[JDEV] Single Sign on and stuff
mhearn at mailandnews.com
Wed Oct 3 16:10:55 CDT 2001
Well, as there is still debate surrounding the JIG I think I'll just get on
with things here. At the end of the day, JIGs/JEPs are good but at the
moment they are slowing this down. So - first issue: how would it work.
Here is a doc I wrote a while ago, it details my current thinking on this.
Distributed Jabber Authentication
by Mike Hearn (mhearn at neuk.net) Jabber: tweedledee at jabber.org
This document will assume knowledge of what network authentication is,
and how Microsoft Passport operates.
Jabber network authentication as outlined in this prelimary document
will allow for the following things:
* Authentication to arbitrary third party websites, without prior
knowledge of that site.
* Authentication to arbitrary services and servers, ie FTP servers,
where both server and client are jabber aware
* Authentication to services and servers for which the client is not
This involves using a special authentication website to allow web
browsers to act as an authentication front end. It works like this:
1. User visits site A (mycompany.com) and wishes to login. They see
one edit control, and a login button. They enter their network
address into the edit, and click login/submit
2. Site A sends either a Jabber IQ or a SOAP message to the users
server, that specifies the auth type (web), and a return URL.
3. Site B responds with a URL to the authentication website for that
server. Each Jabber server has one, we'll assume it's
*http://authenticate.jabber.org* here. The URL points to a CGI
script that Site A will redirect to, for instance:
4. At this address, the user is presented with a form which asks them
to present credentials (probably a password, but could be anything
- a certificate, iris scan, fingerprint data etc.) probably over a
5. The user presents their credentials and submits. The
authentication CGI logs into the users account to verify their
identity, and if clear redirects the user to the URL specified in
the original authencation request. At the same time, cookies are
set on the authenicate.jabber.org domain, so if another site
redirects to that site in future after Step 1, the login process
6. Once returned to the original site A properly authenticated, Site
A can set a cookie containing the username, so from now on when
visiting that site you are automatically logged in.
We will use the example of a jabber aware FTP server and client for this
1. User connects to jabber-aware FTP server using jabber aware client
2. User gives client username and credentials (password, certificate,
3. User sends username to FTP server.
4. FTP server sends message to jabber server via either an IQ or SOAP
asking for "service" authentication
5. Server responds with a token (random number), which the FTP server
then sends to the client
6. FTP client hashes credentials with random number and sends to ftp
server, which forwards this hash to the jabberd
7. Jabber server checks hashed credentials, and if clear sends
message back to FTP server announcing this fact, or otherwise
information about what went wrong.
8. User is now authenticated.
_Arbitrary services when client is not Jabber aware_
Often, a service may be Jabber aware, but the client is not. In this
case, the client will prompt the user for a username and password for
its own authentication system, but the user may wish to use Jabber
authentication as supported by the server. In this case, Instant
Messaging (IM) Authentication can be used.
1. User connects to jabber-aware FTP server with legacy client
2. Client prompts user for username and password
3. Client supplies Jabber network address and blank password
4. FTP server sends SOAP/IQ to server requesting "im" authentication.
Server sends a message with embedded form to an active IM
connection if one, otherwise authentication fails.
5. Users chat client receives message, for instance "Service
'SourceForge FTP' at 184.108.40.206 is requesting authentication.
Confirm? YES NO" would be displayed in the chat client.
6. User clicks yes which triggers reply to server, which takes this
message and replies to FTP service with a clear authentication.
7. FTP server has now authenticated the connection.
This method utilises the fact that the user is probably running the chat
client on the same machine as they are authenticating from.
mhearn at neuk.net
Jabber (jabber.org) tweedledee at jabber.org
More information about the JDev