SingleSignOn for the Web
By wyllys on Jun 25, 2004
Microsoft has included the ability for web servers and web browsers (as long as they are IIS and IE) to do secure single sign-on authentication using Kerberos tickets since the introduction of Windows 2000.
The Unix world seems to finally be catching up. Mozilla 1.7 has the necessary authentication support to respond to the authentication request sent by the server. As long as the user already has a Kerberos ticket (TGT) and the client system is configured to talk to the correct KDC, the browser should be able to exchange the SSO credentials securely, just as Internet Explorer does. There are also GSSAPI authentication plugins available for the Apache web server so that Unix servers can participate.
What's the benefit? The benefit is that it is no longer necessary to keep re-entering username/password combinations when accessing secure web sites. The authentication exchange happens without user intervention, and access is either granted or denied automatically, depending on the authorization policy of the site being accessed. The data exchanged is not replayable by someone who snoops it, as the GSSAPI and Kerberos authentication protocols have built-in replay protection. Additionally, it is highly recommended that the authentication exchange be protected by SSL.
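As an added example (not part of the original post, and not code from Mozilla, Apache or Solaris), here is the server side of the HTTP Negotiate exchange in Python: the 401 challenge, then a check of which GSS-API mechanism the browser's token actually carries before it would be handed to gss_accept_sec_context(). The check matters because the same Negotiate header can carry a raw NTLM token from Internet Explorer when no Kerberos ticket is available. The tokens built here are constructed framing only, not real tickets, and the function and header names are assumptions.

```python
import base64

SPNEGO_OID = bytes.fromhex("2b0601050502")        # 1.3.6.1.5.5.2 in DER
KRB5_OID = bytes.fromhex("2a864886f712010202")    # 1.2.840.113554.1.2.2 in DER

def _der_len_decode(buf, i):  # DER length at buf[i] -> (length, index after it)
    first = buf[i]
    if first < 0x80:
        return first, i + 1
    n = first & 0x7F
    return int.from_bytes(buf[i + 1:i + 1 + n], "big"), i + 1 + n

def make_gss_token(mech_oid, inner):  # constructed sample only (<128 bytes), not a real ticket
    payload = b"\x06" + bytes([len(mech_oid)]) + mech_oid + inner
    return b"\x60" + bytes([len(payload)]) + payload

def negotiate_header(tok):  # what the browser sends back in the Authorization header
    return "Negotiate " + base64.b64encode(tok).decode("ascii")

def classify_negotiate_token(authz_header):
    """Identify the mechanism carried by an 'Authorization: Negotiate <base64>' value."""
    scheme, _, b64 = authz_header.strip().partition(" ")
    try:
        tok = base64.b64decode(b64.strip(), validate=True)
    except ValueError:            # binascii.Error is a ValueError subclass
        tok = b""
    if scheme.lower() != "negotiate" or not tok:
        return "malformed"
    if tok.startswith(b"NTLMSSP\x00"):   # raw NTLM fallback sent under the Negotiate scheme
        return "ntlm"
    try:                                  # RFC 2743 framing: 0x60 len 0x06 len <mech OID> ...
        if tok[0] != 0x60:
            return "unknown"
        _, i = _der_len_decode(tok, 1)
        if tok[i] != 0x06:
            return "unknown"
        oid_len, i = _der_len_decode(tok, i + 1)
    except IndexError:
        return "unknown"
    return {SPNEGO_OID: "spnego", KRB5_OID: "kerberos"}.get(tok[i:i + oid_len], "unknown")

def handle_request(headers):
    """Server side: challenge first, then admit only Kerberos-capable tokens."""
    authz = headers.get("Authorization")
    kind = classify_negotiate_token(authz) if authz else "none"
    if kind in ("spnego", "kerberos"):
        return 200, {"X-Auth-Mech": kind}  # a real server would now call gss_accept_sec_context()
    return 401, {"WWW-Authenticate": "Negotiate"}
```

A real deployment lets the GSSAPI library validate the ticket; the mechanism check only lets the server log or refuse a silent downgrade away from Kerberos.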
Mostly this is useful for intranet applications (as opposed to Internet ones) - think of all the internal websites that your company may offer and the various usernames/passwords you have to enter when accessing these resources. By implementing web-based SSO, the need for all of these name/password forms would be eliminated, and people wouldn't have to remember lots of different passwords or re-use the same password all over the place.
Solaris 10 (try it today! ) has all of the pieces needed to do web-based SSO - Kerberos, GSSAPI, SPNEGO, Mozilla, and Apache.