Introduction
This software is released under the GPL license. It is the product of the internship ("stage") of Massimo Plaitano, sponsored by Udine University at Conecta.
Description
It is difficult to develop Linux-based single sign-on systems; the aim of this project is to develop PAM modules that ease the integration of different authentication systems into a single sign-on system.
Some tools will aid administrators to configure these modules and other tools will aid users to manage federations with different servers.
For now there are two modules:
- pam_liberty.so for authentication with Liberty Alliance Principals;
- pam_grid.so for authentication with Globus Toolkit.
Pam-grid is an orphaned project from http://www.gridpp.ac.uk/linux/pam-grid.html
Lasso is a free software C library aiming to implement the Liberty Alliance standards: http://lasso.entrouvert.org
Dotconf is a configuration file parser: http://www.azzit.de/dotconf
Libcurl is a file transfer library: http://curl.haxx.se
PAM-SSO HOWTO
ATTENTION: this software is in the alpha development stage, don't use it in production!
This collection of PAM modules facilitates the integration of single sign-on procedure inside any PAM-aware program.
There are these modules:
- pam_liberty
- pam_grid
And these tools:
- pamtest
- libertytest
The pam_liberty module
This PAM module authenticates users against a Liberty-enabled Provider (http://www.projectliberty.org/).
From Liberty Alliance about page (http://www.projectliberty.org/about/):
The Liberty Alliance Project is an alliance of more than 150 companies, non-profit and government organizations from around the globe. The consortium is committed to developing an open standard for federated network identity that supports all current and emerging network devices. Federated identity offers businesses, governments, employees and consumers a more convenient and secure way to control identity information in today's digital economy, and is a key component in driving the use of e-commerce, personalized data services, as well as web-based services. Membership is open to all commercial and non-commercial organizations.
Access to the Project Liberty standards is made through the Lasso library (Liberty Alliance Single Sign On), available at http://lasso.entrouvert.org/.
The HTTP requests are made by libcurl (http://curl.haxx.se/libcurl/), using xmlsec1 and OpenSSL for secure connections.
The configuration file is located at /etc/sso/liberty.conf and parsing is done with the dotconf library.
pam_liberty configuration
The pam_liberty configuration file is located at /etc/sso/liberty.conf and is read at every access, allowing run-time changes.
The configuration file is formatted into rows of two fields each, separated by blanks. Lines beginning with '#' are comments.
The first field is the option, the second one is the value (which should be quoted when it contains blanks or special characters).
- idp_provider_id: unique identifier of Identity Provider.
- idp_metadata: metadata of Identity Provider.
- idp_public_key: public key of Identity Provider (in pem format).
- idp_ca_cert_chain: certificates chain for checking the communication security.
- sp_authn_response_check: matching string used to check, inside the HTML page returned by the Service Provider, that authentication succeeded.
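As an added example (not pam-sso's own code, which uses dotconf for this), the following C program parses the liberty.conf row format described above: one option and one value per line, separated by blanks, '#' lines as comments, and a quoted value when it contains blanks. It also refuses an incomplete configuration by checking that all five options listed above are present, which is the check a module should make before trusting the file. The sample file contents, and the paths and strings in it, are constructed placeholders.

```c
/* Added example: parser for the two-field /etc/sso/liberty.conf format.
 * Not part of pam-sso (which uses dotconf); written to illustrate the format
 * and the "all required options present" check. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <ctype.h>

#define MAX_OPTS 16
#define MAX_LEN 256

struct sso_option {
    char name[MAX_LEN];
    char value[MAX_LEN];
};

struct sso_config {
    struct sso_option opts[MAX_OPTS];
    int count;
};

/* Parse one line. Returns 1 if an option was stored, 0 for a blank or
 * comment line, -1 for a malformed line (missing value, unterminated quote). */
static int parse_line(const char *line, struct sso_option *out)
{
    const char *p = line;
    size_t n = 0;

    while (*p && isspace((unsigned char)*p)) p++;
    if (*p == '\0' || *p == '#') return 0;

    /* first field: the option name, up to the first blank */
    while (*p && !isspace((unsigned char)*p) && n < MAX_LEN - 1)
        out->name[n++] = *p++;
    out->name[n] = '\0';

    while (*p && isspace((unsigned char)*p)) p++;
    if (*p == '\0') return -1;            /* option without a value */

    n = 0;
    if (*p == '"') {
        /* quoted value: may contain blanks, must be closed on the same line */
        p++;
        while (*p && *p != '"' && n < MAX_LEN - 1)
            out->value[n++] = *p++;
        if (*p != '"') return -1;         /* unterminated quote */
    } else {
        while (*p && !isspace((unsigned char)*p) && n < MAX_LEN - 1)
            out->value[n++] = *p++;
    }
    out->value[n] = '\0';
    return 1;
}

/* Parse a whole configuration held in memory (so the example runs offline).
 * Returns the number of options stored, or -1 on the first malformed line. */
int sso_parse(const char *text, struct sso_config *cfg)
{
    const char *start = text;
    cfg->count = 0;
    while (*start) {
        const char *end = strchr(start, '\n');
        size_t len = end ? (size_t)(end - start) : strlen(start);
        char line[MAX_LEN];
        int r;
        if (len >= sizeof line || cfg->count >= MAX_OPTS) return -1;
        memcpy(line, start, len);
        line[len] = '\0';
        r = parse_line(line, &cfg->opts[cfg->count]);
        if (r < 0) return -1;
        if (r > 0) cfg->count++;
        start = end ? end + 1 : start + len;
    }
    return cfg->count;
}

/* Look up an option value; NULL when the option is absent. */
const char *sso_get(const struct sso_config *cfg, const char *name)
{
    for (int i = 0; i < cfg->count; i++)
        if (strcmp(cfg->opts[i].name, name) == 0) return cfg->opts[i].value;
    return NULL;
}

/* A module should not run with a partial configuration: every option named
 * in the HOWTO must be present. Returns NULL when complete, otherwise the
 * name of the first missing option. */
const char *sso_check_required(const struct sso_config *cfg)
{
    static const char *required[] = {
        "idp_provider_id", "idp_metadata", "idp_public_key",
        "idp_ca_cert_chain", "sp_authn_response_check"
    };
    for (size_t i = 0; i < sizeof required / sizeof required[0]; i++)
        if (sso_get(cfg, required[i]) == NULL) return required[i];
    return NULL;
}

/* Constructed sample configuration; paths and strings are placeholders. */
const char *SAMPLE_CONF =
    "# liberty.conf (constructed example)\n"
    "idp_provider_id https://idp.example.org/metadata\n"
    "idp_metadata /etc/sso/idp-metadata.xml\n"
    "idp_public_key /etc/sso/idp-public-key.pem\n"
    "idp_ca_cert_chain /etc/sso/idp-ca-chain.pem\n"
    "sp_authn_response_check \"Authentication succeeded\"\n";

int main(void)
{
    struct sso_config cfg;
    const char *missing;
    if (sso_parse(SAMPLE_CONF, &cfg) < 0) { fprintf(stderr, "parse error\n"); return 1; }
    missing = sso_check_required(&cfg);
    if (missing) { fprintf(stderr, "missing option: %s\n", missing); return 1; }
    printf("sp_authn_response_check = %s\n", sso_get(&cfg, "sp_authn_response_check"));
    return 0;
}
```

Re-reading the file at every access, as pam_liberty does, means a malformed or truncated edit takes effect immediately, so failing closed on a parse error or a missing option (as sso_parse and sso_check_required do) is the safer behaviour.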
The pam_grid module
It comes from an old project (http://www.gridpp.ac.uk/linux/pam-grid.html) written by "The Globus Alliance" (http://www.globus.org/).
The module was originally produced by Alex Martin a.j.martin@qmw.ac.uk based on the AFS PAM module by Tobias Schaefer T.Schaefer@science-computing.de. Some removal of references to AFS was done by Andrew McNab, along with the RPM packaging.
How to use PAM modules
To start using the features offered by pam-sso in a program, it is sufficient to add or change the "auth" row in its configuration file in /etc/pam.d/ in this way:

auth required pam_liberty.so

It is suggested to read "The Linux-PAM System Administrators' Guide" (http://www.kernel.org/pub/linux/libs/pam/Linux-PAM-html/pam.html).
For developers
Whoever wants to include support for the above modules only needs to make their software PAM-aware and create a configuration file for it in /etc/pam.d/, like the one used by pamtest.c.
Those who don't know how to do this can read "The Linux-PAM Application Developers' Guide" (http://www.kernel.org/pub/linux/libs/pam/Linux-PAM-html/pam_appl.html).
To integrate support for Project Liberty directly, it is suggested to read the Lasso documentation (http://lasso.entrouvert.org/documentation/).
pamtest (example code)
An example PAM-aware program, useful for checking the authentication. The pamtest.c code is very simple and could be a help for beginning developers.
Configuration example
Add into /etc/pam.d/pamtest:

auth required pam_liberty.so

The authentication by pam_liberty is then made through the pamtest command. Replace pam_liberty.so with pam_grid.so to check the grid authentication.