[30116] in Kerberos
Re: SSO
daemon@ATHENA.MIT.EDU (Michael B Allen)
Thu Jul 17 21:39:53 2008
Message-ID: <78c6bd860807171832rf80d2d7yd8521e4228ddc32b@mail.gmail.com>
Date: Thu, 17 Jul 2008 21:32:24 -0400
From: "Michael B Allen" <ioplex@gmail.com>
To: "Russ Allbery" <rra@stanford.edu>
In-Reply-To: <87r69s86z9.fsf@windlord.stanford.edu>
MIME-Version: 1.0
Content-Disposition: inline
Cc: kerberos@mit.edu
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
Errors-To: kerberos-bounces@mit.edu
On Thu, Jul 17, 2008 at 6:46 PM, Russ Allbery <rra@stanford.edu> wrote:
>> And that is the scenario where direct SPNEGO / NTLMSSP solutions are
>> going to perform better.
>
> If by "better" you mean "pretty much the same," yes, modulo the
> configuration note that I mentioned.
No, I definitely meant "better".

With direct SPNEGO we 401 the initial HTTP request, accept one GSSAPI
token and get a TGT.

With something like WebAuth, the client is redirected to a central
server, then you have to do all of the above (or an explicit login
which is more stuff) and then redirect the client back to the original
target (and this doesn't include getting a TGT on the target server).

With Plexcel we can do SPNEGO, check group membership (we extract the
group SIDs from the PAC), app-level access to basic user info and
get a TGT without talking to a third party at all. The time between the
initial HTTP request and the 200 response is less than 20 ms (or ~50
ms if the user is in a few hundred groups).
Mike
--
Michael B Allen
PHP Active Directory SPNEGO SSO
http://www.ioplex.com/
________________________________________________
Kerberos mailing list Kerberos@mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos
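The thread compares direct SPNEGO (401, one Negotiate token, 200) with redirect-based SSO, and the reply mentions "SPNEGO / NTLMSSP" in one breath. One thing a server doing direct SPNEGO should check before handing the token to GSSAPI is which mechanism the client is actually offering, because a browser that cannot get a Kerberos ticket will silently fall back to NTLM inside the same Negotiate header. The following is an added example, not code from the post, from Plexcel or from any mailing-list member: it parses only the outer SPNEGO (RFC 4178) framing of an `Authorization: Negotiate` value, lists the mechanism OIDs in the client's preference order, and applies a Kerberos-only policy. The mechanism OIDs are the well-known values; the sample headers are constructed here and their inner mechTokens are placeholders, not real AP-REQs. Real validation of the token still belongs to `gss_accept_sec_context`, which this check runs in front of.

```python
"""Classify the token in an HTTP 'Authorization: Negotiate' header.

Added example (not code from the post or from Plexcel): it looks only at the
SPNEGO framing, enough to see which mechanism the client offers, so a server
can refuse NTLM fallback and insist on Kerberos before calling GSSAPI.
"""
import base64

# Mechanism OIDs in DER-encoded form (well-known values, not from the post).
OID_SPNEGO = bytes.fromhex("2b0601050502")            # 1.3.6.1.5.5.2
OID_KRB5 = bytes.fromhex("2a864886f712010202")        # 1.2.840.113554.1.2.2
OID_MS_KRB5 = bytes.fromhex("2a864882f712010202")     # 1.2.840.48018.1.2.2
OID_NTLMSSP = bytes.fromhex("2b06010401823702020a")   # 1.3.6.1.4.1.311.2.2.10
OID_NAMES = {OID_SPNEGO: "spnego", OID_KRB5: "krb5",
             OID_MS_KRB5: "ms-krb5", OID_NTLMSSP: "ntlmssp"}
KERBEROS_MECHS = ("krb5", "ms-krb5")


def der_len(n: int) -> bytes:
    """DER length field: short form below 128, long form otherwise."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def der(tag: int, body: bytes) -> bytes:
    """Wrap body in a DER TLV with the given tag byte."""
    return bytes([tag]) + der_len(len(body)) + body


def read_tlv(buf: bytes, pos: int):
    """Return (tag, value, next_pos) for the TLV at pos; ValueError if truncated."""
    if pos + 2 > len(buf):
        raise ValueError("truncated TLV header")
    tag, length = buf[pos], buf[pos + 1]
    pos += 2
    if length & 0x80:
        nbytes = length & 0x7F
        if nbytes == 0 or pos + nbytes > len(buf):
            raise ValueError("bad long-form length")
        length = int.from_bytes(buf[pos:pos + nbytes], "big")
        pos += nbytes
    if pos + length > len(buf):
        raise ValueError("truncated TLV value")
    return tag, buf[pos:pos + length], pos + length


def classify_negotiate(header_value: str) -> dict:
    """Decode a Negotiate header; kind is ntlmssp, krb5, spnego or unknown.

    For spnego, mechs lists the offered mechTypes in the client's order.
    """
    scheme, _, b64 = header_value.strip().partition(" ")
    if scheme.lower() != "negotiate":
        raise ValueError("not a Negotiate header")
    token = base64.b64decode(b64)
    if token.startswith(b"NTLMSSP\x00"):           # raw NTLM, no SPNEGO wrapper
        return {"kind": "ntlmssp", "mechs": ["ntlmssp"]}
    if token[:1] != b"\x60":                      # not an InitialContextToken
        return {"kind": "unknown", "mechs": []}
    _, body, _ = read_tlv(token, 0)
    tag, oid, pos = read_tlv(body, 0)
    if tag != 0x06:
        return {"kind": "unknown", "mechs": []}
    if oid in (OID_KRB5, OID_MS_KRB5):            # bare Kerberos GSS token
        return {"kind": "krb5", "mechs": [OID_NAMES[oid]]}
    if oid != OID_SPNEGO:
        return {"kind": "unknown", "mechs": []}
    # NegTokenInit ::= [0] SEQUENCE { [0] mechTypes SEQUENCE OF OID, ... }
    tag, neg, _ = read_tlv(body, pos)
    if tag != 0xA0:
        return {"kind": "spnego", "mechs": []}
    _, seq, _ = read_tlv(neg, 0)
    tag, ctx0, _ = read_tlv(seq, 0)
    if tag != 0xA0:
        return {"kind": "spnego", "mechs": []}
    _, mech_seq, _ = read_tlv(ctx0, 0)
    mechs, p = [], 0
    while p < len(mech_seq):
        _, mech_oid, p = read_tlv(mech_seq, p)
        mechs.append(OID_NAMES.get(mech_oid, mech_oid.hex()))
    return {"kind": "spnego", "mechs": mechs}


def kerberos_only(header_value: str) -> bool:
    """Accept only when the client's optimistic mechanism is Kerberos.

    The SPNEGO mechToken belongs to the first listed mechType, so a list
    that starts with NTLMSSP is an NTLM fallback even if krb5 appears later.
    """
    info = classify_negotiate(header_value)
    if info["kind"] == "krb5":
        return True
    return info["kind"] == "spnego" and bool(info["mechs"]) \
        and info["mechs"][0] in KERBEROS_MECHS


def build_neg_token_init(mechs: list, mech_token: bytes) -> bytes:
    """Constructed NegTokenInit with the given mechTypes and placeholder mechToken."""
    mech_list = der(0x30, b"".join(der(0x06, m) for m in mechs))
    inner = der(0x30, der(0xA0, mech_list) + der(0xA2, der(0x04, mech_token)))
    return der(0x60, der(0x06, OID_SPNEGO) + der(0xA0, inner))


def negotiate_header(token: bytes) -> str:
    return "Negotiate " + base64.b64encode(token).decode("ascii")


# Constructed sample headers; the mechTokens are placeholders, not real AP-REQs.
HDR_KRB_FIRST = negotiate_header(build_neg_token_init([OID_KRB5, OID_NTLMSSP], b"\x00" * 40))
HDR_NTLM_FIRST = negotiate_header(build_neg_token_init([OID_NTLMSSP, OID_KRB5], b"NTLMSSP\x00\x01\x00\x00\x00"))
HDR_RAW_NTLM = negotiate_header(b"NTLMSSP\x00\x01\x00\x00\x00" + b"\x00" * 24)

if __name__ == "__main__":
    for name, hdr in [("krb-first", HDR_KRB_FIRST), ("ntlm-first", HDR_NTLM_FIRST), ("raw-ntlm", HDR_RAW_NTLM)]:
        print(name, classify_negotiate(hdr), "accept" if kerberos_only(hdr) else "reject")
```

Rejecting at this stage keeps the 401/200 round trip the post describes (a rejected client just gets another 401, with no redirect), while making sure the one token you do accept is a Kerberos AP-REQ rather than an NTLM challenge-response that never touches the KDC.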