[ejabberd] SSO and XMPP

Peter Saint-Andre stpeter at stpeter.im
Wed Feb 13 03:00:30 MSK 2008

Hi Gerard,

Gerard Webb wrote:
> Hey,
> I am developing a single sign-on system for the EU.
> It's pretty big, and was wondering if I can ask you some silly questions:

No silly questions here.

> Here is my topology:
> 1. 20 x web applications. .NET and Java
> 2. 2 x AD LDAP servers. AD is just a bit of LDAP and DNS mixed together
> after all.
> 3. An SSO server I programmed in C#. It acts as a broker and provides some
> encapsulation.
> I have intended to use it to manage SSO and even federated SSO, but then
> after I started playing with XMPP and especially *ejabberd*, I realised how
> powerful it is.

BTW the ejabberd developers are madly working on version 2.0.0, so they
may not reply quickly. :)

> We want to allow SSO within our domain, and then allow controlled Fed SSO
> over XMPP later.
> So:
> 1. Can I simply just let *ejabberd* do SSO for me? I assume it hands back
> a session (or JID, I believe it's called).

Your JID looks like an email address. So mine is stpeter at jabber.org.
Your SSO system could ask ejabberd if I'm logged in and (if it has
appropriate privileges) ejabberd could tell you "yes" or "no".

> I assume I can just ask *ejabberd* "is this user 'blah at blah.com'
> logged on anywhere and where?"

> The Roster, I think it's called.

Your roster is your buddy list. Think IM. But you don't need roster
information to build your SSO feature.

> Then if they are I can assume they are already authenticated and then give a
> session out to the web apps that corresponds to the same session from the
> *ejabberd* session ID.

Do you want any user involvement (e.g., authorization that a particular
web application is allowed to know if the user is online)? If not, how
will you control access to this information? Some users might consider
it to be sensitive.

> As you can see I am a bit confused how to use the XMPP stack for SSO. I can
> see why I should use it but am still getting my head around exactly how to best
> use it.
> Hope I am making some sort of sense

So far so good. :)


Peter Saint-Andre
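
Added example (not part of the original message and not ejabberd code): a sketch of the yes/no lookup discussed above, with the per-application and per-user authorization the reply asks about. The session set stands in for whatever interface the server exposes; `PresenceGate`, `demo_gate`, the application ids and the JIDs are hypothetical.

```python
from dataclasses import dataclass, field


def bare_jid(jid: str) -> str:
    """Reduce 'User@Example.org/laptop' to 'user@example.org'.

    Lowercasing is a simplification of XMPP's stringprep rules.
    """
    bare = jid.split("/", 1)[0].strip().lower()
    local, sep, domain = bare.partition("@")
    if not (sep and local and domain):
        raise ValueError(f"not a user JID: {jid!r}")
    return bare


@dataclass
class PresenceGate:
    sessions: set       # full JIDs with a live session (stand-in for the server's list)
    allowed_apps: set   # applications the operator permits to ask at all
    consent: dict       # bare JID -> application ids that user has approved
    audit: list = field(default_factory=list)

    def is_online(self, app_id: str, jid: str) -> bool:
        """Answer yes/no only; resources ("where") are never returned."""
        target = bare_jid(jid)
        ok = app_id in self.allowed_apps and app_id in self.consent.get(target, set())
        self.audit.append((app_id, target, "allow" if ok else "deny"))
        if not ok:
            # Deny by default, before touching session state.
            raise PermissionError(f"{app_id} may not query {target}")
        return any(bare_jid(s) == target for s in self.sessions)


def demo_gate() -> PresenceGate:
    """Constructed sample data, not taken from the thread."""
    return PresenceGate(
        sessions={"alice@example.org/Laptop", "alice@example.org/phone"},
        allowed_apps={"hr-portal", "wiki"},
        consent={"alice@example.org": {"hr-portal"}, "bob@example.org": {"hr-portal"}},
    )


if __name__ == "__main__":
    gate = demo_gate()
    print(gate.is_online("hr-portal", "Alice@example.org"))  # consented, has sessions
    print(gate.is_online("hr-portal", "bob@example.org"))    # consented, no session
    try:
        gate.is_online("wiki", "alice@example.org")           # allowed app, no consent
    except PermissionError as exc:
        print("denied:", exc)
```

Every query, allowed or denied, lands in `audit`, so a reviewer can see which application asked about which user.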
