Idcheck is a cookie-based authentication mechanism for Apache2 webservers. It is used to restrict access to whole sites or to individual pages. It is a single sign-on mechanism: one login can be configured to cover multiple websites under a single common domain.
Simply request the page you want and enter your username and password in the login form. Complete the form correctly to access the page. Your browser must accept the cookies issued both by the website and by the idcheck server.
Simply close your browser application. Note that this is not sufficient on public-access kiosks (where you cannot close the browser).
Contact Martin Evans (m.d.t.evans-idcheck@qmul.ac.uk); I will attempt to help with bugs.
If you attempt to access a page on a website that requires idcheck authentication, the website will redirect you to an idcheck login form. Entering your username and password installs a cookie in your browser that is used to verify your requests to other webservers, so that you do not have to re-enter your username and password. It also installs a cookie that allows you to access the original page you were after, and redirects you back to it.
Yes, if your site is running Apache2 you can download the source and install it. If you need to set up a server, you will need to run an Apache2 server with mod_perl2. If you are a webmaster in an organisation that already has a central idcheck service, you should only need to install and configure the Apache2 module mod_idcheck.so to enable authenticated access for your site. Talk to the person who runs the idcheck service in your organisation and request their service details.
No (maybe yes), if your site is running IIS or Apache1. However, in principle, the service will work with any webserver that can issue redirects and set cookies, or with any web application that provides the administrator with decent SSO hooks. If your site is in this category it should be possible to write an idcheck client that will work with the central system. I will provide assistance and support for anyone attempting to do this, but (probably) not programming time unless there is a very good reason. Note that we may write/support Tomcat realms ourselves at some point.
If you are running a third-party application (web or otherwise) and are unable to alter it, then you may have some success with mod_fba.
See: http://idcheck.sourceforge.net/
- What restrictions can be placed on websites or parts of websites?
The mechanism can restrict access to departments or to individual usernames, so it is possible to restrict certain pages to a small number of people. This is done with the IdcheckAllowData (department or other attribute) and IdcheckAllowUser (named users) Apache module directives. See the example configuration below.
- Example apache module client configuration?
Here's an example Apache virtual host client configuration. Note that IdcheckCheckUrl below uses plain http: the cookie-verification exchange between this webserver and the idcheck server then travels unencrypted, so use that only where the network path between the two is trusted; otherwise point IdcheckCheckUrl at the https URL as well.
<VirtualHost 123.45.6.80:80>
ServerName www.example.com
DocumentRoot /var/www/html
ErrorLog /var/log/httpd/error_log
CustomLog /var/log/httpd/access_log combined
# Idcheck config
# Where to redirect if access is protected by idcheck
# and the user has no cookies.
IdcheckLoginUrl https://idcheck.example.com/idcheck
# The server that this apache instance uses to verify
# idcheck cookies.
IdcheckCheckUrl http://idcheck.example.com/idcheck
# Permit these URLs without any cookie checks.
IdcheckAllowRequest /robots.txt$ /favicon.ico$
# A protected intranet directory.
<Directory /var/www/html/intranet>
Options Indexes SymLinksIfOwnerMatch IncludesNOEXEC
AllowOverride None
# allow from local subnet (without idcheck)
order deny,allow
allow from {your-ip-ranges}
deny from all
# allow by idcheck cookie for users in "My Department" and
# individual users alice, bob and jim too.
AuthType idcheck
Idcheck on
IdcheckNoAccessBehaviour server
IdcheckAllowData "ldap:unit=My Department"
IdcheckAllowUser alice bob jim
Require valid-user
# allow either.
Satisfy any
</Directory>
</VirtualHost>
- Example idcheck server configuration
Below is an example apache2/mod_perl server configuration.
# SSLed host to handle logins
<VirtualHost 123.45.6.100:443>
include conf/idcheck.include
include conf/ssl.include
LogLevel notice
CustomLog /var/log/idcheck/ssl_access_log combined
ErrorLog /var/log/idcheck/ssl_error_log
SSLCertificateFile cert/idcheck.crt
SSLCertificateKeyFile cert/idcheck.key
SSLCertificateChainFile /cert/chain.crt
</VirtualHost>
# Plain virtual host for non-SSL cookie checking (reduces load; only
# appropriate where the network between the client webservers and this
# host is trusted, since the check traffic is unencrypted)
<VirtualHost 123.45.6.100:80>
include conf/idcheck.include
CustomLog /var/log/idcheck/access_log combined
ErrorLog /var/log/idcheck/error_log
LogLevel notice
</VirtualHost>
The file idcheck.include:
#
# Example configuration file for idcheck cookie authentication server.
#
# Author: Martin Evans <m.d.t.evans@qmul.ac.uk>
#
# Note you will need mod_perl installed.
# LoadModule perl_module modules/mod_perl.so
#
# You will also need to enable it here if you have used -Enable already
# PerlOptions +Enable
#
PerlRequire /var/www/perl/idcheck/startup.pl
Alias /data /var/www/idcheck/data
<Directory /var/www/idcheck/data>
Allow from all
</Directory>
# idcheck server location
<Location /idcheck>
# Make this Location an idcheck cookie server.
SetHandler perl-script
PerlResponseHandler idcheck::server
# where to keep the cookies.
PerlSetVar cookiejar /var/idcheck/cookies
# Define various authenticators.
# syntax is "<scheme> <type> <regex> <options>"
# Authenticate from an ldap server
PerlAddVar auth "ldap0 ldap ^.*$ ldap://localhost ou=people,dc=example,dc=com??sub?(uid=${USERNAME})"
# Authenticate system users by script
PerlAddVar auth "system0 script ^martin$ sudo /usr/bin/idcheck_validate.pl unit=system-user"
# Authenticate by pam
PerlAddVar auth "system1 pam ^martin$ idcheck"
# Authenticate special user "fred" with password "secret".
# (The password is stored in cleartext in this file: use this scheme for
# testing only and keep the file readable by the server user alone.)
PerlAddVar auth "user0 simple ^fred$ fred secret name=Fred unit=wotnot-dept food=cheese"
# the following section can be used to control which client webservers
# see which cookie authentication attributes (data lines).
#
# client definition syntax is: client "<name> <ip_regexp>"
# client data regexp syntax is: client_regexp "<name> <data_regexp>"
#
# it is assumed that general access to the service is done by apache.
#
# allow localhost full access to all attributes
PerlAddVar client "localhost ^127.0.0."
PerlAddVar client_regexp "localhost ^.*"
# allow example.com to see any unit data lines.
PerlAddVar client "examplecom ^123.45.6."
PerlAddVar client_regexp "examplecom ^(.*:unit=.*)"
# allow the world to see only standard parameters
PerlAddVar client "world ^(.*)"
PerlAddVar client_regexp "world ^$"
# Consider these servers as equals (multiple IP addrs) i.e. if an origin
# server session cookie can be checked from IP1 then it can also be
# checked from IP2,IP3 etc.
# Syntax: multi_ip IP1,IP2
# multi_ip IP1,IP3
PerlAddVar multi_ip 123.45.6.1,123.45.6.2
PerlAddVar multi_ip 123.45.6.1,123.45.6.3
# style configuration settings.
PerlSetVar title "Identity Check"
PerlSetVar style /data/idcheck.css
# HTML page fragments (they are fetched internally, not
# linked in, so you need to provide full URLs).
PerlSetVar banner_html http://idcheck.example.com/data/banner_html.txt
PerlSetVar footer_html http://idcheck.example.com/data/footer_html.txt
PerlSetVar form_html http://idcheck.example.com/data/form_html.txt
PerlSetVar logout_html http://idcheck.example.com/data/logout_html.txt
PerlSetVar deny_html http://idcheck.example.com/data/deny_html.txt
# show raw cookie on the info page
# PerlSetVar dump_cookie_in_info 1
# To set a 1 in 20 chance of invoking the garbage collector when
# credentials are verified. This clears out old files from the
# cookie jar.
PerlSetVar garbage_collect_every 20
</Location>
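The following is an added illustrative model, not idcheck's own code, of how the access-control directives above are assumed to be interpreted: the "<scheme> <type> <regex> <options>" auth lines, the client / client_regexp pairs that decide which data lines a verifying webserver may see, the multi_ip equivalence, and the client-side IdcheckAllowUser / IdcheckAllowData decision described under "What restrictions can be placed on websites". The directive values are copied from the example configurations on this page; the DATA lines, the "<type>:<key>=<value>" line format (inferred from the IdcheckAllowData example "ldap:unit=My Department"), first-match client selection, in-order consultation of auth entries and exact-string matching for IdcheckAllowData are all assumptions.

```python
import re

# Directive values copied from the example configurations on this page.
AUTH = [
    "ldap0 ldap ^.*$ ldap://localhost ou=people,dc=example,dc=com??sub?(uid=${USERNAME})",
    "system0 script ^martin$ sudo /usr/bin/idcheck_validate.pl unit=system-user",
    "system1 pam ^martin$ idcheck",
    "user0 simple ^fred$ fred secret name=Fred unit=wotnot-dept food=cheese",
]
CLIENT = ["localhost ^127.0.0.", "examplecom ^123.45.6.", "world ^(.*)"]
CLIENT_REGEXP = ["localhost ^.*", "examplecom ^(.*:unit=.*)", "world ^$"]
MULTI_IP = ["123.45.6.1,123.45.6.2", "123.45.6.1,123.45.6.3"]

# Constructed data lines in the "<type>:<key>=<value>" form suggested by the
# IdcheckAllowData example ("ldap:unit=My Department"); an assumption.
DATA = ["ldap:unit=My Department", "ldap:name=Alice Example", "simple:food=cheese"]


def parse_auth(line):
    """Split "<scheme> <type> <regex> <options>"; options may contain spaces."""
    scheme, kind, regex, options = line.split(None, 3)
    return {"scheme": scheme, "type": kind, "regex": regex, "options": options}


def authenticators_for(username, auth_lines=AUTH):
    """Scheme names whose username regex matches, in configuration order.

    Assumption: entries are consulted in order. In the example config the
    catch-all ldap0 (^.*$) comes first, so it precedes the user-specific
    script/pam/simple entries for "martin" and "fred".
    """
    return [a["scheme"] for a in map(parse_auth, auth_lines)
            if re.search(a["regex"], username)]


def client_for(client_ip, client_lines=CLIENT):
    """Name of the first client entry whose ip_regexp matches client_ip."""
    for line in client_lines:
        name, ip_regexp = line.split(None, 1)
        if re.match(ip_regexp, client_ip):
            return name
    return None


def visible_data(client_ip, data_lines, client_lines=CLIENT,
                 regexp_lines=CLIENT_REGEXP):
    """Data lines the verifying webserver at client_ip is allowed to see."""
    name = client_for(client_ip, client_lines)
    data_regexps = dict(line.split(None, 1) for line in regexp_lines)
    if name is None or name not in data_regexps:
        return []
    return [d for d in data_lines if re.match(data_regexps[name], d)]


def equivalent_ips(ip, multi_ip_lines=MULTI_IP):
    """All addresses tied to ip by multi_ip (closure over shared members):
    a cookie checkable from one of them is checkable from all of them."""
    groups = [set(line.split(",")) for line in multi_ip_lines]
    result = {ip}
    changed = True
    while changed:
        changed = False
        for g in groups:
            if g & result and not g <= result:
                result |= g
                changed = True
    return sorted(result)


def access_allowed(username, data_lines, allow_users, allow_data):
    """Client-side decision modelled on IdcheckAllowUser / IdcheckAllowData:
    allow if the user is listed, or any visible data line equals a listed
    value (assumption: exact match on the "<type>:<key>=<value>" string)."""
    return username in allow_users or any(d in allow_data for d in data_lines)


if __name__ == "__main__":
    # The unescaped dots in "^123.45.6." match any character, so an address
    # such as 123x45y6z is also classed as examplecom; write "^123\.45\.6\."
    # (and anchor the whole address) in a real deployment.
    print(client_for("123x45y6z"))
    print(visible_data("123.45.6.80", DATA))
```

Two things the model makes visible: the client_regexp for "world" is "^$", so a webserver outside the listed ranges sees no data lines at all and an IdcheckAllowData rule on it can never match; and the IP regexps in the example leave their dots unescaped, so they match more addresses than intended.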
- Are there any descriptions of how idcheck works?
There is a rough description of authoritative idcheck2 here.
Also, David Goddard has contributed a diagram which shows the normal operation (for versions >= 2.0.3). It is available in SVG and PDF formats. More diagrams may be available soon.
- How is it licensed?
All code in the distribution is subject to the GPL v2
(see the LICENSE file in the distribution).
- It does/doesn't work for me and I am very cross about it...
Poor you :-(
- It does/doesn't work for me and I have the following patch/suggestion/bug report for you...
:-)
Martin Evans <m.d.t.evans-idcheck@qmul.ac.uk>