server              SPEP            ESOE            LDAP/DB

1 User's subsequent access to a protected site with ticket
Browser         =>   Application Server              SPEP            ESOE            LDAP/DB
2 Application Server validates ticket with SPEP
Browser                 Application Server      =>   SPEP            ESOE            LDAP/DB
3 SPEP validates ticket with ESOE
Browser                 Application Server              SPEP    <=>       ESOE            LDAP/DB
4 SPEP returns validated to Application Server
Browser                 Application Server      <=   SPEP            ESOE            LDAP/DB
5 Application returns content to browser
Browser         <=   Application Server              SPEP            ESOE            LDAP/DB

1 User logs off one site
Browser         =>   Application Server              SPEP            ESOE            LDAP/DB
2 Application Server invalidates ticket with SPEP
Browser                 Application Server      =>   SPEP            ESOE            LDAP/DB
3 SPEP invalidates ticket with ESOE
Browser                 Application Server              SPEP    <=>       ESOE            LDAP/DB
4 SPEP returns in validated to Application Server
Browser                 Application Server      <=   SPEP            ESOE            LDAP/DB
5 Application server ends user session

1 User accesses another protected site with ticket
Browser         =>   Application Server              SPEP            ESOE            LDAP/DB
2 Application Server validates ticket with SPEP
Browser                 Application Server      =>   SPEP            ESOE            LDAP/DB
3 SPEP validates ticket with ESOE
Browser                 Application Server              SPEP    =>   ESOE            LDAP/DB
4 ESOE returns invalidated to SPEP
Browser                 Application Server              SPEP    =>   ESOE            LDAP/DB
5 SPEP returns invalidated to Application Server
Browser                 Application Server      <=   SPEP            ESOE            LDAP/DB
6 Application server ends user session
9 Application server instructs browser to destroy session ticket
Browser         <=   Application Server              SPEP            ESOE            LDAP/DB

Cheers,

Phillip


    Reply to author    Forward  
You must Sign in before you can post messages.
To post a message you must first join this group.
Please update your nickname on the subscription settings page before posting.
You do not have the permission required to post.
Bradley Beddoes  
View profile  
 More options Sep 26 2008, 2:09 pm
From: Bradley Beddoes <bedd...@intient.com>
Date: Fri, 26 Sep 2008 14:09:44 +1000
Local: Fri, Sep 26 2008 2:09 pm
Subject: Re: [esoe-users] Getting the big picture
Reply to author | Forward | Print | Individual message | Show original | Report this message | Find messages by this author

Hi Phil,
Sounds like a large interesting project.

There is essentially a 1:1 mapping between SPEP and application (though
you can configure a single SPEP to reside over multiple WAR files in a
tomcat instance for example). Each SPEP instance can then have multiple
policy files to enforce access constraints as required.

Your flows are almost correct. However SPEP does no local
authentication, nor does it pass on a ticket to the application, it
physically sits in the request path and does validation on your behalf.

Also a user authenticates to the core ESOE system once per browser
session, via integrated authentication, user/pass, token or whatever you
choose. The first visit to any SPEP instance invokes a SAML exchange
between the SPEP instance and core ESOE deployment. This creates a new
session for the SPEP and does identity attribute transfer.

Logoff also is global, we call this Single Logout. You log out of one
application and your logged out of them all.

Does that assist ?

regards,
Bradley

--
Bradley Beddoes
Lead Software Architect
Intient Pty Ltd

http://www.intient.com

  beddoes.vcf
< 1K Download

    Reply to author    Forward  
You must Sign in before you can post messages.
To post a message you must first join this group.
Please update your nickname on the subscription settings page before posting.
You do not have the permission required to post.
Phil Gates  
View profile  
 More options Nov 3 2008, 11:16 am
From: Phil Gates <noemailspa...@gmail.com>
Date: Sun, 2 Nov 2008 16:16:23 -0800 (PST)
Local: Mon, Nov 3 2008 11:16 am
Subject: Re: Getting the big picture
Reply to author | Forward | Print | Individual message | Show original | Report this message | Find messages by this author
I have installed ESOE on a test server but I am having issues getting
into the service manager. It is authenticating correctly using either
LDAP or SPNEGO, but isn't redirecting and doesn't appear to be
creating any cookies. The only error messages I can see in the logs
are:

2008-10-30 10:55:14,782 DEBUG
com.qut.middleware.spep.filter.Initializer - Got SPEP object. Class
is: com.qut.middleware.spep.impl.SPEPProxyImpl. Creating proxy.
2008-10-30 10:55:14,784 DEBUG
com.qut.middleware.spep.filter.proxy.GenericObjectInvocationHandler -
Calling com.qut.middleware.spep.SPEPProxy method isStarted(0 args).
Target type is com.qut.middleware.spep.impl.SPEPProxyImpl
2008-10-30 10:55:14,784 DEBUG
com.qut.middleware.spep.filter.proxy.GenericObjectInvocationHandler -
Returned type is java.lang.Boolean. Trying to auto-proxy
2008-10-30 10:55:14,784 DEBUG
com.qut.middleware.spep.filter.proxy.GenericObjectInvocationHandler -
Resolved class to local class name: java.lang.Boolean. Class loader:
couldn't get classloader name
2008-10-30 10:55:14,785 DEBUG
com.qut.middleware.spep.filter.proxy.GenericObjectInvocationHandler -
Calling com.qut.middleware.spep.SPEPProxy method isLazyInit(0 args).
Target type is com.qut.middleware.spep.impl.SPEPProxyImpl
2008-10-30 10:55:14,785 DEBUG
com.qut.middleware.spep.filter.proxy.GenericObjectInvocationHandler -
Returned type is java.lang.Boolean. Trying to auto-proxy
2008-10-30 10:55:14,785 DEBUG
com.qut.middleware.spep.filter.proxy.GenericObjectInvocationHandler -
Resolved class to local class name: java.lang.Boolean. Class loader:
couldn't get classloader name
2008-10-30 10:55:14,785 DEBUG
com.qut.middleware.spep.filter.SPEPFilter - Failed all avenues to
provide access to content
2008-10-30 10:55:14,786 DEBUG
com.qut.middleware.spep.filter.proxy.GenericObjectInvocationHandler -
Calling com.qut.middleware.spep.SPEPProxy method getServiceHost(0
args). Target type is com.qut.middleware.spep.impl.SPEPProxyImpl
2008-10-30 10:55:14,786 DEBUG
com.qut.middleware.spep.filter.proxy.GenericObjectInvocationHandler -
Returned type is java.lang.String. Trying to auto-proxy
2008-10-30 10:55:14,786 DEBUG
com.qut.middleware.spep.filter.proxy.GenericObjectInvocationHandler -
Resolved class to local class name: java.lang.String. Class loader:
couldn't get classloader name
2008-10-30 10:55:14,786 DEBUG
com.qut.middleware.spep.filter.proxy.GenericObjectInvocationHandler -
Calling com.qut.middleware.spep.SPEPProxy method getServiceHost(0
args). Target type is com.qut.middleware.spep.impl.SPEPProxyImpl
2008-10-30 10:55:14,786 DEBUG
com.qut.middleware.spep.filter.proxy.GenericObjectInvocationHandler -
Returned type is java.lang.String. Trying to auto-proxy
2008-10-30 10:55:14,786 DEBUG
com.qut.middleware.spep.filter.proxy.GenericObjectInvocationHandler -
Resolved class to local class name: java.lang.String. Class loader:
couldn't get classloader name
2008-10-30 10:55:14,786 DEBUG
com.qut.middleware.spep.filter.proxy.GenericObjectInvocationHandler -
Calling com.qut.middleware.spep.SPEPProxy method getServiceHost(0
args). Target type is com.qut.middleware.spep.impl.SPEPProxyImpl
2008-10-30 10:55:14,786 DEBUG
com.qut.middleware.spep.filter.proxy.GenericObjectInvocationHandler -
Returned type is java.lang.String. Trying to auto-proxy
2008-10-30 10:55:14,786 DEBUG
com.qut.middleware.spep.filter.proxy.GenericObjectInvocationHandler -
Resolved class to local class name: java.lang.String. Class loader:
couldn't get classloader name
2008-10-30 10:55:14,787 DEBUG
com.qut.middleware.spep.filter.proxy.GenericObjectInvocationHandler -
Calling com.qut.middleware.spep.SPEPProxy method getSsoRedirect(0
args). Target type is com.qut.middleware.spep.impl.SPEPProxyImpl
2008-10-30 10:55:14,787 DEBUG
com.qut.middleware.spep.filter.proxy.GenericObjectInvocationHandler -
Returned type is java.lang.String. Trying to auto-proxy
2008-10-30 10:55:14,787 DEBUG
com.qut.middleware.spep.filter.proxy.GenericObjectInvocationHandler -
Resolved class to local class name: java.lang.String. Class loader:
couldn't get classloader name
2008-10-30 10:55:14,787 DEBUG
com.qut.middleware.spep.filter.SPEPFilter - Redirecting to
http://esoe.<site>.<domain>.com/spep/sso?redirectURL=aHR0cDovL2Vzb2Uuc3RyYXRoLmFjZ2Vkd S5jb20vZXNvZW1hbmFnZXIvbWFuYWdlci9pbmRleC5odG0=
to establish secure session

Everything else seems to be running fine.

Settings from esoe.config are

# Domain in which esoe cookie should be available - should NEVER be
set institution wide
sessionDomain=esoe.<site>.<domain>.com

# Domain in which discovery cookie should be available - MUST be set
institution wide
commonDomain=<domain>.com

Can you provide any hints as to how to get this going?

Cheers,

Phillip


    Reply to author    Forward  
You must Sign in before you can post messages.
To post a message you must first join this group.
Please update your nickname on the subscription settings page before posting.
You do not have the permission required to post.
Bradley Beddoes  
View profile  
 More options Nov 3 2008, 11:58 am
From: Bradley Beddoes <bedd...@intient.com>
Date: Mon, 03 Nov 2008 10:58:43 +1000
Local: Mon, Nov 3 2008 11:58 am
Subject: Re: [esoe-users] Re: Getting the big picture
Reply to author | Forward | Print | Individual message | Show original | Report this message | Find messages by this author
Hi Phil,

Does your browser redirect to:
http://esoe.<site>.<domain>.com/spep/sso?redirectURL=aHR0cDovL2Vzb2Uuc3RyYXRoLmFjZ2Vkd S5jb20vZXNvZW1hbmFnZXIvbWFuYWdlci9pbmRleC5odG0=

If so where does the browser end up before it stops? (I assume your
describing a scenario where the browser loop is stalling at some location).

What version of the software are you running?.

regards,
Bradley


    Reply to author    Forward  
You must Sign in before you can post messages.
To post a message you must first join this group.
Please update your nickname on the subscription settings page before posting.
You do not have the permission required to post.
End of messages
« Back to Discussions « Newer topic     Older topic »

Google Groups - Google Home - Terms of Service - Privacy Policy
©2009 Google