Message from discussion
Getting the big picture
MIME-Version: 1.0
Received: by 10.150.49.2 with SMTP id w2mr22152ybw.21.1222396612930; Thu, 25
Sep 2008 19:36:52 -0700 (PDT)
Date: Thu, 25 Sep 2008 19:36:52 -0700 (PDT)
X-IP: 203.152.113.47
User-Agent: G2/1.0
X-HTTP-UserAgent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US)
AppleWebKit/525.13 (KHTML, like Gecko) Chrome/0.2.149.30 Safari/525.13,gzip(gfe),gzip(gfe)
Message-ID: <da1ec9d3-4e82-4305-ae1a-8bfe7ec64e08@p10g2000prf.googlegroups.com>
Subject: Getting the big picture
From: Phil Gates <noemailspa...@gmail.com>
To: ESOE Users <esoe-users@googlegroups.com>
Content-Type: text/plain; charset=ISO-8859-1
Content-Transfer-Encoding: 7bit
I'm currently looking into implementing SSO for a wide range of web
sites such as Blackboard, Google Apps, Outlook Web Access and a
growing number of in house Ruby on Rails sites. These sites are
accessed both internally and externally by staff/students with AD
accounts and parents/agents with login details stored in various
databases. We are wanting to pull all this together and present it
within the Blackboard portal system. ESOE looks like it may have the
feature set required to bring all this together.
I'm assuming that you require an appropriate SPEP instance for each
application server technology eg java, apache and IIS. Do you also
require separate instances for each different security scenario or is
this governed by the Service Authorization Policy for each service/
website?
I'm just trying to piece together the big picture of how the various
components work and flow together. (sorry about the format, may
require wide screen)
1 User's first access to a protected site
Browser => Application Server SPEP ESOE LDAP/DB
2 Application Server redirects to SPEP
Browser Application Server => SPEP ESOE LDAP/DB
2a Uses integrated authentication if available
or 2b SPEP displays login screen
Browser <= Application Server <= SPEP ESOE LDAP/DB
3 SPEP validates with ESOE
Browser Application Server SPEP => ESOE LDAP/DB
4 ESOE validates against the appropriate data source
Browser Application Server SPEP ESOE <=> LDAP/DB
5 ESOE returns session ticket to SPEP
Browser Application Server SPEP <= ESOE LDAP/DB
6 SPEP returns session ticket to Application Server
Browser Application Server <= SPEP ESOE LDAP/DB
7 Application Server begins user session based on details in session
ticket
8 Application returns session ticket to browser
Browser <= Application Server SPEP ESOE LDAP/DB
9 Browser stores session ticket as cookie
Browser Application Server SPEP ESOE LDAP/DB
1 User's subsequent access to a protected site with ticket
Browser => Application Server SPEP ESOE LDAP/DB
2 Application Server validates ticket with SPEP
Browser Application Server => SPEP ESOE LDAP/DB
3 SPEP validates ticket with ESOE
Browser Application Server SPEP <=> ESOE LDAP/DB
4 SPEP returns validated to Application Server
Browser Application Server <= SPEP ESOE LDAP/DB
5 Application returns content to browser
Browser <= Application Server SPEP ESOE LDAP/DB
1 User logs off one site
Browser => Application Server SPEP ESOE LDAP/DB
2 Application Server invalidates ticket with SPEP
Browser Application Server => SPEP ESOE LDAP/DB
3 SPEP invalidates ticket with ESOE
Browser Application Server SPEP <=> ESOE LDAP/DB
4 SPEP returns in validated to Application Server
Browser Application Server <= SPEP ESOE LDAP/DB
5 Application server ends user session
1 User accesses another protected site with ticket
Browser => Application Server SPEP ESOE LDAP/DB
2 Application Server validates ticket with SPEP
Browser Application Server => SPEP ESOE LDAP/DB
3 SPEP validates ticket with ESOE
Browser Application Server SPEP => ESOE LDAP/DB
4 ESOE returns invalidated to SPEP
Browser Application Server SPEP => ESOE LDAP/DB
5 SPEP returns invalidated to Application Server
Browser Application Server <= SPEP ESOE LDAP/DB
6 Application server ends user session
9 Application server instructs browser to destroy session ticket
Browser <= Application Server SPEP ESOE LDAP/DB
Cheers,
|
