On Wed, Sep 7, 2011 at 8:15 PM, Matthew Frazier < mlfrazie@ncsu.[redacted] > wrote:

Hey, everyone. I'm sure you're familiar with the WRAP system that is used as a single sign on system at NC State. A problem with WRAP is that it only works on ncsu.edu domains, so I created something to fix that…UnWRAP.

UnWRAP isn't quite single sign on, but it's close. On a site that uses UnWRAP, when the user clicks "Log In," they are bounced to the UnWRAP site (which is currently on people.engr.ncsu.edu - does Short have mod_auth_wrap installed?) with a bunch of query string parameters in their URL (all signed with a secret key using HMAC-SHA-1, of course). UnWRAP checks that they are properly logged in with WRAP, verifies that a legitimate site is requesting their identity, and sends them back to the return URL provided by the original site, with their Unity username and some verification info in the query string.

You can test out UnWRAP and see how it works at http://unwraptest.ep.io/ - I'll release the source to the demo, the Python library I wrote, and UnWRAP itself later once I get everything cleaned up. For now, just tell me what you think of the idea, feel free to ask questions, and let me know if it breaks.

Thanks,
Matthew Frazier
North Carolina State University