Incorporating SSO in addition to / instead of SSL


Problem description


I have a system protected by SSL - and clients use a smartcard for accessing their certificate. I use Java's pkcs11.

I have posted this question here (even with bounty): pkcs11 sso (using prior windows login with smartcard)

The same smartcard is used for Windows login - and I would like to save the client the trouble of re-logging using the smartcard (PIN).

Many links I have read about this issue led me to the world of SSO: NTLM, Kerberos etc.

I feel SSO is a bit of an overspec for what I wanted to achieve - and also, by the looks of it, at least Kerberos requires me to create a KDC server and other new components that will elongate my development time.

So - some introductory questions about SSO I couldn't find an answer to:

  1. Will it actually solve the problem I presented? (The smartcards contain "classic" certificates signed by a CA).

  2. I would like a minimal solution (in terms of components) - which is the best implementation for this? NTLM, Kerberos? I will probably have to use a JNA wrapper like WAFFLE, right? By the way, I will use WINDOWS as OS.

Thank you for your help.

Solution

The only way is to set up a Windows Active Directory (a KDC impl) to use the full power of SSO with Kerberos. There is no other option. Don't use NTLM, it has a lot of drawbacks. Waffle has its drawbacks. Due to its different nature, it does not integrate into JGSS and makes it unusable comprehensively in Java. If you want to avoid licensing fees for Windows Server, you may try Samba 4, which is an OSS alternative to the AD.

I have been doing this for years in a corporate environment from Windows clients to a Unix-based server.
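As an added example (not code from the question or the answer), the Kerberos exchange the answer recommends, written against the standard JGSS API: the Windows client builds its token from the logon ticket it already holds, and the Unix server accepts it with its keytab. The service name `HTTP@app.example.com`, the `Negotiate` header framing and the credential setup are assumptions: the JVM must be configured to read the logon ticket cache on the client (for example JAAS `Krb5LoginModule` with `useTicketCache=true`) and the service keytab on the server.

```java
import java.util.Base64;
import org.ietf.jgss.*;

public class KerberosSsoExchange {
    // Kerberos v5 mechanism OID (RFC 1964).
    private static final String KRB5_MECH_OID = "1.2.840.113554.1.2.2";
    // Assumed host-based service name of the Unix server, registered in AD as an SPN.
    private static final String SERVICE = "HTTP@app.example.com";

    /** Client (Windows workstation): context built from the existing logon TGT. */
    static GSSContext newClientContext(GSSManager mgr) throws GSSException {
        Oid krb5 = new Oid(KRB5_MECH_OID);
        GSSName target = mgr.createName(SERVICE, GSSName.NT_HOSTBASED_SERVICE, krb5);
        // A null credential selects the default initiator credential (the ticket cache the
        // JVM is configured to read); no PIN prompt, the smartcard was used once at logon.
        GSSContext ctx = mgr.createContext(target, krb5, null, GSSContext.DEFAULT_LIFETIME);
        ctx.requestMutualAuth(true); // server must prove it holds the service key
        ctx.requestInteg(true);      // subsequent wrap()/getMIC() are integrity-protected
        return ctx;
    }

    /** Server (Unix host): accepts with its default acceptor credential (the keytab). */
    static GSSContext newServerContext(GSSManager mgr) throws GSSException {
        return mgr.createContext((GSSCredential) null);
    }

    /** Client step: next token, Base64-encoded for an HTTP "Authorization: Negotiate" header. */
    static String nextClientToken(GSSContext ctx, byte[] fromServer) throws GSSException {
        byte[] in = fromServer == null ? new byte[0] : fromServer;
        byte[] out = ctx.initSecContext(in, 0, in.length);
        return out == null ? null : "Negotiate " + Base64.getEncoder().encodeToString(out);
    }

    /** Server step: accept the header's token; returns the reply token (null once done). */
    static byte[] acceptClientToken(GSSContext ctx, String header) throws GSSException {
        byte[] in = Base64.getDecoder().decode(header.substring("Negotiate ".length()));
        byte[] out = ctx.acceptSecContext(in, 0, in.length);
        if (ctx.isEstablished()) {
            System.out.println("Authenticated principal: " + ctx.getSrcName());
        }
        return out;
    }

    public static void main(String[] args) throws GSSException {
        GSSContext client = newClientContext(GSSManager.getInstance());
        System.out.println(nextClientToken(client, null)); // send over the existing TLS channel
        client.dispose();
    }
}
```

With mutual authentication requested, the server's reply token must be fed back into `nextClientToken` once more before the client context reports `isEstablished()`.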
