MyProxy Integration with Pubcookie
MyProxy supports integration with the Pubcookie web single sign-on system. A Pubcookie application server can use the granting cookie it receives from the Pubcookie login server to authenticate to a MyProxy server on a user's behalf to obtain X.509 credentials.
For additional background, see:
MyProxy Pubcookie support was contributed by the University of Virginia Grid Computing Group.
MyProxy Server Configuration
To enable Pubcookie support in the MyProxy server, set the
As of version 3.3.0, Pubcookie uses AES encryption by default. MyProxy, however, can currently handle only Pubcookie's DES encryption, which can be set on an application server in the Pubcookie section of httpd.conf (or pubcookie.conf below). (See MyProxy Bug 315.)
The application server uses the granting cookie as the MyProxy password. The MyProxy server verifies the login server's signature on the granting cookie and verifies that the username in the granting cookie matches the MyProxy username in the request. For example:
$ cat pubcookie_granting_cookie | myproxy-logon -S
A credential has been received for user jbasney in /tmp/x509up_u25555.
Pubcookie uses authentication plugins called verifiers that can authenticate against external services such as LDAP and Kerberos. The most general of the verifiers, "fork", simply passes the username and password to an external process and bases its authentication decision on the exit value. An exit value of zero passes, and a non-zero exit value fails authentication. For a MyProxy verifier script and installation instructions, click here.
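The following is an added example, not the MyProxy verifier script referred to above and not Pubcookie or MyProxy project code: a fork-style verifier that checks a password against a MyProxy server and reports the decision through its exit value. It assumes the username and password arrive on stdin, one per line; the host name, the MYPROXY_LOGON and MYPROXY_HOST variables and the script name myproxy-fork-verify are placeholders.

```shell
#!/bin/sh
# Added example: fork-style verifier backed by myproxy-logon.
# Assumption: line 1 of stdin is the username, line 2 is the password.
# Adjust the two reads if your fork verifier hands credentials over differently.
MYPROXY_LOGON="${MYPROXY_LOGON:-myproxy-logon}"      # overridable, e.g. for testing
MYPROXY_HOST="${MYPROXY_HOST:-myproxy.example.org}"  # placeholder host name

verify_user() {
    # Credentials come from stdin, never argv (argv is visible in process listings).
    IFS= read -r user || return 2
    IFS= read -r pass || [ -n "$pass" ] || return 2

    # Fail closed: reject empty values, option-like names and unexpected characters.
    case "$user" in
        ''|-*|*[!A-Za-z0-9._-]*) return 3 ;;
    esac
    [ -n "$pass" ] || return 3

    # Write the issued credential to a private scratch directory and discard it.
    tmpdir=$(mktemp -d) || return 4

    # printf is a shell builtin, so the password is only ever written to the pipe.
    if printf '%s\n' "$pass" |
        "$MYPROXY_LOGON" -s "$MYPROXY_HOST" -l "$user" -S -o "$tmpdir/cred" >/dev/null 2>&1
    then rc=0; else rc=1; fi
    rm -rf "$tmpdir"
    return "$rc"    # zero passes, any non-zero value fails authentication
}

# Run only when installed under the (hypothetical) verifier name.
case "${0##*/}" in myproxy-fork-verify) verify_user; exit $? ;; esac
```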