
Re: SSO possible with web apps?



Milan Andric wrote:
In HTTP authentication there is something called realms that helps with
this problem. I don't know how it applies to various applications though,
and is probably independent of openldap?

A web server can be configured to use an LDAP server for all authentication, but if a user authenticates to the web server that does not mean that calls to the directory server initiated by a web application will be passed under the authority of those credentials. In general, web applications only have access to the identity of the user after authenticating to a web server, but not the password (I'd be interested to know of any exceptions).


It is possible within the application layer to store authentication credentials (not recommended) or authenticated connections to the directory for all subsequent actions in a session. You can even pool authenticated connections and pass them out to disparate processes, but then security is a bigger consideration that's pushed out to the level of application details.

If you want to control who can access the web application, use web server authentication. If you want to perform lots of functions through web applications, you will no doubt be authenticating to one or all of them. You can do both, which I guess is at best DSO :)

I don't currently support SSO in my own gateway

http://www.mentata.com/ldaphttp/sdd/

since I wanted it to be a natural conduit between asynchronous http and ldap, but there is nothing in my software framework that would preclude you from doing so and a lot to make it easy. The requirement is on my horizon, for sure.

Jon Roberts
www.mentata.com
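The pattern the reply describes (the web server's authentication yields only an identity such as REMOTE_USER, while directory work under the user's authority needs a per-session authenticated connection, kept instead of the password) as an added example that is not part of the original thread; the in-memory directory, the BoundConnection API, the session TTL and the X-Session-Id header are constructed stand-ins, not a real LDAP client.

```python
import time
import secrets

# Constructed sample directory (DN -> (password, attrs)); stands in for a real LDAP server.
FAKE_DIRECTORY = {"uid=alice,ou=people,dc=example,dc=com": ("alice-pw", {"mail": "alice@example.com"})}

class BoundConnection:   # stand-in for a connection already bound as one user (hypothetical API)
    def __init__(self, dn):
        self.dn, self.open = dn, True
    def whoami(self):          # a directory call made under the bound user's authority
        if not self.open:
            raise RuntimeError("connection already unbound")
        return self.dn
    def unbind(self):
        self.open = False

def simple_bind(dn, password):
    """Bind once; the password is verified here and never retained anywhere."""
    entry = FAKE_DIRECTORY.get(dn)
    if entry is None or not secrets.compare_digest(entry[0], password):
        return None
    return BoundConnection(dn)

class SessionConnections:
    """Session id -> (bound connection, expiry). Only the handle is kept, not credentials."""
    def __init__(self, ttl_seconds=900, clock=time.monotonic):
        self.ttl, self.clock, self._store = ttl_seconds, clock, {}
    def login(self, dn, password):
        conn = simple_bind(dn, password)
        if conn is None:
            return None
        sid = secrets.token_urlsafe(16)   # unguessable session id
        self._store[sid] = (conn, self.clock() + self.ttl)
        return sid
    def connection_for(self, sid):
        """Bound connection for the session, or None if unknown/expired (expired ones are unbound)."""
        conn, expires = self._store.get(sid, (None, 0))
        if conn is not None and self.clock() >= expires:
            self.logout(sid)
            conn = None
        return conn
    def logout(self, sid):
        conn, _ = self._store.pop(sid, (None, 0))
        if conn is not None:
            conn.unbind()

def app_view(environ, sessions):
    """REMOTE_USER (set by web-server auth) is identity only; the bound connection is separate."""
    conn = sessions.connection_for(environ.get("HTTP_X_SESSION_ID", ""))
    return {"identity": environ.get("REMOTE_USER"), "bound_as": conn.whoami() if conn else None}
```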