Is Kerberos a good solution for web-single signon
Christopher Kranz
clk at princeton.edu
Fri Mar 12 19:58:26 EST 2004
bisibis at pt.lu (paul b) wrote in message news:<1f716d42.0403090729.1755f1a at posting.google.com>...
> Hello,
> I am currently developing a "web single signon"-system and I am
> thinking about using Kerberos for this purpose
>
[snip]
>
> Perhaps someone can tell me if Kerberos is really a good solution for
> web-single signon (and fully transparent to end-users) or if there are
> more simple possibilities like for example installing a "reverse
> proxy"?
>
I was wondering the same thing. In fact I started a similar thread a
little while ago. The short answer is no, not really. And the reason
is, HTTP is a stateless protocol. You would need to generate a new
authenticator for each and every connection. Kerberos kind of assumes
that once a session is started the connection is persistent.
See UWash's pubcookie (http://www.pubcookie.org/) or Stanford's
WebAuth (http://webauthv3.stanford.edu/) for examples of WebISO
solutions.
Christopher Kranz
clk at princeton.edu
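
The contrast drawn in the reply above, as an added example that is not part of the original post and is not pubcookie's or WebAuth's actual cookie format: a toy service that accepts each authenticator only once (replay cache), next to a signed, expiring cookie issued after a single authentication. All names and keys are hypothetical, and an HMAC stands in for the Kerberos session-key encryption.

```python
import hashlib, hmac, os, time

SESSION_KEY = os.urandom(32)  # constructed: stands in for the client/service Kerberos session key
COOKIE_KEY = os.urandom(32)   # constructed: known only to the web server

def _mac(key, *fields):
    msg = "|".join(str(f) for f in fields).encode()
    return hmac.new(key, msg, hashlib.sha256).hexdigest()

def make_authenticator(user):
    """Client side: a fresh timestamp and nonce, bound to the session key."""
    ts, nonce = time.time(), os.urandom(8).hex()
    return (user, ts, nonce, _mac(SESSION_KEY, user, ts, nonce))

class Service:
    def __init__(self, max_skew=300):
        self.replay_cache, self.max_skew, self.auth_checks = set(), max_skew, 0

    def accept_authenticator(self, auth):
        """Return the user if the authenticator is valid, fresh and unseen; else None."""
        self.auth_checks += 1
        user, ts, nonce, mac = auth
        if not hmac.compare_digest(mac, _mac(SESSION_KEY, user, ts, nonce)):
            return None
        if abs(time.time() - ts) > self.max_skew or (user, ts, nonce) in self.replay_cache:
            return None
        self.replay_cache.add((user, ts, nonce))  # a stateless request cannot reuse this one
        return user

    def issue_cookie(self, user, ttl=3600):
        """After one successful authentication, hand the browser a signed, expiring cookie."""
        expiry = int(time.time()) + ttl
        return f"{user}|{expiry}|{_mac(COOKIE_KEY, user, expiry)}"

    def verify_cookie(self, cookie):
        """Return the user if the cookie is untampered and unexpired; else None."""
        try:
            user, expiry, mac = cookie.split("|")
        except ValueError:
            return None
        expected = _mac(COOKIE_KEY, user, expiry)
        if not hmac.compare_digest(mac.encode(), expected.encode()):
            return None
        return user if int(expiry) > time.time() else None
```
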