Ulf Dittmer wrote:
You may also want to check out the various Java SSO solutions, like OpenSSO, JOSSO and CAS
Just being a little pedantic here, but the term Single Sign-On (SSO) is highly overloaded, so I want to clarify how our SSO solution (http://www.ioplex.com/jespa.html) is completely different from the SSO solutions you cite above.
Many browsers support the WWW-Authenticate: NTLM and WWW-Authenticate: Negotiate authentication mechanisms that transparently authenticate clients using their workstation credentials in an IntrAnet environment. For example, our product specifically targets clients on a Microsoft Active Directory network where workstations are "joined" to a domain and domains have "trusts".
The important part about this type of SSO is that users only enter their password a single time, when they log into their workstation a la Ctrl-Alt-Del. Then when they visit a site running our Filter they go right in and it automatically knows who they are (and has their fully expanded list of group SIDs, which makes group-based access checks extremely fast). And if they do need to enter a password (because they're not joined to the domain or because they want to change their identity), the password is never even transmitted over the network. A nonce that is encrypted by the browser with the password is transmitted instead. This type of authentication is much more secure. Actually, one of the key things about our solution is that it supports NTLMv2 and other features that are required by the security policies of financial institutions and governments.
The solutions you cite use HTTP redirection to direct the client to a central server for authentication and then redirect the client back to the target site. So those solutions are only necessary in an IntErnet environment where the client is not already associated with a central authority. And even on the IntErnet, the WWW-Authenticate: NTLM method is superior for the authentication step.