[squid-users] SSO and Squid, SAML 2.0 ?

FredB fredbmail at free.fr
Fri Sep 23 13:13:55 UTC 2016


> 
> 
> Proxies only support "HTTP authentication" methods: Basic, Digest,
> NTLM, etc. So you either have to use one of those, or perhaps "fake"
> the creation of one of those...?
> 
> 
> e.g. you mentioned SAML, but gave no context beyond saying you didn't
> want AD. So let's say SAML is a requirement. Well that's directly
> impossible as it isn't an "HTTP authentication" method, but you
> could hit it from the sides...
> 
> 
> How about putting a SAML SP on your squid server, and it generates
> fresh random Digest authentication creds for any authenticated user
> (ie same username, but 30char random password), and tells them to
> cut-n-paste them into their web browser proxy prompt and "save"
> them. That way the proxy is using Digest and it involved a one-off
> SAML interaction. I say Digest instead of Basic because Digest is
> more secure over cleartext - but it's also noticeably slower than
> Basic over latency links, so you can choose your poison there.
> 
> 
> If you're really keen, you can actually do proxy-over-TLS via WPAD
> with Firefox/Chrome - at which point I'd definitely recommend Basic
> for the performance reasons ;-)
> 

Hi,

I'm using Digest now. With a large network, it's fast enough for me (more than 100 0000 users); we remove BASIC identification for security reasons, and the web browsers aren't all in AD.

The point about SSO is to remove the popup with a web portal (identification for all internal websites + Internet proxy).

I mentioned SAML, and yes, there is no real context :) because I'm just searching for information. In my company, a team is thinking about SAML for the portal (SSO Intranet), so I thought, why not?

I guess some companies are using identification with a web portal? No?

Fred

