[Date Prev][Date Next] [Chronological] [Thread] [Top]

Re: SSO possible with web apps?

Milan Andric wrote:
in http authentication there is something called realms that helps with
this problem. i don't know how it applies to various applications though,
and is probably independent of openldap?

A web server can be configured to use an LDAP server for all authentication, but if a user authenticates to the web server that does not mean that calls to the directory server initiated by a web application will be passed under the authority of those credentials. It general, web applications only have access to the identity of the user after authenticating to a web server, but not the password (I'd be interested to know of any exceptions).

It is possible within the application layer to store authentication credentials (not recommended) or authenticated connections to the directory for all subsequent actions in a session. You can even pool authenticated connections and pass them out to disparate processes, but then security is a bigger consideration that's pushed out to the level of application details.

If you want to control who can access the web application, use web server authentication. If you want to perform lots of functions through web applications, you will no doubt be authenticating to one or all of them. You can do both, which I guess is at best DSO :)

I don't currently support SSO in my own gateway


since I wanted it to be a natural conduit between asynchronous http and ldap, but there is nothing in my software framework that would preclude you from doing so and a lot to make it easy. The requirement is on my horizon, for sure.

Jon Roberts