RSA SecurID Web Agent Issue


On 11.03.2006 02:20:02 by Dan Drumm

I have an issue which is partially a security question, and partially a
web programming issue. I have the RSA Authentication Manager 6.1 deployed
and am looking to integrate a Web SSO to it. The web SSO product, however,
is not the RSA SSO product, so a bit of customization must occur.

My issue is that I have been looking at the UNIX agent C API that comes
for Solaris, HPUX and AIX. I am trying to integrate authentication into a
webpage which is a CGI. The back end server process is run like a CGI
program, which is to say that it is invoked by the webserver as a
standalone program, it executes and renders a webpage, then ends. It is
not a mod_ or an ISAPI filter.

When a token enters NEXT_TOKENCODE mode or NEW_PIN mode, I must render a
page then close the socket, kill the pid and most importantly, lose the
authentication handle to the Auth manager. Once that happens, the token's
account is locked by the Auth Manager. I need a way to create persistence
so that the authentication manager can request the next tokencode, and I
can render that to the user and get back the new information and pass it
to the auth manager within the same session.

I've had some trouble communicating this with RSA. They talk about things
like the Web Agent for IIS, or the J2EE web agent, which can be used to
protect web content and seemingly handles next_tokencode mode correctly.
But I'm not a web administrator looking to protect a path, I'm looking to
take authentication information over SSL and do the authentication,
passing the userid and OTP to the Auth Manager, and then set a session
cookie on the browser if it succeeds.

While the actual SSO program is in C, I've written a very simple example
Perl CGI program to work with this problem. I'm going to go look at CPAN
and find out if they have a SecurID module that can handle next tokencode
mode and new pin mode, but I thought I'd stop by here and ask if anybody
has done this before. Seems simple enough. I've been searching sourceforge
and elsewhere, but don't find anyone who acts as an agent host in this
semi-stateless manner. Has anyone solved this problem in an elegant
manner? All tips appreciated.

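One pattern that keeps the challenge conversation alive across separate CGI invocations, as an added example that is not part of the original post or of any RSA product: the CGI hands the credentials to a long-running broker that owns the agent handle, and gets back only an opaque, single-use, expiring transaction id to carry in the NEXT_TOKENCODE or NEW_PIN form instead of the handle itself. The FakeAgentHandle class, the mode constants and the sample credentials are hypothetical stand-ins for the agent library calls, which the post does not quote.

```python
import secrets
import time
# Outcome names modelled on the modes named in the post; they are this
# example's own constants, not identifiers from the RSA agent API.
ACCESS_OK, ACCESS_DENIED = "ok", "denied"
NEXT_TOKENCODE, NEW_PIN = "next_tokencode", "new_pin"

class FakeAgentHandle:
    """Hypothetical stand-in for the agent handle a CGI loses when it exits."""
    def __init__(self, passcode, challenges):
        self.passcode = passcode            # constructed sample credential
        self.challenges = list(challenges)  # e.g. [(NEXT_TOKENCODE, "222222")]

    def check(self, passcode):
        if passcode != self.passcode:
            return ACCESS_DENIED
        return self.challenges[0][0] if self.challenges else ACCESS_OK

    def respond(self, answer):
        mode, expected = self.challenges.pop(0)
        if answer != expected:
            self.challenges.clear()         # a wrong answer ends the conversation
            return ACCESS_DENIED
        return self.challenges[0][0] if self.challenges else ACCESS_OK

class AuthBroker:
    """Long-running owner of handles across CGI runs, addressed by opaque ids."""
    def __init__(self, ttl_seconds=120, clock=time.monotonic):
        self.ttl, self.clock, self.pending = ttl_seconds, clock, {}

    def _register(self, mode, handle):
        txn = secrets.token_urlsafe(32)     # fresh id per step, never reused
        self.pending[txn] = (handle, self.clock() + self.ttl)
        return mode, txn

    def begin(self, passcode, handle):
        result = handle.check(passcode)
        if result in (ACCESS_OK, ACCESS_DENIED):
            return result, None
        return self._register(result, handle)

    def resume(self, txn, answer):
        entry = self.pending.pop(txn, None)  # unknown or already-used id: deny
        if entry is None or entry[1] < self.clock():
            return ACCESS_DENIED, None       # expired conversations are dropped
        result = entry[0].respond(answer)
        if result in (ACCESS_OK, ACCESS_DENIED):
            return result, None
        return self._register(result, entry[0])
```

The broker would run as its own daemon reached over a local socket, so the CGI never holds the handle; the transaction id should be bound to the same TLS session cookie that is issued on ACCESS_OK.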