Subject: The mailing list for listmasters using Sympa
List archive
[sympa-users] Re: Shibboleth Authentication with Sympa
- From: Olivier Salaün <address@concealed>
- To: Ryann Levo <address@concealed>
- Cc: address@concealed
- Subject: [sympa-users] Re: Shibboleth Authentication with Sympa
- Date: Sat, 14 Jul 2007 13:32:03 +0200
Hi Ryann,
We are aware of this risk ; that's why the Shibboleth authentication feature (actually generic_sso) has been extended by J.P. Robinson, University of Alabama at Birmingham. The extension allows to either validate a shibboleth-provided email address or collect one (and validate it). The extension is part of Sympa 5.2.x versions.
Please check the documentation to find out about the available parameters : http://www.sympa.org/wiki/manual/authentication#generic_sso_paragraph
Let us know if the documentation not sufficient.
Ryann Levo wrote:
We're working with Sympa 5.2.3 and we have Shibboleth authentication (staying within our institution - currently not allowing others to auth) working. However we found a slight security issue that since our customers can change their mail attribute in LDAP (what Shib uses to get the users's information), there's the potential that someone could change their mail attribute to another person's email address and basically auth into Sympa and have the other person's rights/views into their lists (of course the most dangerous one would be the listmaster's email address).
Has anyone else run into this problem using Sympa and Shibboleth?
Any thoughts or ideas would be of great help - and unfortunately not allowing our customers to modify their mail attribute is not an option.
-
[sympa-users] Shibboleth Authentication with Sympa,
Ryann Levo, 07/13/2007
- [sympa-users] Re: Shibboleth Authentication with Sympa, Olivier Salaün, 07/14/2007
Archive powered by MHonArc 2.6.19+.