Applications wishing to make proxied client requests must obtain permission from CUIT management. Proxying is intended for use by portals or other applications needing to connect to multiple applications on behalf of a user.
WIND maintains a "whitelist" of permitted proxy targets for each proxying application. Proxied client requests work exclusively on an opt-in basis: an application may request Proxy Tickets only for target applications that are on its whitelist. The proxy "path" (the identity of the application that obtained the Proxy Ticket) is sent to the proxy target in the WIND validation response and can be used by the proxy target to make access-control decisions.
The initial login sequence for proxy clients is the same as it is for a standard login. There is one required parameter: "destination" (the URI to which the user should be directed after authenticating).
The HTML form will also be the same as for a standard login page. And as before, web applications using WIND do not get a direct response to an authentication request. If the authentication request is successful, the web application can anticipate that the user will soon be redirected to the destination URI using a request that includes a WIND ticketid parameter.
overview
At the destination URI, browsers must present a ticket. Your web application must extract the ticket from the request, validate it, and in the same validation request ask for a Proxy Granting Ticket (PGT).
The validation request is an HTTPS request sent from the web application which manages the destination URI to the WIND server. There is an additional parameter to the standard validation request: 'wantspgt' (with value '1'). The actual end-user and his web browser software do not participate in this transaction.
The validation URI looks like this: https://wind.columbia.edu/validate?wantspgt=1&ticketid=TICKETID_TO_BE_VALIDATED
response
In response to a validation request, the WIND server will answer with an XML document whose root element is <wind:serviceResponse>. This will contain either a "wind:authenticationSuccess" or a "wind:authenticationFailure" element. If validation is successful and wantspgt=1 was sent, the response will include the Proxy Granting Ticket (PGT) in a wind:proxyGrantingTicket element.
A successful authentication will look like:
<wind:serviceResponse xmlns:wind='http://www.columbia.edu/acis/rad/authmethods/wind'>
<wind:authenticationSuccess>
<wind:user>UNI</wind:user>
<wind:proxyGrantingTicket>PGT</wind:proxyGrantingTicket>
<wind:passwordtyped>PASSWORD_TYPED</wind:passwordtyped>
<wind:logintime>LOGIN_TIME</wind:logintime>
<wind:passwordtime>PASSWORD_TIME</wind:passwordtime>
<wind:passwordchangeURI>PASSWORD_CHANGE_URI</wind:passwordchangeURI>
</wind:authenticationSuccess>
</wind:serviceResponse>
An authentication failure will look like:
<wind:serviceResponse xmlns:wind='http://www.columbia.edu/acis/rad/authmethods/wind'>
<wind:authenticationFailure code="ERROR_CODE">ERROR_MESSAGE</wind:authenticationFailure>
</wind:serviceResponse>
Note that in order to receive PGTs, an application must be configured to receive the XML-formatted response. PGTs will not be issued in plain-text format.
sample (XML response)
#
# This program might be a component of the CGI service which
# handles requests for http://myserver.com/chat__service
#
use strict;
use warnings;
use LWP::Simple 'get';
use XML::Simple;
use URI::Escape 'uri_escape';

my $validateURI = 'https://wind.columbia.edu/validate?wantspgt=1&ticketid=';

# Returns (1, $username, $pgt) when the ticket validates and a PGT was
# issued, otherwise (0, $reason).
sub validateTicketAndRetrievePGT {
    my $ticketId = shift;
    # Escape the ticket so a malformed value cannot alter the query string.
    my $windResponse = get($validateURI . uri_escape($ticketId));
    return (0, 'no response from the WIND validator') unless defined $windResponse;
    my $ref = XMLin($windResponse);
    if (exists $ref->{'wind:authenticationSuccess'}) {
        my $success  = $ref->{'wind:authenticationSuccess'};
        my $username = $success->{'wind:user'};
        print "$username logged in";
        # The PGT arrives in wind:proxyGrantingTicket (see the response above).
        # It is only present if wantspgt=1 was sent and the application is
        # configured for XML responses.
        my $pgt = $success->{'wind:proxyGrantingTicket'};
        return (0, 'ticket validated but no PGT was issued') unless defined $pgt;
        return (1, $username, $pgt);
    } elsif (exists $ref->{'wind:authenticationFailure'}) {
        # Ticket rejected. User should have an option to try again.
        # To try again, another authentication request needs to be generated.
        return (0, 'the ticket was already used or was invalid');
    } else {
        return (0, 'did not get a yes/no response from the WIND validator.');
    }
}
This snippet of Perl shows how validation of a ticketid might occur for an application that receives XML-formatted responses. (Perl needs SSL support, i.e. the LWP::Protocol::https module, for LWP to connect to an HTTPS URI; leave certificate verification enabled, since the ticket and the PGT travel over this connection.)
overview
Once an application has obtained a PGT, it can use this to request tickets for other services. After the ticket has been obtained, it can be presented to the target application at the destination URI for that service.
The PT request is an HTTPS request sent from the proxying application to the WIND server. There are two parameters to the request: the PGT ('pgt') and the destination URI of the target application ('destination').
The PT request URI looks like this: https://wind.columbia.edu/login?pgt=PGT&destination=TARGET_SERVICE_URI
Applications that act as proxies for client requests must register all hosts that will be making PT requests. [NOTE: this is not currently enforced.] In addition, the destination URI for the portal login must use HTTPS.
response
In response to a PT request, the WIND server will answer with an XML document whose root element is <wind:serviceResponse>. This will contain either a "wind:proxySuccess" or a "wind:proxyFailure" element. If the request is successful, the response will include the Proxy Ticket (PT).
A successful request will look like:
<wind:serviceResponse xmlns:wind='http://www.columbia.edu/acis/rad/authmethods/wind'>
<wind:proxySuccess>
<wind:proxyTicket>PT</wind:proxyTicket>
</wind:proxySuccess>
</wind:serviceResponse>
A failure will look like:
<wind:serviceResponse xmlns:wind='http://www.columbia.edu/acis/rad/authmethods/wind'>
<wind:proxyFailure code="ERROR_CODE">ERROR_MESSAGE</wind:proxyFailure>
</wind:serviceResponse>
As with PGTs, an application must be configured to receive the XML-formatted response in order to receive a PT. PTs will not be issued in plain-text format.
sample (XML response)
#
# This program might be a component of a portal which requests Proxy
# Tickets on behalf of the logged-in user (e.g. for http://myserver.com/chat__service)
#
use strict;
use warnings;
use LWP::Simple 'get';
use XML::Simple;
use URI::Escape 'uri_escape';

my $ptRequestURI = 'https://wind.columbia.edu/login';

# Request a Proxy Ticket for $destination using the PGT obtained earlier.
# Returns (1, $proxyticket) on success, otherwise (0, $reason).
sub requestProxyTicket {
    my ($pgt, $destination) = @_;
    my $windResponse = get($ptRequestURI
        . '?pgt=' . uri_escape($pgt)
        . '&destination=' . uri_escape($destination));
    return (0, 'no response from the WIND server') unless defined $windResponse;
    my $ref = XMLin($windResponse);
    if (exists $ref->{'wind:proxySuccess'}) {
        my $proxyticket = $ref->{'wind:proxySuccess'}{'wind:proxyTicket'};
        return (1, $proxyticket);
    } elsif (exists $ref->{'wind:proxyFailure'}) {
        # Request rejected: the PGT was invalid or expired, or the destination
        # is not on this application's whitelist. A new PGT requires the user
        # to authenticate again.
        return (0, 'the PGT was invalid or expired');
    } else {
        return (0, 'did not get a yes/no response from the WIND server.');
    }
}
This snippet of Perl shows how a proxy ticket request might occur. (Perl must be configured with SSL support in order for the LWP module to connect to an HTTPS URI.)
overview
The target application validates the Proxy Ticket the same way that it would validate a standard ticket.
The PT validation URI looks like this: https://wind.columbia.edu/validate?ticketid=TICKETID_TO_BE_VALIDATED
response
A successful proxy ticket validation will look like:
<wind:serviceResponse xmlns:wind='http://www.columbia.edu/acis/rad/authmethods/wind'>
<wind:authenticationSuccess>
<wind:user>UNI</wind:user>
<wind:passwordtyped>PASSWORD_TYPED</wind:passwordtyped>
<wind:logintime>LOGIN_TIME</wind:logintime>
<wind:passwordtime>PASSWORD_TIME</wind:passwordtime>
<wind:passwordchangeURI>PASSWORD_CHANGE_URI</wind:passwordchangeURI>
<wind:proxies>
<wind:proxy>proxying-service</wind:proxy>
</wind:proxies>
</wind:authenticationSuccess>
</wind:serviceResponse>
A failure will look like:
<wind:serviceResponse xmlns:wind='http://www.columbia.edu/acis/rad/authmethods/wind'>
<wind:authenticationFailure code="ERROR_CODE">ERROR_MESSAGE</wind:authenticationFailure>
</wind:serviceResponse>
sample (XML response)
#
# This program might be a component of the CGI service which
# handles requests for http://myserver.com/chat__service
#
use strict;
use warnings;
use LWP::Simple 'get';
use XML::Simple;
use URI::Escape 'uri_escape';

# Proxy Tickets are validated at the standard validation URI (no wantspgt).
my $validateURI = 'https://wind.columbia.edu/validate?ticketid=';
# Proxying applications this service accepts logins from (its own policy).
my %allowedProxies = map { $_ => 1 } ('proxying-service');

# Returns (1, $username) if the ticket validates and any proxy path is
# acceptable, otherwise (0, $reason).
sub validateTicket {
    my $ticketId = shift;
    my $windResponse = get($validateURI . uri_escape($ticketId));
    return (0, 'no response from the WIND validator') unless defined $windResponse;
    my $ref = XMLin($windResponse);
    if (exists $ref->{'wind:authenticationSuccess'}) {
        my $success  = $ref->{'wind:authenticationSuccess'};
        my $username = $success->{'wind:user'};
        # wind:proxies names the application(s) that obtained this ticket on
        # the user's behalf. XML::Simple returns a scalar for one wind:proxy
        # element and an array reference for several.
        my @proxies;
        if (ref $success->{'wind:proxies'} eq 'HASH') {
            my $p = $success->{'wind:proxies'}{'wind:proxy'};
            @proxies = grep { defined } (ref $p eq 'ARRAY' ? @$p : ($p));
        }
        for my $proxy (@proxies) {
            return (0, "login via unapproved proxy '$proxy'")
                unless $allowedProxies{$proxy};
        }
        print "$username logged in";
        return (1, $username);
    } elsif (exists $ref->{'wind:authenticationFailure'}) {
        # Ticket rejected. User should have an option to try again.
        # To try again, another authentication request needs to be generated.
        return (0, 'the proxy ticket was already used or was invalid');
    } else {
        return (0, 'did not get a yes/no response from the WIND validator.');
    }
}
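The full proxy flow as one added example (not code from the WIND documentation or from CUIT): a Python parser for the wind:serviceResponse documents shown in the three response sections above, the URI builders for the validation request and the PT request, and the target-side check of wind:proxies against an allowlist, which the whitelist discussion at the top of the page leaves to the proxy target. Assumptions: the sample XML, the UNI ab1234, the ticket values, the error code INVALID_TICKET and the hostnames portal.example and chat.example are constructed; the https requirement on the PT destination and the allowlist policy are this example's choices, not WIND's.

```python
# Added example, not code from the WIND documentation.  Models the three
# exchanges (validate with wantspgt=1, request a PT with the PGT, validate
# the PT on the target) and the target's proxy-path check.  No network access.
from urllib.parse import urlencode, urlsplit
import xml.etree.ElementTree as ET  # does not fetch external entities; use defusedxml for untrusted input

WIND_NS = "http://www.columbia.edu/acis/rad/authmethods/wind"
WIND_BASE = "https://wind.columbia.edu"


def _tag(local):
    return "{%s}%s" % (WIND_NS, local)


def validation_uri(ticketid, wants_pgt=False):
    """/validate URI for a ticket; urlencode neutralises reserved characters."""
    params = {"wantspgt": "1"} if wants_pgt else {}
    params["ticketid"] = ticketid
    return "%s/validate?%s" % (WIND_BASE, urlencode(params))


def proxy_ticket_request_uri(pgt, destination):
    """/login?pgt=...&destination=... URI for a PT request.  Insisting on an
    https destination is an assumption of this example (the page only requires
    it for the portal's own login destination)."""
    if urlsplit(destination).scheme != "https":
        raise ValueError("destination must be an https URI: %r" % destination)
    return "%s/login?%s" % (WIND_BASE,
                            urlencode({"pgt": pgt, "destination": destination}))


def parse_service_response(xml_text):
    """Parse a <wind:serviceResponse> into a dict with 'kind' and 'ok' keys.
    Anything but exactly one of the four documented child elements raises:
    a validator must fail closed on input it does not recognise."""
    root = ET.fromstring(xml_text)
    if root.tag != _tag("serviceResponse"):
        raise ValueError("unexpected root element %r" % root.tag)
    children = list(root)
    if len(children) != 1:
        raise ValueError("expected exactly one element inside serviceResponse")
    body = children[0]
    if body.tag == _tag("authenticationSuccess"):
        user = (body.findtext(_tag("user")) or "").strip()
        if not user:
            raise ValueError("authenticationSuccess without wind:user")
        path = _tag("proxies") + "/" + _tag("proxy")
        proxies = [p.text.strip() for p in body.iterfind(path) if p.text]
        return {"kind": "authentication", "ok": True, "user": user,
                "pgt": body.findtext(_tag("proxyGrantingTicket")),
                "proxies": proxies}
    if body.tag == _tag("proxySuccess"):
        pt = body.findtext(_tag("proxyTicket"))
        if not pt:
            raise ValueError("proxySuccess without wind:proxyTicket")
        return {"kind": "proxy", "ok": True, "pt": pt}
    if body.tag in (_tag("authenticationFailure"), _tag("proxyFailure")):
        kind = "authentication" if body.tag == _tag("authenticationFailure") else "proxy"
        return {"kind": kind, "ok": False, "code": body.get("code"),
                "message": (body.text or "").strip()}
    raise ValueError("unrecognised response element %r" % body.tag)


def authorize_proxied_login(result, allowed_proxies):
    """Target-side decision: the UNI to trust, or None.  Direct logins (empty
    wind:proxies) pass; proxied logins pass only if every proxy in the path is
    on the target's own allowlist (this example's policy, not WIND's)."""
    if result["kind"] != "authentication" or not result["ok"]:
        return None
    if any(proxy not in allowed_proxies for proxy in result["proxies"]):
        return None
    return result["user"]


# Constructed sample responses (placeholder UNI, tickets and error code).
VALIDATE_WITH_PGT = """<wind:serviceResponse xmlns:wind='%s'>
<wind:authenticationSuccess><wind:user>ab1234</wind:user>
<wind:proxyGrantingTicket>PGT-example</wind:proxyGrantingTicket>
</wind:authenticationSuccess></wind:serviceResponse>""" % WIND_NS
PROXY_OK = """<wind:serviceResponse xmlns:wind='%s'><wind:proxySuccess>
<wind:proxyTicket>PT-example</wind:proxyTicket></wind:proxySuccess>
</wind:serviceResponse>""" % WIND_NS
PT_VALIDATED = """<wind:serviceResponse xmlns:wind='%s'>
<wind:authenticationSuccess><wind:user>ab1234</wind:user>
<wind:proxies><wind:proxy>portal.example</wind:proxy></wind:proxies>
</wind:authenticationSuccess></wind:serviceResponse>""" % WIND_NS
FAILED = """<wind:serviceResponse xmlns:wind='%s'>
<wind:authenticationFailure code="INVALID_TICKET">ticket already used</wind:authenticationFailure>
</wind:serviceResponse>""" % WIND_NS


def walk_proxy_flow(allowed_proxies):
    """Step through the flow over the constructed responses and return the
    URIs each side would call plus the UNI the target ends up trusting."""
    portal_login = parse_service_response(VALIDATE_WITH_PGT)   # step 1: PGT
    pt_request = proxy_ticket_request_uri(portal_login["pgt"],
                                          "https://chat.example/svc")
    issued = parse_service_response(PROXY_OK)                  # step 2: PT
    pt_validation = validation_uri(issued["pt"])               # step 3: target
    outcome = parse_service_response(PT_VALIDATED)
    return {"pt_request": pt_request, "pt_validation": pt_validation,
            "user": authorize_proxied_login(outcome, allowed_proxies)}
```

Calling walk_proxy_flow({"portal.example"}) yields the user ab1234 together with the two URIs a portal and a target would request; with an allowlist that does not name portal.example the same responses yield no user, which is the fail-closed behaviour a target should have when a login arrives through a proxy it has not approved. In a real service the XML strings are replaced by the bodies of the HTTPS responses, and the parser rejects any document that is not exactly one of the four documented shapes.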