SPNEGO (Kerberos token generation/validation) for SSO using Python
Problem description
I'm attempting to implement a simple Single Sign On scenario where some of the participating servers will be Windows (IIS) boxes. It looks like SPNEGO is a reasonable path for this.
Here's the scenario:
- User logs in to my SSO service using his username and password. I authenticate him using some mechanism.
- At some later time the user wants to access App A.
- The user's request for App A is intercepted by the SSO service. The SSO service uses SPNEGO to log the user in to App A:
  - The SSO service hits the App A web page, gets a "WWW-Authenticate: Negotiate" response
  - The SSO service generates an "Authorization: Negotiate xxx" response on behalf of the user, responds to App A. The user is now logged in to App A.
Does this sound right?
I need two things (at least that I can think of now):
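- The ability to generate the "Authorization: Negotiate xxx" token on behalf of the user, preferably using Python
- The ability to validate "Authorization: Negotiate xxx" headers in Python (for a later part of the project)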
Recommended answer
This is exactly what Apple does with its Calendar Server. They have a Python GSSAPI library for the Kerberos part of the process, in order to implement SPNEGO.
Look in CalendarServer/twistedcaldav/authkerb.py for the server auth portion. The kerberos module (which is a C module) doesn't have any useful docstrings, but PyKerberos/pysrc/kerberos.py has all the function definitions.
Here are the URLs for the svn trunks:
http://svn.calendarserver.org/repository/calendarserver/CalendarServer/trunk
http://svn.calendarserver.org/repository/calendarserver/PyKerberos/trunk
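
As an added example (not from the original post, Calendar Server or PyKerberos), the code below inspects the framing of an "Authorization: Negotiate xxx" value before it is handed to a GSSAPI library, telling an SPNEGO or raw Kerberos token from an NTLM fallback. The function names and the sample token are constructed for this example; it authenticates nothing, and real validation still requires GSSAPI with the service's keytab.

```python
import base64

SPNEGO_OID = bytes.fromhex("06062b0601050502")      # DER OID 1.3.6.1.5.5.2
KRB5_OID = bytes.fromhex("06092a864886f712010202")  # DER OID 1.2.840.113554.1.2.2
NTLMSSP_MAGIC = b"NTLMSSP\x00"


def der_length(buf, pos):
    """Read the DER length starting at buf[pos]; return (length, next_pos)."""
    if pos >= len(buf):
        raise ValueError("truncated token")
    first = buf[pos]
    if first < 0x80:                      # short form
        return first, pos + 1
    n = first & 0x7F                      # long form: n length bytes follow
    if n == 0 or n > 4 or pos + 1 + n > len(buf):
        raise ValueError("bad DER length")
    return int.from_bytes(buf[pos + 1:pos + 1 + n], "big"), pos + 1 + n


def classify_negotiate(header_value):
    """Return 'spnego', 'kerberos', 'ntlm' or 'spnego-reply' for an Authorization
    header value; raise ValueError if malformed. Checks framing only."""
    scheme, _, b64 = header_value.strip().partition(" ")
    if scheme.lower() != "negotiate" or not b64.strip():
        raise ValueError("not a Negotiate header carrying a token")
    try:
        token = base64.b64decode(b64.strip(), validate=True)
    except ValueError as exc:             # binascii.Error is a ValueError
        raise ValueError("token is not valid base64") from exc
    if token.startswith(NTLMSSP_MAGIC):
        return "ntlm"                     # raw NTLM fallback, not Kerberos
    if token[:1] == b"\xa1":
        return "spnego-reply"             # NegTokenResp, a later leg
    if token[:1] != b"\x60":
        raise ValueError("not a GSS-API initial context token")
    length, pos = der_length(token, 1)
    if pos + length != len(token):
        raise ValueError("length field does not match token size")
    if token.startswith(SPNEGO_OID, pos):
        return "spnego"
    if token.startswith(KRB5_OID, pos):
        return "kerberos"
    raise ValueError("unknown mechanism OID")


# Constructed sample: SPNEGO framing around an empty body, not a real ticket.
SAMPLE = "Negotiate " + base64.b64encode(
    b"\x60\x0c" + SPNEGO_OID + b"\xa0\x02\x30\x00").decode()
```

A server that only intends to accept Kerberos can reject the "ntlm" result up front instead of passing the token on.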