Microsoft has included the ability for web servers and web browsers (as long as they are IIS and IE) to
do secure single sign-on authentication using Kerberos tickets since the introduction of Windows 2000.
The Unix world seems to finally be catching up. Mozilla 1.7 has
the necessary authentication support to respond to the authentication request sent by the server.
As long as the user already has a Kerberos ticket (TGT) and the client system is configured to talk
to the correct KDC, the browser should be able to exchange the SSO credentials securely, just
as Internet Explorer does. There are also GSSAPI authentication plugins available for the
Apache web server, so that Unix servers can participate.
What's the benefit? It is no longer necessary to constantly re-enter
username/password combinations when accessing secure web sites. The authentication exchange
happens without user intervention and access is either granted or denied automatically,
depending on the authorization policy of the site being accessed. The data exchanged is
not replayable by someone who snoops it, as the GSSAPI and Kerberos authentication protocols
have built-in replay protection. Additionally, it is highly recommended that the
authentication exchange be protected by SSL.
Mostly this is useful for intranet applications (as opposed to internet) - think of all the
internal websites that your company may offer and the various usernames/passwords you have
to enter when accessing these resources. By implementing web-based SSO, the need for all
of these name/password forms would be eliminated, and people would no longer have to remember lots of
different passwords or re-use the same password all over the place.
Solaris 10 (try it today!)
has all of the pieces needed to do web-based SSO - Kerberos, GSSAPI, SPNEGO, Mozilla, and Apache.
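As an added illustration (not from the original post), here is what the Apache side of that setup looks like when the GSSAPI plugin in use is mod_auth_kerb; the realm, keytab path, and hostname are assumed placeholders, and SSLRequireSSL enforces the recommendation above that the Negotiate exchange only happen over SSL.

```apache
# Assumed: mod_auth_kerb and mod_ssl are loaded; EXAMPLE.COM, the keytab path
# and the hostname are placeholders for the local environment.
<Location /intranet>
    # Refuse the exchange entirely unless the request arrived over SSL,
    # so the SPNEGO token never travels in the clear.
    SSLRequireSSL

    AuthType Kerberos
    AuthName "Intranet SSO"

    # Accept the browser's SPNEGO/Negotiate token ...
    KrbMethodNegotiate On
    # ... but never fall back to prompting for a Kerberos password in a form.
    KrbMethodK5Passwd Off

    # The service principal the browser will request a ticket for:
    # HTTP/www.example.com@EXAMPLE.COM, whose key lives in this keytab.
    KrbServiceName HTTP
    KrbAuthRealms EXAMPLE.COM
    Krb5Keytab /etc/apache2/http.keytab

    # Authorization is still decided here; a valid ticket is not a grant by itself.
    Require valid-user
</Location>
```

On the Mozilla side the browser only answers a Negotiate challenge for hosts listed in the network.negotiate-auth.trusted-uris preference, so that list should name the intranet servers (e.g. https://www.example.com) rather than a bare wildcard.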