[Freeipa-users] Does FreeIPA support web services SSO gracefully?

Rob Crittenden rcritten at redhat.com
Fri May 4 15:26:29 UTC 2012


cee1 wrote:
> 2012/5/4 Paul Robert Marino<prmarino1 at gmail.com>:
>> There is an Apache module for Kerberos auth that works well. Two notes about
>> it: turn on credential caching, because it significantly reduces the load on
>> the Kerberos server, and keep in mind that Internet Explorer leaves native
>> Kerberos on (you won't get prompted for a user name or password if you have a
>> valid Kerberos ticket), but Firefox turns it off by default and I'm not sure
>> about Chrome. In other words, if you leave the default setting in Firefox it
>> will use basic auth (clear text password unless you use SSL) to interact
>> with Apache and subsequently Kerberos. This is a wonderful way to make a
>> secure authentication mechanism insecure if you don't use SSL.
>> That said, I know for a fact track does work well with Kerberos auth.
> That means if the user's browser doesn't support Kerberos, or has Kerberos
> off by default, it will break SSO, right?
>
> Maybe I should try FreeIPA in conjunction with CoSign?

Firefox needs to be configured to be allowed to perform Kerberos SSO in 
a domain. FreeIPA 2.2 introduced a forms-based login so you don't have 
to fall back to basic authentication (with KrbMethodK5Passwd on).

In practice all web-based Kerberos should be protected by SSL.

rob



