On Thu, Jul 17, 2008 at 11:01 AM, Sharad Desai <[EMAIL PROTECTED]> wrote:
> Hello,
>
> Thanks for your responses.
>
>> You may want to search for SPNEGO and mod_auth_kerb. Windows IE and IIS
>> have SPNEGO built in, and can use the Kerberos in Active Directory.
>> Apache can use mod_auth_kerb that supports SPNEGO. With FireFox 2 on any
>> platform see the about:config and the network.negotiate-auth.trusted-uris option.
>
> I would have definitely considered this, but the group that I am working
> with does not want to include AD in any solution.
>
> Also, (I'm not sure how familiar people are with Cosign) since Cosign
> transforms Kerberos authentication to a cookie-based authentication which
> the browsers can use, I was wondering if you have had any experience with
> this.
When trying to determine the right SSO solution for your web applications, it is important to realize that the mode of operation behind solutions that call themselves "SSO" varies tremendously, so you really need to carefully state your requirements.

For example, you mentioned WebAuth and CoSign. Both of these solutions are really targeted at highly heterogeneous environments like university networks where the only client requirement is that the browser support cookies. So it works on the IntrAnet, the IntErnet, on a hostile dormitory network, a kiosk at the airport, ...etc. But if you don't have those requirements, these solutions do have quite a bit of overhead with all the redirecting and, more important, they do not give you true single-sign-on behavior. They're more like "double sign on" because you have to log in to a central server and then get redirected back to the target site.

Then you have "SSO" solutions like OpenID which are really more like "triple sign on" since you have to log in to your workstation, then to the OpenID service, and then put in the OpenID service you're using at the target site. This scenario is really only for the IntErnet where there is no chance of the client and service being members of the same domain.

For a strictly IntrAnet environment, the WWW-Authenticate: Negotiate or NTLMSSP protocols used by IIS, mod_auth_kerb, Plexcel, JCIFS and others are the only true *Single* Sign On solutions where the client's existing credentials are used to transparently authenticate without requiring the user to enter a password. These use either the original WWW-Authenticate: NTLM protocol (obsolete), raw NTLMSSP (rare), raw Kerberos 5 (rarer) or SPNEGO (very common - used to "negotiate" either NTLMSSP or Kerberos 5).

Mike

--
Michael B Allen
PHP Active Directory SPNEGO SSO
http://www.ioplex.com/

________________________________________________
Kerberos mailing list
Kerberos@mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos
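Mike's last paragraph distinguishes bare NTLMSSP, raw Kerberos 5 and SPNEGO tokens carried in the Negotiate header. The following is an added example, not code from this thread or from any of the products named in it: it decodes the initial token a client sends (for instance as logged by a reverse proxy) far enough to tell which mechanism is in use and, for SPNEGO, which mechanisms the client offered, so an administrator expecting Kerberos-only SSO on an intranet can spot clients that are still negotiating NTLM. The DER framing, OIDs and token layout follow RFC 2743 (GSS-API), RFC 4178 (SPNEGO) and RFC 4121 (Kerberos 5 GSS mechanism); the sample tokens at the bottom are constructed, not captured.

```python
import base64
SPNEGO_OID = "1.3.6.1.5.5.2"
MECH_NAMES = {"1.2.840.113554.1.2.2": "Kerberos 5",       # well-known GSS-API mechanism OIDs
              "1.2.840.48018.1.2.2": "MS-Kerberos 5",
              "1.3.6.1.4.1.311.2.2.10": "NTLMSSP"}

def _tlv(buf, pos=0):
    """Read one DER tag-length-value at pos; return (tag, contents, next_pos)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                                     # long-form length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def _oid(body):
    """Decode a DER OID body into dotted notation."""
    arcs, val = [body[0] // 40, body[0] % 40], 0
    for b in body[1:]:
        val = (val << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs, val = arcs + [val], 0
    return ".".join(map(str, arcs))

def classify_negotiate(header_value):
    """Classify 'Negotiate <base64>' as ('NTLMSSP'|'Kerberos'|'SPNEGO'|'unknown', [mechanisms])."""
    raw = base64.b64decode(header_value.split(None, 1)[1])
    if raw.startswith(b"NTLMSSP\x00"):                   # bare NTLMSSP, no GSS-API framing
        return "NTLMSSP", ["NTLMSSP"]
    tag, body, _ = _tlv(raw)
    if tag != 0x60:                                       # GSS-API InitialContextToken
        raise ValueError("not a GSS-API token")
    _, oid_body, pos = _tlv(body)
    mech = _oid(oid_body)
    if mech != SPNEGO_OID:                                # raw mechanism token, e.g. Kerberos 5
        name = MECH_NAMES.get(mech, mech)
        return ("Kerberos" if "Kerberos" in name else "unknown"), [name]
    # SPNEGO: [0] NegTokenInit -> SEQUENCE -> [0] mechTypes -> SEQUENCE OF OID
    oid_list = _tlv(_tlv(_tlv(_tlv(body, pos)[1])[1])[1])[1]
    offered, p = [], 0
    while p < len(oid_list):
        _, ob, p = _tlv(oid_list, p)
        offered.append(MECH_NAMES.get(_oid(ob), _oid(ob)))
    return "SPNEGO", offered

_der = lambda tag, c: bytes([tag, len(c)]) + c           # short-form DER encoder for the samples
# Constructed samples, not captured traffic: SPNEGO offering MS-KRB5, KRB5 and NTLMSSP; a bare NTLMSSP NEGOTIATE; raw Kerberos 5.
_KRB5, _MSKRB5, _NTLM = "2a864886f712010202", "2a864882f712010202", "2b06010401823702020a"
_init = _der(0x30, _der(0xA0, _der(0x30, b"".join(_der(6, bytes.fromhex(h)) for h in (_MSKRB5, _KRB5, _NTLM))))
             + _der(0xA2, _der(4, b"<ap-req placeholder>")))
SAMPLE_SPNEGO = "Negotiate " + base64.b64encode(_der(0x60, _der(6, bytes.fromhex("2b0601050502")) + _der(0xA0, _init))).decode()
SAMPLE_NTLM = "Negotiate " + base64.b64encode(b"NTLMSSP\x00\x01\x00\x00\x00" + bytes(28)).decode()
SAMPLE_KRB5 = "Negotiate " + base64.b64encode(_der(0x60, _der(6, bytes.fromhex(_KRB5)) + b"\x01\x00<ap-req placeholder>")).decode()
```

A client whose SPNEGO token lists NTLMSSP first, or that sends a bare NTLMSSP token, is not doing Kerberos SSO, which is the usual symptom of a missing SPN or a host not in the browser's trusted-URI list.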