WebAccess Multi-Realm Support

Overview

The production system was enabled to support authentication against both Penn State Access Accounts and Friends of Penn State (FPS) accounts on May 11, 2005.

Changes to the WebAccess Login Process

The changes to support multiple realms are not visible to someone logging in to the system. In the previous system, the WebAccess server only checked the account against the Access Account Kerberos realm. With multiple-realm support, the server first checks the Access Account realm. If the account name and password do not match there, the FPS realm is checked.

Differentiating Account Types/Authorization

If you are using server-side authorization checks (e.g., an explicit list of account names, such as Apache's "Require user" directive, or checking an account's attributes in LDAP or another database), you may not need to add any other checks. If instead you rely on the filter alone to restrict your site to Access Accounts (and perhaps just log or reference the account name), you will need to add a check for Access vs. FPS accounts, because a successfully authenticated FPS user otherwise passes through the filter exactly like an Access Account user. The filter in your Web server sets a

For Apache servers

To allow only Access Accounts when you are using mod_ssl, add this directive to your configuration file along with the CoSign directives:
SSLRequire ( %{ENV:REMOTE_REALM} == "dce.psu.edu" || %{ENV:REMOTE_REALM} == "" )
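The following configuration shows that directive in context, together with an equivalent check built on the Rewrite Engine for servers without mod_ssl. It is an added example, not configuration taken from the original page or from the Cosign project. The Cosign directive names (AuthType Cosign, CosignProtected, CosignHostname, CosignRedirect, CosignService), the hostnames, paths and service name are assumptions and placeholders; the only values carried over from the page are the REMOTE_REALM variable and the "dce.psu.edu" realm string.

```apache
# Added example (not from the original page or the Cosign project).
# Assumptions: the Cosign filter is loaded, the directive names below match
# your installed filter version, and the filter exports the realm of the
# authenticated session in the REMOTE_REALM environment variable, with
# "dce.psu.edu" for Access Accounts and some other value for FPS accounts.
# All hostnames, paths and the service name are placeholders.

# --- With mod_ssl: SSLRequire does the realm check ---------------------
<Location /access-only>
    AuthType        Cosign
    CosignProtected On
    CosignHostname  webaccess.example.edu
    CosignRedirect  https://webaccess.example.edu/
    CosignService   cosign-myservice

    # Any authenticated Cosign user gets this far...
    Require valid-user

    # ...then the realm check rejects FPS sessions. The second alternative
    # accepts sessions where REMOTE_REALM is unset, so a filter that fails
    # to set the variable would pass; remove the `|| ... == ""` clause if
    # you want the check to fail closed on a missing realm.
    SSLRequire ( %{ENV:REMOTE_REALM} == "dce.psu.edu" || %{ENV:REMOTE_REALM} == "" )
</Location>

# --- Without mod_ssl: the same rule expressed with mod_rewrite ---------
# Assumes REMOTE_REALM is already set by the time per-directory rewrite
# rules run (the fixup phase, which comes after the authentication and
# access-check phases in which the filter sets the variable).
<Location /access-only-rewrite>
    AuthType        Cosign
    CosignProtected On
    CosignHostname  webaccess.example.edu
    CosignRedirect  https://webaccess.example.edu/
    CosignService   cosign-myservice
    Require valid-user

    RewriteEngine On
    # Forbid (403) when a realm is present and it is not the Access realm.
    # Drop the first RewriteCond to fail closed when REMOTE_REALM is empty.
    RewriteCond %{ENV:REMOTE_REALM} !^$
    RewriteCond %{ENV:REMOTE_REALM} !^dce\.psu\.edu$
    RewriteRule ^ - [F]
</Location>
```

Both blocks implement the same policy: authentication is delegated to the Cosign filter, and the realm comparison is a separate authorization step layered on top of it. Test the rule with one Access Account and one FPS account before relying on it, and check the server's error log for the realm value if the FPS login is not rejected, since a filter that does not export REMOTE_REALM will silently satisfy the empty-string branch.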
(If you are not using mod_ssl, it should be possible to perform a similar check with the Rewrite Engine.)

For IIS servers

We have not found a solution like the SSLRequire directive above. For people not already using ASP code or similar to do authorization, we have created a filter to perform this function. It is installed along with the Cosign filter and only allows through sessions of Access Accounts. If you are interested in getting a copy of this filter, let us know at <root@aset.psu.edu>.