tomcat - Single sign-on to a JOSSO server using Windows credentials

Tags: tomcat single-sign-on kerberos spnego josso

I am currently trying to extend our SSO solution. My company uses a JOSSO server running on Tomcat to enable single sign-on for users. Now I would like to log in to the JOSSO server automatically using the user's Windows credentials. I have looked into various approaches, i.e. Kerberos, SPNEGO and Windows Integrated Authentication, but I don't know how they work together.

Can anyone tell me which physical components I need and roughly how they communicate with each other?

Best answer

The physical components and how they work together should be visible here:

http://www.josso.org/confluence/display/JOSSO1/Architecture+Overview


Since Kerberos is mixed with NTLM in Windows

https://en.wikipedia.org/wiki/NT_LAN_Manager#Availability_and_use_of_NTLM

Microsoft has added the NTLM hash to its implementation of the Kerberos protocol to improve inter-operability

the usage of the actual SSO technique running underneath may not be obvious.

You should be comfortable with pages such as the following:

  1. http://www.josso.org/confluence/display/JOSSO1/Windows+Authentication+Setup

Testing Windows Authentication: Log in to a Windows workstation associated with the Active Directory domain using the previously created account (i.e. user1). Open an Internet Explorer instance and access a JOSSO-protected resource URL. You should be granted access to the protected resource transparently without any prompt for username and password.

  2. http://www.josso.org/confluence/display/JOSSO1/Setup+JOSSO+Agent+%28SP%29

Normally you will install an agent in each container that will host SSO partner applications. For example, if you have applications deployed on Tomcat and JBoss, you will have to install an agent in each container. Agents are part of the Service Provider (partner application) runtime environment.

  3. For example (depending on the web container you chose on the previous page): http://www.josso.org/confluence/display/JOSSO1/Setup+JOSSO+Agent+-+Tomcat+6.0

Using this configuration you can set:
  - The Gateway Login URL, where the Single Sign-On Agent will redirect the user on a protected resource access request so that he can authenticate.
  - The Gateway Logout URL, where the Single Sign-On Agent will redirect the user on a logout request.
  - The concrete Service Locator to be used to invoke the services of the Single Sign-On Gateway.
  - The Single Sign-On partner applications. This configuration file defines only one partner application, associated with the /partnerapp web context. This means that the web application associated with the /partnerapp web context will be put behind the Single Sign-On. You can define other partner applications.
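The answer points at the JOSSO documentation rather than at the protocol itself. As an added example (not JOSSO code and not part of the original answer), the following servlet filter shows the server side of the SPNEGO leg that lets a domain-joined browser sign in with its Windows credentials: the `401 Negotiate` challenge, GSS-API validation of the Kerberos token under the service principal, and a fail-closed check for the NTLM fallback the answer mentions. The JAAS login entry name `SpnegoAcceptor`, its keytab-based service login and the request attribute `spnego.principal` are assumptions; everything else is plain JDK GSS-API and Servlet API.

```java
// Added example, not JOSSO code: minimal SPNEGO acceptor as a servlet filter.
// Assumed (hypothetical): a JAAS entry "SpnegoAcceptor" that logs in the
// service principal HTTP/<host> from a keytab, so no password exists at runtime.
import java.io.IOException;
import java.security.PrivilegedActionException;
import java.security.PrivilegedExceptionAction;
import java.util.Base64;
import javax.security.auth.Subject;
import javax.security.auth.login.LoginContext;
import javax.security.auth.login.LoginException;
import javax.servlet.*;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import org.ietf.jgss.*;

public class SpnegoFilter implements Filter {
    private static final String NEGOTIATE = "Negotiate";
    private static final Oid SPNEGO_OID;          // 1.3.6.1.5.5.2 = SPNEGO mechanism
    static {
        try { SPNEGO_OID = new Oid("1.3.6.1.5.5.2"); }
        catch (GSSException e) { throw new ExceptionInInitializerError(e); }
    }
    private Subject serviceSubject;

    @Override
    public void init(FilterConfig cfg) throws ServletException {
        try {
            LoginContext lc = new LoginContext("SpnegoAcceptor"); // assumed JAAS entry
            lc.login();
            serviceSubject = lc.getSubject();
        } catch (LoginException e) {
            throw new ServletException("service principal login failed", e);
        }
    }

    @Override
    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest request = (HttpServletRequest) req;
        HttpServletResponse response = (HttpServletResponse) res;

        String header = request.getHeader("Authorization");
        if (header == null || !header.startsWith(NEGOTIATE + " ")) {
            challenge(response);   // step 1: ask for a token; a domain-joined browser sends Kerberos
            return;
        }
        String b64 = header.substring(NEGOTIATE.length() + 1).trim();
        if (b64.startsWith("TlRMTVNT")) {
            // Base64 of "NTLMSS": the browser fell back to NTLM (wrong SPN, host not in the
            // Intranet zone, no domain logon). A Kerberos acceptor cannot validate it: fail closed.
            response.sendError(HttpServletResponse.SC_UNAUTHORIZED, "NTLM fallback not supported");
            return;
        }
        byte[] token = Base64.getDecoder().decode(b64);

        String principal;
        try {
            // Step 2: validate under the service credential (keytab), never with a user password.
            principal = Subject.doAs(serviceSubject,
                    (PrivilegedExceptionAction<String>) () -> acceptToken(token, response));
        } catch (PrivilegedActionException e) {
            challenge(response);   // bad or expired ticket: re-challenge instead of a 500
            return;
        }
        if (principal == null) {
            return;                // context needs another round trip; response already set
        }
        // Step 3: hand the verified principal (e.g. user1@EXAMPLE.COM) to the SSO layer.
        req.setAttribute("spnego.principal", principal);  // assumed attribute name
        chain.doFilter(req, res);
    }

    // Returns the verified Kerberos principal, or null while the context is not yet established.
    private String acceptToken(byte[] token, HttpServletResponse response)
            throws GSSException, IOException {
        GSSManager mgr = GSSManager.getInstance();
        GSSCredential cred = mgr.createCredential(null, GSSCredential.INDEFINITE_LIFETIME,
                SPNEGO_OID, GSSCredential.ACCEPT_ONLY);
        GSSContext ctx = mgr.createContext(cred);
        try {
            byte[] out = ctx.acceptSecContext(token, 0, token.length);
            if (out != null && out.length > 0) {
                response.setHeader("WWW-Authenticate",
                        NEGOTIATE + " " + Base64.getEncoder().encodeToString(out));
            }
            if (!ctx.isEstablished()) {
                response.setStatus(HttpServletResponse.SC_UNAUTHORIZED);
                return null;
            }
            return ctx.getSrcName().toString();
        } finally {
            ctx.dispose();
            cred.dispose();
        }
    }

    private static void challenge(HttpServletResponse response) throws IOException {
        response.setHeader("WWW-Authenticate", NEGOTIATE);
        response.sendError(HttpServletResponse.SC_UNAUTHORIZED);
    }

    @Override public void destroy() { }
}
```

Mapped onto the JOSSO architecture linked above, this filter is the piece that would sit in front of the gateway's login endpoint: it turns a Windows logon into a verified Kerberos principal, and only that principal is then handed to the SSO session logic. The NTLM check is the practical diagnostic for the "it prompts for a password" symptom, since an NTLM token means the browser never obtained a Kerberos service ticket for the JOSSO host.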

Regarding "tomcat - Single sign-on to a JOSSO server using Windows credentials", we found a similar question on Stack Overflow: https://stackoverflow.com/questions/22194082/
