# Authentication via Proxy

*By: Yusuf Bhabhrawala, Project Manager, <span class="caps">UCLA</span> Center for Digital Humanities (<span class="caps">CDH</span>)*

# Introduction

This article describes a proposal for building a standardized authentication proxy. This proposal was written before Shibboleth 2.0 (which address many of the limitations from the previous versions). Hence the examples of <span class="caps">CDH</span> and Shibboleth should be taken just as that, ie. example. This type of proxy could be implemented fairly quickly by any organization and for any other authentication system as well.

# Overview

The model proposed here is very widely used for providing authentication as a service. The model can be summarized using the following diagram:  
![](http://www.cdh.ucla.edu/sites/staff/yusufnb/shibproxy.png)

1. The user login request is redirected to <span class="caps">CDH</span> Auth Proxy along with callback <span class="caps">URL</span>.
2. Since <span class="caps">CDH</span> Auth Proxy sits behind Shibboleth, the user is redirected to <span class="caps">UCLA</span> Logon page where they can authenticate themselves.
3. The <span class="caps">UCLA</span> Shibboleth <span class="caps">IDP</span> redirects the user to <span class="caps">CDH</span> Auth Proxy.
4. <span class="caps">CDH</span> Auth Proxy post’s a public token to the callback <span class="caps">URL</span>.
5. The application uses the public token to generate a private token and requests user information from <span class="caps">CDH</span> Auth Proxy using it.
6. <span class="caps">CDH</span> Auth Proxy responds with the user information.

The above approach provides a simple authentication model that can be used to implement authentication fairly quickly, develop drag and drop authentication solutions and develop wordpress, joomla, drupal, plone etc. plugins very easily. These can then be used by <span class="caps">UCLA</span> Humanities division faculty, students and staff without getting into the details of shibboleth SP implementation.

# Technical Details

## Shared Secret

The basis of this authentication model is a secret (character string/password) shared between <span class="caps">CDH</span> and the application requiring authentication. This shared secret is used for generation of time stamped tokens and token validations. It also ensures that shibboleth cannot be used without some kind of prior approval or record.  
Shared secret is specific to a <span class="caps">URL</span>. It thus ties the application with its unique shared secret ensuring that tokens are not misused across applications.

## Shibboleth Data

<span class="caps">CDH</span> will collect and pass only the following information regarding the user:

- First Name
- Last Name
- Email ID
- <span class="caps">UID</span>
- Department Code

This information is already available via <span class="caps">UCLA</span> directory and accessible by all.

## Public Token

The public token is a message digest generated using the following information:

- Email ID
- Shared Secret
- Time stamp (up to seconds)

This ensures that the token is unique to the user, to the requesting application and cannot be re-used.

## Private (use once) Token

The private token ensures that the user information is securely transferred from server to server and cannot be re-used.  
The private token is a message digest generated by the requesting application using the following information:

- Public Token
- Shared Secret

Each user session is maintained at <span class="caps">CDH</span> Auth Proxy for 30 seconds, during which it can be retrieved by the requesting application by providing the corresponding private token, which of course, is unique to the user.

<span class="caps">CDH</span> will respond with the user information in a <span class="caps">JSON</span> format as key-value pairs, one of which will always be ‘status’. Thus the status determines if the user information was successfully received.