Which handler LDAP SSO - NOW kerberos integration

Douglas E Engert deengert at gmail.com
Wed Nov 19 15:08:31 EST 2014



On 11/19/2014 11:18 AM, Cantor, Scott wrote:
> On 11/19/14, 4:21 PM, "Morris, Andi" <amorris at cardiffmet.ac.uk> wrote:
>
>> It's very surprising to me that there isn't a more "out of the box"
>> solution for integrated Kerberos login with Shibboleth. I do appreciate
>> the open source nature of the software however.
>
> Use of desktop authentication on the web is very uncommon and is
> half-baked, with untenable error handling behavior, and operates with
> assumptions that don't hold in any large campus environments.

When 95% of your users have already logged in to Windows AD and 95% of the web sites that use
SAML are applications outsourced to the cloud, using desktop authentication
makes a lot of sense.

The patch to the kerberos-login-handler addressed what I
would have called an error handling problem. If the "WWW-Authenticate"
looked like it was looping, the applet would call flushResponse. The
patch allowed the kerberos-login.inc.jsp to detect this and turn off autologin,
and give the user another chance at a different type of login.

Unfortunately the SWITCH people did not do anything with the patch.

> If it were
> clean and failed gracefully, there would be more support for it. As it is,
> it's a mini-project to come up with anything tenable, and whatever we did
> would meet only a subset of environments' requirements.
>
> Compare that to a form that accepts passwords.

At my former employer's site, a single login page gave the user choices between
using user/password, or "Advanced Log In Methods". These advanced methods were
X509 (either smart cards, or Windows AutoEnroll certificates) or "Integrated Log In"
i.e. the Kerberos-Login-Handler. With a checkbox a user could set the autologin cookie
to start with "Integrated Log In" the next time, avoiding the login page in the future.
The patch to the Kerberos-Login-Handler would turn off the
autologin if it failed.

I believe this patch and combined login.jsp got around many of the issues you are referring to.

>
> Add in that using desktop authentication makes web logout even more
> impossible than it already is (and yet people still ask for it), and it
> renders features like forced authentication impossible. There are reasons
> why it doesn't fit well.
>
> -- Scott
>

-- 

  Douglas E. Engert  <DEEngert at gmail.com>
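The fallback behaviour described in this message (detect a looping "Negotiate" challenge, clear the autologin cookie, send the user back to the chooser page) sketched as a servlet-style guard. This is an added example, not the SWITCH handler's or the poster's code; the cookie name, session attribute name, fallback path and challenge limit are assumptions.

```java
import javax.servlet.http.Cookie;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;
import java.io.IOException;

/**
 * Hypothetical guard in front of a SPNEGO ("Negotiate") login page.
 * It counts WWW-Authenticate round-trips per session; when the browser keeps
 * returning without a usable Kerberos token it disables autologin and redirects
 * to the password / X.509 chooser instead of challenging forever.
 */
public final class NegotiateFallbackGuard {
    static final String AUTOLOGIN_COOKIE = "autologin";        // assumed cookie name
    static final String ATTEMPTS_ATTR = "negotiate.attempts";  // assumed session attribute
    static final int MAX_CHALLENGES = 2;                       // assumed limit
    static final String FALLBACK_PAGE = "/idp/Authn/UserPassword"; // assumed path

    /** Returns true only when a Kerberos SPNEGO token is present and may be validated. */
    public static boolean challengeOrFallBack(HttpServletRequest req,
                                              HttpServletResponse resp) throws IOException {
        HttpSession session = req.getSession(true);
        String authz = req.getHeader("Authorization");
        // "TlRMTVNT" is base64("NTLMSS"): a browser answering with NTLM instead of
        // Kerberos is a classic cause of the 401 loop, so it counts as a failed try.
        if (authz != null && authz.startsWith("Negotiate ")
                && !authz.startsWith("Negotiate TlRMTVNT")) {
            session.removeAttribute(ATTEMPTS_ATTR);
            return true; // hand the token to the GSS-API validator
        }
        Integer prev = (Integer) session.getAttribute(ATTEMPTS_ATTR);
        int attempts = prev == null ? 0 : prev;
        if (attempts >= MAX_CHALLENGES) {
            // Looping: expire the autologin cookie so the chooser is shown next time too.
            Cookie off = new Cookie(AUTOLOGIN_COOKIE, "");
            off.setMaxAge(0);
            off.setPath("/");
            off.setSecure(true);
            off.setHttpOnly(true);
            resp.addCookie(off);
            session.removeAttribute(ATTEMPTS_ATTR);
            resp.sendRedirect(FALLBACK_PAGE + "?negotiate=failed");
            return false;
        }
        session.setAttribute(ATTEMPTS_ATTR, attempts + 1);
        resp.setStatus(HttpServletResponse.SC_UNAUTHORIZED);
        resp.setHeader("WWW-Authenticate", "Negotiate");
        return false;
    }
}
```

The caller validates the token only when this returns true; on false the response has already been written, either a fresh 401 challenge or the redirect to the chooser.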