[OpenSIPS-Devel] [OpenSIPS-Users] SSO integration = Custom auth module?

Bogdan-Andrei Iancu bogdan at voice-system.ro
Tue Sep 30 11:12:17 CEST 2008


Hi Denis,

Sukhoroslov Denis wrote:
> Bogdan, thank you very much for the response.
> Ok, I'll try to follow the ldap model for authentication. It is possible
> to fetch password from SSO DB, but I don't store passwords in plain text
> form. If this is necessary, I can store in SSO DB the full HA1 auth
> string with username and domain. It should be enough to perform DB auth,
> right?
>   
Yes, having HA1 instead of plain text password will be just fine.
> But the first thing I have to perform is SSO token validation, when it
> is provided in REGISTER request. If SSO server decides that the token is
> valid I'll need to notify OpenSIPS that the user is authenticated and do
> not perform digest authentication further. Could you suggest how to do
> this? BTW, I'm going to pass SSO token between SIP server and client in
> Call-Info header, is it ok? 
>   
Basically you can use whatever header you want, as long as there is 
correlation between server and client. BTW, aren't there any specs to 
help you on this?

Regards,
Bogdan
> Thanks, Denis.
>
>
> -----Original Message-----
> From: Bogdan-Andrei Iancu [mailto:bogdan at voice-system.ro] 
> Sent: Saturday, September 13, 2008 1:52 PM
> To: Sukhoroslov Denis
> Cc: users at lists.opensips.org; devel at lists.opensips.org
> Subject: Re: [OpenSIPS-Users] SSO integration = Custom auth module?
>
> Hi Denis,
>
> More or less you need to write some new extension - probably the easiest
> way will be to follow the ldap model - the module just fetches the 
> password into the script and then you can use the auth module to inject 
> directly the auth username and passwd.
>
> If you need assistance with this, please let's continue the discussion 
> on the devel list.
>
> Regards,
> Bogdan
>
> Sukhoroslov Denis wrote:
>   
>> Hi,
>>
>> Our company provides mobile internet via WiMAX network. There are many
>> services that can be accessed by our mobile clients via HTTP protocol.
>> Now we'd like to provide VoIP (and probably other IMS services in the 
>> future) via SIP protocol. On the server side we're planning to use 
>> OpenSIPS. All our HTTP services are integrated with one common 
>> authentication module, so we have SSO between HTTP clients. Is it 
>> possible to integrate SIP services with SSO as well?
>>
>> This is how I can see it:
>>
>> - We have a custom VoIP client app. During authentication procedure 
>> with SIP server the app will append SSO token (if any) to the REGISTER
>> request. SSO token can be obtained from our common mobile SSO token
>> store.
>>
>> - The auth module on the server side should check SSO token first. If 
>> the token exists the auth module should communicate with SSO server 
>> and validate token. If token is valid then the user is considered as 
>> authenticated and server must respond with 200 OK.
>>
>> - If the token doesn't exist or is not valid then the regular SIP 
>> authentication procedure starts. Auth module must respond with 401 
>> Unauthorized.
>>
>> - Client will provide login/password. Auth module will ask SSO server 
>> to perform authentication.
>>
>> - In case of success SSO server will open a new SSO session and 
>> respond with new SSO token. Auth module must append the token to the 
>> 200 OK response.
>>
>> - Client app stores SSO token to its common store.
>>
>> Is it possible to provide such functionality with OpenSIPS, what do 
>> you think? Do I need to develop a custom auth module for this, or can 
>> I use some existing functionality? Any pointers or links on how to 
>> develop and deploy custom modules would be very helpful.
>>
>> Thanks, Denis.
>>
>>
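
The point agreed in this thread (a stored HA1 is enough for digest authentication, no plain-text password needed), shown as an added example that is not part of the original messages or of OpenSIPS code: RFC 2617 digest verification from a stored HA1, in Python. The function names, the `creds` dict layout and the sample user are assumptions made for the example.

```python
import hashlib
import hmac

def md5_hex(text):
    return hashlib.md5(text.encode("utf-8")).hexdigest()

def compute_ha1(username, realm, password):
    # Run once at provisioning; store only the result. HA1 is still
    # password-equivalent for this realm, so protect the column accordingly.
    return md5_hex(f"{username}:{realm}:{password}")

def expected_response(ha1, method, uri, nonce, qop=None, nc=None, cnonce=None):
    # RFC 2617 request-digest; the password itself is never needed here.
    ha2 = md5_hex(f"{method}:{uri}")
    if qop is None:
        return md5_hex(f"{ha1}:{nonce}:{ha2}")
    if qop == "auth" and nc and cnonce:
        return md5_hex(f"{ha1}:{nonce}:{nc}:{cnonce}:{qop}:{ha2}")
    raise ValueError("unsupported qop or missing nc/cnonce")

def verify_digest(stored_ha1, method, creds):
    # creds: Authorization header fields already parsed into a dict (assumed).
    try:
        want = expected_response(stored_ha1, method, creds["uri"], creds["nonce"],
                                 creds.get("qop"), creds.get("nc"), creds.get("cnonce"))
        got = str(creds["response"]).lower()
    except (KeyError, ValueError):
        return False
    # Constant-time comparison of the two hex strings.
    return hmac.compare_digest(want.encode(), got.encode())

def sample_register():
    # Constructed sample: the fields a client would send for a REGISTER.
    ha1 = compute_ha1("alice", "sip.example.invalid", "constructed-password")
    creds = {"uri": "sip:sip.example.invalid", "nonce": "constructed-nonce-0001"}
    creds["response"] = expected_response(ha1, "REGISTER", creds["uri"], creds["nonce"])
    return ha1, creds

if __name__ == "__main__":
    ha1, creds = sample_register()
    print("valid response accepted:", verify_digest(ha1, "REGISTER", creds))
    creds["response"] = "0" * 32
    print("forged response accepted:", verify_digest(ha1, "REGISTER", creds))
```

Checking that the nonce was issued by this server and has not expired is a separate step that this example leaves out.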