Skip to content

CERN Single Sign On authentication using scripts/programs

Please note that cern-get-sso-cookie has been deprecated in favor of auth-get-sso-cookie.

CERN Single Sign on authentication using scripts/programs

CERN uses Microsoft Active Directory Federation Services (ADFS) for Web Single Sign On (SSO) services. While this method of authentication integrates well with most modern web browsers (Internet Explorer, Firefox, Chrome .. etc), it is not easy to integrate with command line clients alike wget or curl, or any non-interactive web client.

This documentation outlines the setup process allowing curl, wget and other non-interactive web clients to access CERN SSO protected web resources.

While the initial installation of required software is specific to CERN SLC5 and SLC6 Linux distributions, this software can be easily ported to other linux distributions.

Note:This software is SPECIFIC to CERN SSO installation, it will not work - without modifications - with any other MS ADFS installations. (modifications necessary include changing the library AND changing the setup of ADFS installation).

Installation

As root on your SLC5 or SLC6 system run:
# yum install cern-get-sso-cookie
following packages will be installed on your system:
  • CERN SSO authentication cookie grabber (cern-get-sso-cookie)
  • CERN SSO authentication library (perl-WWW-CERNSSO-Auth)
  • Curl perl bindings (perl-WWW-Curl)
  • Kerberos perl bindings (perl-Authen-Krb5)
  • CERN CA certificates (CERN-CA-certs/openssl-CERN-CA-certs)

Usage

cern-get-sso-cookie acquires CERN Single Sign-On cookie using Kerberos credentials or user certificate and stores it in a file for later usage with tools like curl, wget or others - cookie file is stored in Netscape format understood by most web clients.

Kerberos credentials

In order to use this tool with Kerberos credentials a valid CERN Kerberos ticket must be acquired, for example using kinit. To check the valididty of Kerberos credentials please use klist.

Example usage:

cern-get-sso-cookie --krb -r -u https://somesite.web.cern.ch/protected -o ~/private/ssocookie.txt

wget --load-cookies ~/private/ssocookie.txt https://somesite.web.cern.ch/protected/documents

curl -L --cookie ~/private/ssocookie.txt --cookie-jar ~/private/ssocookie.txt \
       https://somesite.web.cern.ch/protected/documents

User certificates

In order to be used with this tool user certificate / key files must be converted to specific formats. In order to do so you may: Acquire your user certificate at CERN Certification Authority, next export it from your web browser as myCert.p12 file (Firefox: Edit->Preferences->Advanced->Encryption->View Certificates->Your Certificates->Backup)

then use following sequence of commands in order to convert it:

openssl pkcs12 -clcerts -nokeys -in myCert.p12 -out ~/private/myCert.pem
openssl pkcs12 -nocerts -in myCert.p12 -out ~/private/myCert.tmp.key
openssl rsa -in ~/private/myCert.tmp.key -out ~/private/myCert.key
rm ~/private/myCert.tmp.key
chmod 644 ~/private/myCert.pem
chmod 400 ~/private/myCert.key
WARNING: openssl rsa.. command removes the passphrase from the private key, please make sure your key file is stored in secure location !

Example usage:

cern-get-sso-cookie --cert ~/private/myCert.pem --key ~/private/myCert.key -r \
                      -u https://somesite.web.cern.ch/protected -o ~/private/ssocookie.txt

curl -L --cookie ~/private/ssocookie.txt --cookie-jar ~/private/ssocookie.txt \
       https://somesite.web.cern.ch/protected/documents

Usage notes

Cookie file is created in a format understood by curl/wget or libcurl-based utilities: If you intend to use cookie file with different cookie handling library please use the --reprocess / -r option. See also man cern-get-sso-cookie.

CERN SSO cookies are created per web site: In order to access protected content on a given site a SSO cookie for that site must be acquired.

CERN SSO cookies expire within 24 hours.

WARNING: Always store cookiefile in a private directory: it can be used by anybody to authenticate to CERN SSO as your account !

Kerberos credentials validity is not checked.

Certificate format is not checked.

Certificate key file can be only RSA encrypted (current libcurl limitation)

Certificate key file can not be password protected.

If URL given to the script is not SSO protected an empty cookie file is created and no error is reported.