Wednesday Jun 30, 2004

VPN Single Sign On

Juniper has introduced a single-sign on VPN product, according to news.com.

They are using SAML and SSL and are calling it an "SSL VPN" with single sign-on. I'm wondering just what this really means.

It's not an IPsec VPN; it claims to be an application-layer, SSL-based VPN. Hmmm, I'm curious to see details on this. Does the SSO extend inside the network to things like mail servers, LDAP directory access, host access (via rlogin, ssh, telnet), FTP servers? Or does it just cover basic stuff that is already SAML-enabled?

Anyone with a clue: drop a comment below and help me fill in the blanks.

Friday Jun 25, 2004

SingleSignOn for the Web

Microsoft has included the ability for web servers and web browsers (as long as they are IIS and IE) to do secure single sign-on authentication using Kerberos tickets since the introduction of Windows 2000.

The Unix world seems to finally be catching up. Mozilla 1.7 has the necessary authentication support to respond to the Negotiate (SPNEGO) authentication challenge sent by the server. As long as the user already has a Kerberos ticket (TGT) and the client system is configured to talk to the correct KDC, the browser can obtain a service ticket for the web server and exchange the SSO credentials securely, just as Internet Explorer does. There are also GSSAPI authentication plugins available for the Apache web server so that Unix servers can participate.

What's the benefit? It is no longer necessary to constantly re-enter username/password combinations when accessing secure web sites. The authentication exchange happens without user intervention, and access is either granted or denied automatically, depending on the authorization policy of the site being accessed. The data exchanged is not replayable by someone who snoops it, as the GSSAPI and Kerberos authentication protocols have built-in replay protection (the Kerberos authenticator carries a timestamp and the server keeps a replay cache). That protection covers only the authentication token itself, not the HTTP requests and responses around it or any session cookie the site issues afterwards, so it is still highly recommended that the whole exchange be protected by SSL.

Mostly this is useful for intranet applications (as opposed to internet): think of all the internal websites that your company may offer and the various username/passwords you have to enter when accessing these resources. By implementing web-based SSO, all of these name/password forms would be eliminated, and people would not have to remember lots of different passwords or re-use the same password all over the place.

Solaris 10 (try it today!) has all of the pieces needed to do web-based SSO: Kerberos, GSSAPI, SPNEGO, Mozilla, and Apache.
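As an added example (not code from the original post, and not Mozilla's or Apache's own implementation), the following Python models what actually crosses the wire in the exchange described above: the server's 401 with a bare "WWW-Authenticate: Negotiate", the browser's base64 "Authorization: Negotiate ..." reply, and the GSS-API/SPNEGO DER wrapper (RFC 2743 section 3.1, RFC 4178) around the Kerberos mechanism token. No KDC is contacted and no ticket is verified; the AP-REQ is a constructed placeholder, and the "server" only unwraps the SPNEGO framing and checks that a Kerberos mechanism was offered. The OIDs are the real registered values; everything else (header names aside) is illustrative.

```python
# Added example: a self-contained model of HTTP "Negotiate" (SPNEGO) framing as
# used for Kerberos web SSO. No KDC, no real ticket; the AP-REQ is constructed.
import base64

SPNEGO_OID = "1.3.6.1.5.5.2"           # GSS-API SPNEGO pseudo-mechanism
KRB5_OID = "1.2.840.113554.1.2.2"      # Kerberos V5 GSS-API mechanism
MS_KRB5_OID = "1.2.840.48018.1.2.2"    # Microsoft's legacy Kerberos OID


def der(tag, content):
    """Wrap content in a DER TLV with a definite length."""
    n = len(content)
    if n < 0x80:
        length = bytes([n])
    else:
        lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
        length = bytes([0x80 | len(lb)]) + lb
    return bytes([tag]) + length + content


def encode_oid(dotted):
    """Dotted OID string -> DER OBJECT IDENTIFIER (base-128 arcs)."""
    parts = [int(p) for p in dotted.split(".")]
    body = bytes([40 * parts[0] + parts[1]])
    for p in parts[2:]:
        chunk = [p & 0x7F]
        p >>= 7
        while p:
            chunk.append(0x80 | (p & 0x7F))
            p >>= 7
        body += bytes(reversed(chunk))
    return der(0x06, body)


def decode_oid(body):
    """DER OID content bytes -> dotted string."""
    parts, val = [body[0] // 40, body[0] % 40], 0
    for b in body[1:]:
        val = (val << 7) | (b & 0x7F)
        if not b & 0x80:
            parts.append(val)
            val = 0
    return ".".join(str(p) for p in parts)


def read_tlv(buf, pos=0):
    """Return (tag, content, end_offset) for the TLV starting at pos."""
    if len(buf) < pos + 2:
        raise ValueError("truncated DER header")
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    end = pos + length
    if end > len(buf):
        raise ValueError("truncated DER element")
    return tag, buf[pos:end], end


def expect(buf, tag):
    """Parse buf as exactly one TLV with the given tag; return its content."""
    t, content, end = read_tlv(buf)
    if t != tag or end != len(buf):
        raise ValueError("expected a single element with tag 0x%02x" % tag)
    return content


def build_neg_token_init(mech_token, mech_oid=KRB5_OID):
    """Client side: wrap a mechanism token (Kerberos AP-REQ) as SPNEGO NegTokenInit."""
    mech_types = der(0xA0, der(0x30, encode_oid(mech_oid)))   # [0] mechTypes
    mech_tok = der(0xA2, der(0x04, mech_token))               # [2] mechToken
    neg_init = der(0xA0, der(0x30, mech_types + mech_tok))    # [0] negTokenInit
    return der(0x60, encode_oid(SPNEGO_OID) + neg_init)       # [APPLICATION 0] initial token


def parse_neg_token_init(token):
    """Server side: return (mech_oids, mech_token) from an initial SPNEGO token."""
    inner = expect(token, 0x60)
    t, oid, pos = read_tlv(inner)
    if t != 0x06 or decode_oid(oid) != SPNEGO_OID:
        raise ValueError("not a SPNEGO initial context token")
    seq = expect(expect(inner[pos:], 0xA0), 0x30)
    mechs, mech_token, pos = [], None, 0
    while pos < len(seq):
        t, content, pos = read_tlv(seq, pos)
        if t == 0xA0:                                   # mechTypes
            lst, p = expect(content, 0x30), 0
            while p < len(lst):
                ot, ob, p = read_tlv(lst, p)
                if ot != 0x06:
                    raise ValueError("mechTypes entry is not an OID")
                mechs.append(decode_oid(ob))
        elif t == 0xA2:                                 # mechToken
            mech_token = expect(content, 0x04)
        # [1] reqFlags and [3] mechListMIC are not modelled here
    if mech_token is None:
        raise ValueError("NegTokenInit carries no mechToken")
    return mechs, mech_token


def server_challenge():
    """First reply to a request with no usable credentials: 401 + bare scheme."""
    return 401, {"WWW-Authenticate": "Negotiate"}


def client_authorization(gss_token):
    """Header the browser sends after the Negotiate challenge."""
    return {"Authorization": "Negotiate " + base64.b64encode(gss_token).decode()}


def server_accept(headers, accepted=(KRB5_OID, MS_KRB5_OID)):
    """Returns (status, headers, mechs, mech_token). A real server would now pass
    mech_token to GSS accept_sec_context with its HTTP/host keytab; that step and
    the Kerberos replay cache are where the ticket is verified. Here it is only unwrapped."""
    scheme, _, b64 = headers.get("Authorization", "").partition(" ")
    if scheme != "Negotiate" or not b64:
        return server_challenge() + ([], None)
    try:
        mechs, mech_token = parse_neg_token_init(base64.b64decode(b64))
    except ValueError:
        return server_challenge() + ([], None)
    if not any(m in accepted for m in mechs):
        return server_challenge() + (mechs, None)      # e.g. NTLM offered, not Kerberos
    return 200, {}, mechs, mech_token


# Constructed placeholder standing in for the real Kerberos AP-REQ (hypothetical host).
FAKE_AP_REQ = b"<constructed AP-REQ for HTTP/intranet.example.com>"

if __name__ == "__main__":
    print("1.", server_challenge())
    reply = client_authorization(build_neg_token_init(FAKE_AP_REQ))
    print("2.", reply)
    print("3.", server_accept(reply)[:3])
```

The interesting failure mode is the last branch of server_accept: a browser that lacks a TGT, or that is not configured to trust the site, will typically offer NTLM inside the same Negotiate wrapper, and a server that accepts any offered mechanism silently loses the Kerberos guarantees the post relies on, so the mechanism list is checked before the token is trusted.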

About

wyllys
