[squid-users] SSO and Squid, SAML 2.0 ?
Jason Haar
jason_haar at trimble.com
Fri Sep 23 04:17:49 UTC 2016
On Tue, Sep 20, 2016 at 8:39 PM, FredB <fredbmail at free.fr> wrote:
> I'm searching a way to use a secure SSO with Squid, how did you implement
> the authenticate method with an implicit proxy ?
> I'm reading many documentations about SAML, but I found nothing about Squid
>
> I guess we can only do something with cookies ?
>
Hi Fred
Proxies only support "HTTP authentication" methods: Basic, Digest, NTLM
,etc. So you either have to use one of those, or perhaps "fake" the
creation of one of those...?
eg you mentioned SAML, but gave no context beyond saying you didn't want
AD. So let's say SAML is a requirement. Well that's directly impossible as
it isn't an "HTTP authentication" method, but you could hit it from the
sides...
How about putting a SAML SP on your squid server, and it generates fresh
random Digest authentication creds for any authenticated user (ie same
username, but 30char random password), and tells them to cut-n-paste them
into their web browser proxy prompt and "save" them. That way the proxy is
using Digest and it involved a one-off SAML interaction. I say Digest
instead of Basic because Digest is more secure over cleartext - but it's
also noticeably slower than Basic over latency links, so you can choose
your poison there
If you're really keen, you can actually do proxy-over-TLS via WPAD with
Firefox/Chrome - at which point I'd definitely recommend Basic for the
performance reasons ;-)
--
Cheers
Jason Haar
Information Security Manager, Trimble Navigation Ltd.
Phone: +1 408 481 8171
PGP Fingerprint: 7A2E 0407 C9A6 CAF6 2B9F 8422 C063 5EBB FE1D 66D1
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.squid-cache.org/pipermail/squid-users/attachments/20160923/789fee58/attachment.html>
More information about the squid-users
mailing list