[Pidgin] #17070: Implementation of WEBEX-TOKEN SASL support
Pidgin
trac at pidgin.im
Thu Jul 14 18:43:58 EDT 2016
#17070: Implementation of WEBEX-TOKEN SASL support
--------------------+-------------------------------
Reporter: kainz | Owner:
Type: patch | Status: new
Milestone: | Component: libpurple
Version: 2.11.0 | Keywords: webex jabber sasl
--------------------+-------------------------------
Resolves defect #16965

This patch provides a basic implementation of WEBEX-TOKEN SASL auth
support. This is required if you wish to authenticate to a Cisco WebEx
Jabber system that is using Federated SSO.

This works by installing a WEBEX-TOKEN mechanism handler with priority one
higher than cyrus-sasl so that it has a chance to authenticate before
cyrus takes over the whole SASL workflow. (Otherwise, auth-cyrus.c stops
the workflow with a SASL_FAIL because it ends up trying PLAIN first.)

To use after building: from a Cisco Jabber install, look for a
SSOAuthInfoStore.xml file. This should contain a URL on
loginp.webexconnect.com (or the like) specifying a SSO login URL. Once you
go to this with a browser and complete whatever authentication workflow is
needed (I've tested with federated auth to an AD domain, so Kerberos), you
will get an XML stanza back called FederatedSSO.

In that returned stanza, you will need to copy the <jabbertoken> element,
and use that as your password. <screenname> should match your user and
domain elements in your account configuration. Finally, you will want to
use the server in the <xmppjabbercluster> element as your target server to
connect to. I do not recommend using the supplied BOSH URI at this time,
as I haven't gotten that to work. Using regular SSL on 5222 works for me.

Once you have all this, you should be able to log in, add buddies, and
chat. I doubt any video/audio/screenshare functions will work, but I
haven't had an opportunity to test that. Last but not least, after the
<timetolive> (in seconds) expires, you will need to repeat the above
workflow to get a new password.

Future work could be taken to automate all of the above, of course, but I
wanted to get eyes on this proof-of-concept.
--
Ticket URL: <https://developer.pidgin.im/ticket/17070>
Pidgin <https://pidgin.im>
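
The manual steps in the ticket above (copy the token, match the screen name, pick the server, watch the lifetime), sketched as an added example that is not part of the ticket or its patch. The element names come from the ticket; the flat nesting, the lack of an XML namespace, the `user@domain` form of `<screenname>`, the sample values and the helper names are assumptions.

```python
import xml.etree.ElementTree as ET
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone

# Constructed sample. Element names are from the ticket; nesting and values are assumed.
SAMPLE = """<FederatedSSO>
  <screenname>alice@example.com</screenname>
  <jabbertoken>CONSTRUCTED-TOKEN-0000</jabbertoken>
  <xmppjabbercluster>xmpp.example.net</xmppjabbercluster>
  <timetolive>43200</timetolive>
</FederatedSSO>"""

@dataclass
class SsoSettings:
    user: str
    domain: str
    server: str
    port: int
    expires_at: datetime
    token: str = field(repr=False)  # used as the password; keep it out of repr() and logs

def parse_federated_sso(xml_text: str, fetched_at: datetime) -> SsoSettings:
    # The response is expected to be plain XML, so refuse DTD and entity declarations.
    if "<!DOCTYPE" in xml_text or "<!ENTITY" in xml_text:
        raise ValueError("unexpected DTD or entity declaration")
    root = ET.fromstring(xml_text)

    def text(tag: str) -> str:
        el = root.find(f".//{tag}")
        value = (el.text or "").strip() if el is not None else ""
        if not value:
            raise ValueError(f"missing or empty <{tag}>")
        return value

    # Assumption: <screenname> has the form user@domain.
    user, sep, domain = text("screenname").partition("@")
    if not (user and sep and domain):
        raise ValueError("<screenname> is not user@domain")
    ttl = int(text("timetolive"))  # seconds, per the ticket
    if ttl <= 0:
        raise ValueError("<timetolive> must be positive")
    return SsoSettings(user=user, domain=domain, server=text("xmppjabbercluster"),
                       port=5222, expires_at=fetched_at + timedelta(seconds=ttl),
                       token=text("jabbertoken"))

def needs_refresh(s: SsoSettings, now: datetime, margin_s: int = 300) -> bool:
    # True once the token is within margin_s seconds of expiry (margin is an assumed default).
    return now >= s.expires_at - timedelta(seconds=margin_s)

if __name__ == "__main__":
    s = parse_federated_sso(SAMPLE, datetime.now(timezone.utc))
    print(s, "refresh needed:", needs_refresh(s, datetime.now(timezone.utc)))
```

Because the token stands in for the account password until it expires, the dataclass excludes it from `repr()` so that printing or logging the settings does not expose it.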