Authentication via Proxy

By: Yusuf Bhabhrawala, Project Manager, UCLA Center for Digital Humanities (CDH)

Introduction

This article describes a proposal for building a standardized authentication proxy. This proposal was written before Shibboleth 2.0 (which address many of the limitations from the previous versions). Hence the examples of CDH and Shibboleth should be taken just as that, ie. example. This type of proxy could be implemented fairly quickly by any organization and for any other authentication system as well.

Overview

The model proposed here is very widely used for providing authentication as a service. The model can be summarized using the following diagram:

The user login request is redirected to CDH Auth Proxy along with callback URL.
Since CDH Auth Proxy sits behind Shibboleth, the user is redirected to UCLA Logon page where they can authenticate themselves.
The UCLA Shibboleth IDP redirects the user to CDH Auth Proxy.
CDH Auth Proxy post’s a public token to the callback URL.
The application uses the public token to generate a private token and requests user information from CDH Auth Proxy using it.
CDH Auth Proxy responds with the user information.

The above approach provides a simple authentication model that can be used to implement authentication fairly quickly, develop drag and drop authentication solutions and develop wordpress, joomla, drupal, plone etc. plugins very easily. These can then be used by UCLA Humanities division faculty, students and staff without getting into the details of shibboleth SP implementation.

Technical Details

Shared Secret

The basis of this authentication model is a secret (character string/password) shared between CDH and the application requiring authentication. This shared secret is used for generation of time stamped tokens and token validations. It also ensures that shibboleth cannot be used without some kind of prior approval or record.
Shared secret is specific to a URL. It thus ties the application with its unique shared secret ensuring that tokens are not misused across applications.

Shibboleth Data

CDH will collect and pass only the following information regarding the user:

First Name
Last Name
Email ID
UID
Department Code

This information is already available via UCLA directory and accessible by all.

Public Token

The public token is a message digest generated using the following information:

Email ID
Shared Secret
Time stamp (up to seconds)

This ensures that the token is unique to the user, to the requesting application and cannot be re-used.

Private (use once) Token

The private token ensures that the user information is securely transferred from server to server and cannot be re-used.
The private token is a message digest generated by the requesting application using the following information:

Public Token
Shared Secret

Each user session is maintained at CDH Auth Proxy for 30 seconds, during which it can be retrieved by the requesting application by providing the corresponding private token, which of course, is unique to the user.

CDH will respond with the user information in a JSON format as key-value pairs, one of which will always be ‘status’. Thus the status determines if the user information was successfully received.

How do I update root certificates in Apache/PHP/cURL environment

What are the differences between addslashes(), mysql_escape_string() and mysql_real_escape_string()

PHP and ODBC

Speed of unpack() in PHP

Configuring PEAR on Windows

How do I use cURL in PHP on Windows?

Passing command-line arguments into PHP

Using SSL socket in PHP under Windows

PHP Resources

PHP error reporting

PHPXref vs PHPDocumentor

Create a PHP unit test case using SimpleTest

PHP Commenting Style

phpMyAdmin Security

PHP

How can I make phpMyAdmin avoid sending MySQL passwords in the clear?

PHP ODBC Setup Guide

Performance of array_shift and array_pop in PHP

Javascript

Numeric Validation JavaScript

The advantages of Javascript

jQuery Tutorial

Which Javascript framework should I use?

jQuery and JavaScript Coding: Examples and Best Practices

Java

XML and Java

Converting Java content into AJAX (Javascript and XML)

Create a Java class that is only comparable to itself

Removing old Java versions

Java Server Faces

MySQL Resources

PostgreSQL Resources

Why doesn't mysqlshow work for databases or tables with underscores in their names?

What is mysqlshow good for?

How can I search/replace strings in MySQL?

Microsoft Access, OpenOffice and MySQL

SQL joins

Get rid of default annoyances in MySQL Workbench

Who uses PostgreSQL at UCLA?

Why NoSQL Matters

Subversion

Revision Control

Revision Control Systems Compared

Installing Subversion on Windows

GIT info

What are some document management services/document version control applications out there?

svn: Working copy '<filename>' is missing or not locked

Learning about CSS

What sort of menus can I make with CSS?

Top Ten Web Design Mistakes of 2005

The importance of "!important" in CSS

CSS Design Concerns for IE6, IE7, and Firefox

Forcing a page break with CSS

What's a solid starting point (global reset) for a CSS file?

UX Team ( UCLA Library - Digital Initiatives & Information Technology )

Hi, are there any UCLA style resources or style guides for websites?

UX Resources

What to do when CSS stylesheets refuse to apply

Web Accessibility Resources

Sass versus LESS

Introduction to XML in Flash - Making Flash Dynamic

XML Resources

XML

Why is it important to use short names in Plone?

Plone CMS Resources

Plone 4 Tips and Tricks: Table of Contents

How do I identify the stylesheets in Plone?

How to get rid of icons in Plone

Importing and exporting a Plone site

Installing Plone v3.2 on Mac OS X 10.5

Remove highlighting of search terms in Plone

Is there a permission that allows a user edit content that s/he does not own in Plone?

Why can't I add a photo using AT Photo in Plone?

Shibboleth For Plone

How do I get started with designing new/existing layouts in Plone?

Backing up and packing Plone's database file (Data.fs)

Zope/Plone usage statistics

Should I use plonecustom.css when changing the layout for my Plone site

Changing number of displayed news/events in Plone portlets

Search across multiple Plone instances