Pilot service for Yubikey two-factor authentication

November 15, 2015

A brief diversion: Cosign and SPNEGO

Filed under: Pilot service for Yubikey two-factor authentication — idurkacz @ 9:44 am

I mentioned in the previous post, “Some background: what’s Cosign, and how does it work?”, that:

… the ‘single sign-on’ can work even better than that. Since the underlying authentication protocol is assumed to be Kerberos, a web browser which is capable of using SPNEGO is able to use a user’s existing Kerberos tickets for the initial authentication sequence. The result is that access to institutional Cosign-protected websites is completely transparent.

In that same post, I also mentioned that:

… documentation pertaining to Informatics-specific local Cosign modifications is also rather scattered …

For reference purposes, here are a couple of relevant pieces of information:

  1. A post regarding SPNEGO authentication and fallback from the Cosign-discuss mailing list discusses the JavaScript ‘trick’ which we (i.e. Informatics) use in our Cosign setup in order to use SPNEGO if possible – or to gracefully fall back if SPNEGO doesn’t work.
  2. A blog post from Simon Wilkinson (the original author of both our solution and the above post to Cosign-discuss) which describes the same thing, namely Cosign and SPNEGO.
  3. For SPNEGO (and Kerberos ticket delegation) to work in Firefox, users will need to set appropriate values in the two about:config variables network.negotiate-auth.trusted-uris and network.negotiate-auth.delegation-uris.
    In cases where multiple URIs need to be specified for either of these variables (which might well be the case in the testing phase of any implementation, for example), note that the delimiter is ‘,’ – i.e., a comma. Neither a space nor a semicolon will work!
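As an added illustration of point 3 (my own example, not part of the original post or of the Informatics Cosign setup), the following JavaScript lints a trusted-uris / delegation-uris value for the comma-delimiter mistake and shows why a space- or semicolon-separated list silently matches nothing. The host names are constructed example.org values, and the matching rules are a simplified approximation of Firefox’s, assumed here for illustration.

```javascript
// Added example, not from the original post: sanity-check Firefox
// network.negotiate-auth.trusted-uris / delegation-uris values before pasting
// them into about:config. Firefox splits these prefs on ',' only, so a space-
// or ';'-delimited list becomes one entry that matches nothing and SPNEGO
// silently falls back to the form login. The matcher below is a simplified
// approximation of Firefox's rules (an assumption): a leading-dot or bare host
// entry matches that domain and its subdomains; an entry with a scheme is a
// URL prefix.

function parseNegotiateUris(value) {
  return value.split(",").map((e) => e.trim()).filter((e) => e.length > 0);
}

// Entries containing whitespace or ';' are almost always a delimiter mistake.
function badDelimiterEntries(value) {
  return parseNegotiateUris(value).filter((e) => /[\s;]/.test(e));
}

// Would Firefox (approximately) attempt SPNEGO for this URL with this pref?
function isNegotiateTrusted(urlString, value) {
  const url = new URL(urlString);
  return parseNegotiateUris(value).some((entry) => {
    if (entry.includes("://")) return urlString.startsWith(entry);
    const host = entry.startsWith(".") ? entry.slice(1) : entry;
    return url.hostname === host || url.hostname.endsWith("." + host);
  });
}

// delegation-uris hands the server a forwardable copy of the user's Kerberos
// credentials, so it should be a subset of trusted-uris, ideally just the
// Cosign weblogin host. Report delegation entries absent from trusted-uris.
function delegationNotTrusted(trustedValue, delegationValue) {
  const trusted = new Set(parseNegotiateUris(trustedValue));
  return parseNegotiateUris(delegationValue).filter((e) => !trusted.has(e));
}

// Constructed sample values (example.org hosts, not real institutional ones).
const good = "https://weblogin.example.org,https://weblogin-test.example.org";
const bad = "https://weblogin.example.org https://weblogin-test.example.org";
console.log(badDelimiterEntries(good)); // []
console.log(badDelimiterEntries(bad));  // [ 'https://weblogin.example.org https://weblogin-test.example.org' ]
console.log(isNegotiateTrusted("https://weblogin.example.org/login", good)); // true
console.log(isNegotiateTrusted("https://weblogin.example.org/login", bad));  // false
```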
