[30131] in Kerberos
Re: SSO
daemon@ATHENA.MIT.EDU (=?ISO-8859-1?Q?Michael_Str=F6der?=)
Fri Jul 18 16:42:19 2008
From: =?ISO-8859-1?Q?Michael_Str=F6der?= <michael@stroeder.com>
Date: Fri, 18 Jul 2008 18:03:55 +0200
Message-ID: <bgr6l5-dfp.ln1@nb2.stroeder.com>
Mime-Version: 1.0
X-Complaints-To: usenet-abuse@t-online.de
In-Reply-To: <mailman.189.1216395696.2966.kerberos@mit.edu>
To: kerberos@mit.edu
Content-Type: text/plain; charset="iso-8859-1"
Errors-To: kerberos-bounces@mit.edu
Content-Transfer-Encoding: 8bit
Simon Wilkinson wrote:
>
> On 18 Jul 2008, at 12:13, Michael Ströder wrote:
>> Is the TGT sent by the browser in the SPNEGO blob? Up to now I thought
>> it's just a service ticket.
>
> SPNEGO is a GSSAPI mechanism, wrapping the Kerberos one. If you set the
> deleg_creds flag when calling into the API, then a TGT will be included.
Which entity has to set this flag when calling into the API? The web
browser or the web server?
My goal when doing SSO for web applications is that I don't trust the
web applications so much not to reveal the user's credentials.
Ciao, Michael.
________________________________________________
Kerberos mailing list Kerberos@mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos
