SSO
Russ Allbery
rra at stanford.edu
Fri Jul 18 22:40:45 EDT 2008

"Michael B Allen" <ioplex at gmail.com> writes:

> Your choices are based on necessity, not trust. If the web application
> needs delegated credentials (e.g. to authenticate as the user with
> another tier), then you need to send the TGT [1].

Unless you use a system such as WebAuth or Cosign that supports limited
delegation, in which case you can send only exactly the credentials that
the web application needs.

> [1] Kerberos provides other ways to limit how the TGT can be used and to
> proxy service tickets and such but I don't think browsers have support
> for such things yet.

They don't so far as I know. Delegation in all the current browsers is an
all-or-nothing affair.

--
Russ Allbery (rra at stanford.edu) <http://www.eyrie.org/~eagle/>