OASIS Mailing List Archives

security-services message


Subject: RE: [security-services] RE: AuthenticationMethod / NameIdentifier and Kerberos authentication

> Do you mean the "kerberos user" quite blatantly gives his kerberos name
> AND PASSWORD to the web server? And then the web server gets the TGT from
> the KDC AS service in the name of the kerberos user?

Sure, that's how the vast majority of web SSO systems work if the
authentication source is Kerberos. Obviously Kerberos is fairly incidental
in that environment; a password database is just as good (or bad).

Ideally that traffic is confined to a single trusted server that doesn't
host applications, just the weblogin process. In practice, people do
basic-auth over SSL to Kerberos all over, all the time.

-- Scott
