Olaf Kock, 9 years ago:
This is a great extension. Just the idea is worth keeping in my tool belt and digging out on occasion. Will you publish either the code (e.g. on GitHub) or the app (on Marketplace), or both? Or did I miss the link?

Marcus Hjortzén (replying to Olaf Kock), 9 years ago, edited:
If there's a demand I could publish it on GitHub. Right now it sits in our local Subversion where our main work is being done; the risk of also publishing it on GitHub is probably that it will become stale. But sharing something is better than nothing! (There's not going to be a Marketplace plugin.)

Sampsa Sohlman (replying to Marcus Hjortzén), 9 years ago:
I have been thinking about this for a long time, but I have not needed it so far. I would love to see that on GitHub.

Marcus Hjortzén (replying to Sampsa Sohlman), 9 years ago:
Sampsa: Consider it done. I need to find a few hours, so it might be a couple of days or so; I'll get back!

Marcus Hjortzén (replying to his own comment), 9 years ago:
POC code available on GitHub: https://www.liferay.com/web/marcus.hjortzen/blog/-/blogs/login-tokens-on-github
Michael Young, 9 years ago:
Hi Marcus, I lead the Liferay Sync project and I find your implementation very interesting. If I understood what you did correctly, it seems that your solution doesn't actually authenticate with an SSO provider, but instead provides an alternative authentication mechanism. In your opinion, do you think most administrators would be comfortable with this, or do you think they would actually want all applications to authenticate via the SSO product? I actually like it very much and find it to be more secure.

Marcus Hjortzén (replying to Michael Young), 9 years ago:
Hello Michael! There are a couple of things that probably need a bit more work; right now I've done this as a POC (however, it works quite well) and with our setup it fits very well. However, depending on which SSO solution you use it might fit worse. In effect what you're doing is creating more passwords to use/hack. You are correct in that I don't authenticate against the SSO provider. To be honest, that's because I couldn't even begin to understand how to get all the parts together to get that to work (Shibboleth uses a daemon in an Apache fronting the LR installation, and our Shib requires user input, something that couldn't work with LR Sync). So, the real reason is because I'm lazy and don't have enough knowledge!

However, since we have the same source of user data as the SSO uses available as an LDAP service, I could easily have authenticated against that instead. But since we have a requirement that the SSO password should never be stored locally / cached (even if encrypted) on a device, that option quickly got off the list. So, generating a password per device != master password was indeed a nice solution and arguably a more secure solution than using SSO auth (even if you had the know-how). For us I believe that we and administrators would be comfortable with the solution. There are many benefits.

If you could also bind the login token to one application that would be perfect; in my solution I cannot. But since the standard UI login is redirected to Shib, an ordinary user shouldn't be able to use the token to access the portal UI. There is still one piece left to consider however: when generating a new password one should really require a new login or similar, so that new login tokens cannot be generated just because you left your browser open and left the computer.

Michael Young (replying to Marcus Hjortzén), 9 years ago:
Marcus, thanks for your explanation. We've had many discussions on the Sync team about how to solve this SSO issue, and what you have proposed definitely was one of the options. Thank you for showing us one concrete implementation (it makes perfect sense to me). We were never sure if this would be a solution that admins would accept, but the more I look at this solution, the more I think that it is superior to the other options we were thinking of. I really like that:
- SSO credentials are never stored on the clients
- tokens are revocable
- it will work with any SSO provider
- there is no need to understand the intricacies of every possible SSO provider

One last piece I think could be valuable is to somehow bind the token to the device it is assigned to in such a way that it can only be used by that device. Just to let you know, solving this SSO issue is the top priority for us following our revamped Sync 3.0 release (we are skipping 2.0 due to internal reasons). Thanks again for showing us this possible solution and validating its use.

Daniel Tyger (replying to Michael Young), 7 years ago:
Hi Marcus, where is your team with this issue today? We are a CAS shop and very much want to utilize Sync and/or WebDAV. Is it solved yet? Must one go to DXP/v7 to get it?
Daniel Tyger (replying to his own comment), 7 years ago:
Sorry, I meant "Michael" above, Michael Young. Where is your team with this issue today? We are a CAS shop and very much want to utilize Sync and/or WebDAV. Is it solved yet? Must one go to DXP/v7 to get it?
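The per-device login token scheme discussed in the thread above (a random token per device instead of the SSO password, only a hash stored server-side, tokens revocable, a fresh interactive login required before minting, and the device binding Michael Young asks for) as an added Python example; this is constructed illustration code, not the POC from the blog or Liferay Sync's own implementation, and the class, method names and the 300-second freshness window are assumptions.

```python
import hashlib
import hmac
import secrets
import time


class DeviceTokenStore:
    """Hypothetical server-side store of per-device login tokens (constructed example).
    The SSO password is never stored: each device gets its own random secret, only a
    salted PBKDF2 hash of it is kept, and each token can be revoked individually."""

    MAX_AUTH_AGE = 300  # seconds: the interactive login must be this fresh to mint a token

    def __init__(self):
        self._tokens = {}  # token_id -> record (user, device, salt, hash, revoked)

    @staticmethod
    def _digest(secret, salt):
        return hashlib.pbkdf2_hmac("sha256", secret.encode(), salt, 100_000)

    def mint(self, user, device_id, last_auth_at, now=None):
        """Issue a token for one device; refuses if the session's login is stale,
        so an unattended open browser cannot be used to generate new tokens."""
        now = time.time() if now is None else now
        if now - last_auth_at > self.MAX_AUTH_AGE:
            raise PermissionError("re-authentication required before issuing a token")
        token_id = secrets.token_hex(8)
        secret = secrets.token_urlsafe(32)
        salt = secrets.token_bytes(16)
        self._tokens[token_id] = {"user": user, "device": device_id, "salt": salt,
                                  "hash": self._digest(secret, salt), "revoked": False}
        return f"{token_id}.{secret}"  # shown once to the user; only the hash is kept

    def verify(self, token, device_id):
        """Return the user name if the token is valid for this device, else None."""
        try:
            token_id, secret = token.split(".", 1)
        except ValueError:
            return None
        rec = self._tokens.get(token_id)
        if rec is None or rec["revoked"] or rec["device"] != device_id:
            return None
        if not hmac.compare_digest(rec["hash"], self._digest(secret, rec["salt"])):
            return None
        return rec["user"]

    def revoke(self, token_id):
        """Revoke one device's token without touching the user's other devices."""
        rec = self._tokens.get(token_id)
        if rec is None:
            return False
        rec["revoked"] = True
        return True
```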