[OpenSIPS-Devel] [OpenSIPS-Users] SSO integration = Custom auth module?

Sukhoroslov Denis DSukhoroslov at yota.ru
Wed Oct 15 00:06:43 CEST 2008


 
Hi Bogdan,

In terms of specs: I don't know any particular spec which regulates how SIP should be combined with SSO. There is a 3GPP TR 33.980 report about the usage of Liberty Alliance project SSO services together with the IMS GBA architecture. There is also an IETF sip-saml profile, but it is still in draft. So, currently I'm looking for something more simple to start with. In order to simplify the task I'll try to relay the REGISTER request to my SIP servlet for an SSO token check.

In order to solve this I see the following steps:
- figure out whether the Call-Info header is set in the REGISTER message or not;
- if it is set, relay the REGISTER msg to the external SIP app server (combined with the SSO server);
- check the SSO token at the SIP servlet and reply with 200 or 401;
- check the reply and save the subscriber in the location table if it is registered via SSO;

Correct me if I'm wrong, please.

I tried to accomplish this via the following script in openser.cfg:

    if (is_method("REGISTER"))
    {
        # authenticate the REGISTER requests (uncomment to enable auth)
        if (!www_authorize("", "subscriber"))
        {
            xlog("incoming register\n");

            if ($hdr("Call-Info")!=NULL) {
                xlog("Call-Info found!\n");
                t_on_reply("1");

                # the ip address below must point to SIP Servlet container
                # use sso-yota (Sailfin) address below.
                t_relay("<Sip Servlet container host:port>");
            } else {
                xlog("No Call-Info header\n");
                www_challenge("", "0");
            }
            exit;
        }
        ...............
        exit;
    }

...............

onreply_route[1] {
    if (t_check_status("200")) {
        xlog("token validation succeeded!\n");
        if (!save("location", "0x200")) {
            xlog("user registration failed\n");
        } else {
            xlog("user successfully registered by token\n");
        }
    } else {
        xlog("SSO token is not valid\n");
    }
}

I have 2 issues with the script above:
- the check for the Call-Info header: if ($hdr("Call-Info")!=NULL) doesn't work and always returns false even when the header does exist.
- looks like the save() method cannot be used from onreply_route block. 

Bogdan, could you or someone else help me to solve them?

Thanks, Denis.
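As an added illustration of the flow sketched in this thread (SSO token in Call-Info checked first, Digest against a stored HA1 as the fallback, a fresh token returned in the 200 OK), here is a stand-alone Python model; it is not OpenSIPS code and not from the thread, and the SSO session store, HA1 table, token format, fixed nonce and sample REGISTER are constructed assumptions.

```python
import hashlib, hmac, re, secrets

# Constructed stand-ins: SSO session store, subscriber table (HA1 only) and location table.
SSO_SESSIONS = {"tok-1f3a9c": "alice"}                      # valid SSO token -> user
HA1 = {"alice": hashlib.md5(b"alice:example.com:s3cret").hexdigest()}
LOCATION = {}                                                # AoR -> Contact
NONCE = "n0nce-constructed"                # fixed for the demo; real servers issue fresh nonces
SAMPLE_REGISTER = ("REGISTER sip:example.com SIP/2.0\r\n"     # constructed request
                   "To: <sip:alice@example.com>\r\n"
                   "Contact: <sip:alice@192.0.2.10:5060>\r\n"
                   "Call-Info: tok-1f3a9c\r\n\r\n")

def parse_request(msg):
    """Return (method, {lowercased header name: value}) for a SIP request."""
    head = msg.split("\r\n\r\n", 1)[0].split("\r\n")
    hdrs = {}
    for name, _, value in (line.partition(":") for line in head[1:]):
        hdrs[name.strip().lower()] = value.strip()
    return head[0].split(" ", 1)[0], hdrs

def digest_ok(auth, ha1, method):
    """Verify an RFC 2617 Digest response against the stored HA1 (no plaintext password)."""
    p = dict(re.findall(r'(\w+)="?([^",]*)"?', auth))
    if p.get("nonce") != NONCE:
        return False
    ha2 = hashlib.md5(f"{method}:{p.get('uri', '')}".encode()).hexdigest()
    expected = hashlib.md5(f"{ha1}:{NONCE}:{ha2}".encode()).hexdigest()
    return hmac.compare_digest(p.get("response", ""), expected)

def handle_register(msg):
    """Apply the thread's flow to one REGISTER; return (status code, response headers)."""
    method, h = parse_request(msg)
    aor = re.search(r"sip:([^>;]+)", h["to"]).group(1)
    user = aor.split("@")[0]
    challenge = {"WWW-Authenticate": f'Digest realm="example.com", nonce="{NONCE}"'}
    token = h.get("call-info")
    if token is not None:                        # token offered: valid -> no Digest round trip
        if SSO_SESSIONS.get(token) != user:
            return 401, challenge
        LOCATION[aor] = h["contact"]
        return 200, {"Contact": h["contact"], "Call-Info": token}
    auth = h.get("authorization")
    if auth and user in HA1 and digest_ok(auth, HA1[user], method):
        new_token = "tok-" + secrets.token_hex(8)  # SSO opens a session; client stores the token
        SSO_SESSIONS[new_token] = user
        LOCATION[aor] = h["contact"]
        return 200, {"Contact": h["contact"], "Call-Info": new_token}
    return 401, challenge                          # no token and no valid Digest: challenge
```

A token that the SSO store does not know falls straight through to the Digest challenge, so a forged or expired Call-Info value never bypasses authentication.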


-----Original Message-----
From: Bogdan-Andrei Iancu [mailto:bogdan at voice-system.ro] 
Sent: Tuesday, September 30, 2008 1:12 PM
To: Sukhoroslov Denis
Cc: devel at lists.opensips.org
Subject: Re: [OpenSIPS-Devel] [OpenSIPS-Users] SSO integration = Custom auth module?

Hi Denis,

Sukhoroslov Denis wrote:
> Bogdan, thank you very much for the response.
> Ok, I'll try to follow the ldap model for authentication. It is possible
> to fetch password from SSO DB, but I don't store passwords in plain text
> form. If this is necessary, I can store in SSO DB the full HA1 auth
> string with username and domain. It should be enough to perform DB auth,
> right?
>   
yes, having HA1 instead of plain text password will be just fine.
> But the first thing I have to perform is SSO token validation, when it
> is provided in REGISTER request. If SSO server decides that the token is
> valid I'll need to notify OpenSIPS that the user is authenticated and do
> not perform digest authentication further. Could you suggest how to do
> this? BTW, I'm going to pass SSO token between SIP server and client in
> Call-Info header, is it ok? 
>   
basically you can use whatever header you want, as long as there is 
correlation between server and client. BTW, aren't there any specs to 
help you on this?

Regards,
Bogdan
> Thanks, Denis.
>
>
> -----Original Message-----
> From: Bogdan-Andrei Iancu [mailto:bogdan at voice-system.ro] 
> Sent: Saturday, September 13, 2008 1:52 PM
> To: Sukhoroslov Denis
> Cc: users at lists.opensips.org; devel at lists.opensips.org
> Subject: Re: [OpenSIPS-Users] SSO integration = Custom auth module?
>
> Hi Denis,
>
> More or less you need to write some new extension - probably the easiest
> way will be to follow the ldap model - the module just fetches the 
> password into the script and then you can use the auth module to inject 
> directly the auth username and passwd.
>
> If you need assistance with this, please let's continue the discussion 
> on the devel list.
>
> Regards,
> Bogdan
>
> Sukhoroslov Denis wrote:
>   
>> Hi,
>>
>> Our company provides mobile internet via WiMAX network. There are many
>> services that can be accessed by our mobile clients via HTTP protocol.
>> Now we'd like to provide VoIP (and probably other IMS services in the 
>> future) via SIP protocol. On the server side we're planning to use 
>> OpenSIPS. All our HTTP services are integrated with one common 
>> authentication module, so we have SSO between HTTP clients. Is it 
>> possible to integrate SIP services with SSO as well?
>>
>> This is how I can see it:
>>
>> - We have a custom VoIP client app. During the authentication procedure 
>> with the SIP server the app will append the SSO token (if any) to the REGISTER
>> request. The SSO token can be obtained from our common mobile SSO token
>> store.
>>
>> - The auth module on the server side should check the SSO token first. If 
>> the token exists the auth module should communicate with the SSO server 
>> and validate the token. If the token is valid then the user is considered 
>> authenticated and the server must respond with 200 OK.
>>
>> - If the token doesn't exist or is not valid then the regular SIP 
>> authentication procedure starts. The auth module must respond with 401 
>> Unauthorized.
>>
>> - The client will provide login/password. The auth module will ask the SSO server 
>> to perform authentication.
>>
>> - In case of success the SSO server will open a new SSO session and 
>> respond with a new SSO token. The auth module must append the token to the 
>> 200 OK response.
>>
>> - The client app stores the SSO token in its common store.
>>
>> Is it possible to provide such functionality with OpenSIPS, what do 
>> you think? Do I need to develop a custom auth module for this, or can 
>> I use some existing functionality? Any pointers or links on how to 
>> develop and deploy custom modules would be very helpful.
>>
>> Thanks, Denis.

