Seamless Single Signon

Troy Benjegerdes hozer at hozed.org
Fri May 20 09:12:55 PDT 2005


On Fri, May 20, 2005 at 08:23:52AM -0400, Sam Ruby wrote:
> I've seen greasemonkey and bookmarklets mentioned in this mailing list, 
> but only in the context of pre-filling in fields and the like.
> 
> So much more is possible.  Much more.

Before everyone gets too excited about re-inventing the wheel, and adding
*new* browser plugins/whatever, I'd like for more people to have looked
at and understood the existing browser-based auth mechanisms that
support single sign-on. I'm thinking of the HTTP 'negotiate' auth
protocol, otherwise known as SPNEGO.

http://www.mozilla.org/projects/netlib/integrated-auth.html

This is supported in both Mozilla and IE. However, the really big
problem here is that the backend (in this case usually Kerberos) doesn't
have a particularly good model for cross-realm identification.

However, if a reasonable way to manage internet-wide cross-realm
kerberos can be dealt with, not only could it solve the "logging into 12
websites every day is lame" problem, but the "logging into 12 different
computers every day is lame" problem.

Realistically, this is probably just a blue-sky pipe dream, and we'll
probably have one solution (openid) for web apps, and another system
auth. But the problems both of these systems are trying to solve are
relatively similar.

More Kerberos info, and a good background on identity:

http://www.isi.edu/gost/brian/security/kerberos.html#whatitdoes


More information about the yadis mailing list