Cross Browser SSO?
Harald Strack
hstrack at ssystems.de
Thu May 9 04:59:19 EDT 2019
Hi Scott,
thank you for the quick answer!
>
>> Has anyone ever tried to accomplish such a workflow? In short: is there
>> a decent way to achieve a SSO between two browsers or a rich client
>> application and a browser?
>
> That's what SPNEGO is, desktop authentication.
Yes, we already implemented SPNEGO on the Shibboleth IdP in AD
environments; this would work. Great feature for on-campus SSO. However,
in our case there will be no Kerberos available, so we are thinking about
a more general solution. Let me try to explain another possible (?)
approach based on token authentication in a slightly more precise way:
1) The user authenticates in any browser or via ECP and the application
behind the SP issues a JSON Web Token
2) This token will be saved on the client workstation
3) Then, in the second browser we call a URL like
https://app.any.where?token=<token>; this URL is Shibboleth
protected, on another SP
4) As described in
https://wiki.shibboleth.net/confluence/display/SHIB2/NativeSPSessionCreationParameters
we set a template for the AuthnRequest that contains the JSON Web Token
(example available?)
5) The SP initiates in the second browser an SSO with
authnContextClassRef "jsonwebtoken"
6) On the IdP we implement an External Login Flow or Function
(https://wiki.shibboleth.net/confluence/display/IDP30/FunctionAuthnConfiguration,
examples available?) that handles the specific authnContextClassRef
7) The Implementation of this Login Flow will verify the token from the
AuthnRequest and log the user in
Voila, SSO accomplished. What do you think? Would this be a decent
working architecture or should we avoid such a solution?
br
Harald
--
Harald Strack
Managing Director
ssystems GmbH
Kastanienallee 32
10435 Berlin
Tel: +49 30 2023 6071 - 1
https://www.ssystems.de
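The seven steps Harald sketches, carried through as an added worked example. This is not code from the post and not Shibboleth's API: the SP's session-creation template (step 4) and the IdP's external login flow (steps 6 and 7) are replaced by plain Python stand-ins, the JWT is HS256 over a shared secret implemented with the standard library only, the authnContextClassRef value "jsonwebtoken" is taken from the post, and the application URL, subject, secret and timestamps are constructed sample values. Beyond the post's outline, the verifier also rejects expired, replayed (jti already seen), wrong-audience and wrongly-signed tokens, since a token passed in a URL query string must be treated as short-lived and single-use.

```python
"""Token-bridged SSO sketch (added example; hypothetical stand-ins for the
Shibboleth SP template and IdP external login flow described in the post)."""
import base64
import hashlib
import hmac
import json
import secrets
from urllib.parse import parse_qs, urlencode, urlsplit

# authnContextClassRef the post proposes for this login flow (step 5)
TOKEN_CONTEXT = "jsonwebtoken"


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def issue_token(secret: bytes, subject: str, audience: str, now: int, ttl: int = 60) -> str:
    """Step 1: the application behind the first SP issues an HS256 JWT.
    aud = the second SP, exp = short TTL, jti = random id for single-use."""
    header = {"alg": "HS256", "typ": "JWT"}
    payload = {"sub": subject, "aud": audience, "iat": now, "exp": now + ttl,
               "jti": secrets.token_urlsafe(16)}
    signing_input = (_b64url(json.dumps(header, separators=(",", ":")).encode())
                     + "." + _b64url(json.dumps(payload, separators=(",", ":")).encode()))
    sig = hmac.new(secret, signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + _b64url(sig)


def build_sso_url(app_url: str, token: str) -> str:
    """Steps 2-3: the stored token is put on the URL opened in the second browser."""
    return app_url + "?" + urlencode({"token": token})


def sp_build_authn_request(request_url: str) -> dict:
    """Step 4-5 stand-in: the SP copies the token parameter into the AuthnRequest
    and asks for the 'jsonwebtoken' context (hypothetical, not the SP's real template)."""
    qs = parse_qs(urlsplit(request_url).query)
    return {"authnContextClassRef": TOKEN_CONTEXT, "token": qs["token"][0]}


def idp_verify(secret: bytes, authn_request: dict, audience: str, now: int, used_jtis: set) -> str:
    """Steps 6-7 stand-in for the IdP login flow: verify the token and return the
    subject to log in. Raises ValueError on any failed check."""
    if authn_request.get("authnContextClassRef") != TOKEN_CONTEXT:
        raise ValueError("not a token login request")
    parts = authn_request.get("token", "").split(".")
    if len(parts) != 3:
        raise ValueError("malformed token")
    h, p, s = parts
    # Signature first, with a constant-time compare; we never trust the header's alg.
    expected = hmac.new(secret, f"{h}.{p}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(s)):
        raise ValueError("bad signature")
    if json.loads(_b64url_decode(h)).get("alg") != "HS256":
        raise ValueError("unexpected alg")
    payload = json.loads(_b64url_decode(p))
    if payload.get("aud") != audience:
        raise ValueError("token not issued for this SP")
    if now >= payload.get("exp", 0):
        raise ValueError("token expired")
    jti = payload.get("jti")
    if not jti or jti in used_jtis:
        raise ValueError("token replayed or missing jti")
    used_jtis.add(jti)  # single-use: the URL may sit in browser history and logs
    return payload["sub"]


if __name__ == "__main__":
    # Constructed sample run of the whole flow.
    secret = b"shared-secret-between-app-and-idp"
    now = 1557392359
    app = "https://app.any.where"
    tok = issue_token(secret, "hstrack", app, now)
    req = sp_build_authn_request(build_sso_url(app, tok))
    print("logged in:", idp_verify(secret, req, app, now + 5, set()))
```

In a real deployment the jti set would live in the IdP's storage service and the secret would be per application, but the checks are the ones the login flow in step 7 needs: signature, audience bound to the target SP, a short expiry, and one use only.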