Re: SSO possible with web apps?
Milan Andric wrote:
> In HTTP authentication there is something called realms that helps with
> this problem. I don't know how it applies to various applications though,
> and is probably independent of OpenLDAP?
A web server can be configured to use an LDAP server for all
authentication, but if a user authenticates to the web server that does
not mean that calls to the directory server initiated by a web
application will be passed under the authority of those credentials. In
general, web applications only have access to the identity of the user
after authenticating to a web server, but not the password (I'd be
interested to know of any exceptions).
It is possible within the application layer to store authentication
credentials (not recommended) or authenticated connections to the
directory for all subsequent actions in a session. You can even pool
authenticated connections and pass them out to disparate processes, but
then security is a bigger consideration that's pushed out to the level
of application details.
If you want to control who can access the web application, use web
server authentication. If you want to perform lots of functions through
web applications, you will no doubt be authenticating to one or all of
them. You can do both, which I guess is at best DSO :)
I don't currently support SSO in my own gateway
http://www.mentata.com/ldaphttp/sdd/
since I wanted it to be a natural conduit between asynchronous http and
ldap, but there is nothing in my software framework that would preclude
you from doing so and a lot to make it easy. The requirement is on my
horizon, for sure.
Jon Roberts
www.mentata.com
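
The session-scoped store of authenticated directory connections mentioned in the reply above, sketched as an added example that is not part of the original post or of the author's gateway. `FakeDirectoryConnection`, `SessionConnectionStore` and the timeout value are hypothetical names and settings; the fake connection stands in for a real LDAP connection that has already been bound as the user, so no password is kept.

```python
import secrets
import time


class FakeDirectoryConnection:
    """Constructed stand-in for an LDAP connection already bound as one user."""

    def __init__(self, bound_dn):
        self.bound_dn = bound_dn
        self.open = True

    def unbind(self):
        self.open = False


class SessionConnectionStore:
    """Holds one authenticated connection per web session, never the password."""

    def __init__(self, idle_timeout=900, clock=time.monotonic):
        self._idle_timeout = idle_timeout
        self._clock = clock
        self._entries = {}  # session token -> (connection, last-used time)

    def register(self, conn):
        # Unguessable token; only the session holding it can reach the connection.
        token = secrets.token_urlsafe(32)
        self._entries[token] = (conn, self._clock())
        return token

    def get(self, token):
        entry = self._entries.get(token)
        if entry is None:
            return None
        conn, last_used = entry
        if self._clock() - last_used > self._idle_timeout:
            self.close(token)  # idle too long: drop the bound connection
            return None
        self._entries[token] = (conn, self._clock())
        return conn

    def close(self, token):
        # Called on logout or expiry so the bind does not outlive the session.
        entry = self._entries.pop(token, None)
        if entry is not None:
            entry[0].unbind()
```
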