
How to have SSH authenticate using SAML?

by cmv (Chaplain)
on Jul 30, 2009 at 18:38 UTC (#784698=perlquestion)
cmv has asked for the wisdom of the Perl Monks concerning the following question:

Wise Monks:

I have a product, written in Perl, that uses ssh to do its business. I have a potential customer who has written a SAML-based authentication system. The would-be customer wants me to have my product use their authentication system instead of ssh.

I'm looking for a solution that would require the least amount of work on both our parts. I am hoping to find a way to configure ssh to "just use" SAML for authentication instead-of-or-in-addition-to its other authentication mechanisms.

My first thought is that SAML is similar to Kerberos, and ssh supports Kerberos authentication via the GSSAPIAuthentication option (among others). Now I don't know much about this stuff, but I was wondering if I could have ssh use GSSAPIAuthentication to authenticate with SAML instead of Kerberos?

My research has come up with some interesting results:
  • Using SAML for Platform Security
  • SAML-AAI/Kerberos Integration
  • 2005 Discussion on SAML using GSS-API

I ended up sending an email to Nicolas Williams about this, since he seems to be active in a lot of these discussions.

Can anybody here help me with this? Am I going down a dead-end here? Should I be trying to solve the problem in a different way?

Any thoughts, pointers, or discussion is appreciated.



A co-worker suggested looking into a PAM module to do this (ssh & PAM work great together). I couldn't find a PAM module for SAML, but did find a Java-to-PAM bridge which might let me write the SAML authentication in Java, and connect it up to ssh via PAM.

Then I thought it would be nice to write in Perl instead of Java. Wouldn't you know it: Authen::PAM!

Update 2:
Since Perl also has Net::SAML, shouldn't it be easy to write a Perl module to do this?
