On 01/04/2011 06:54 PM, Russ Allbery wrote:
> Brian Candler <[email protected]> writes:
>
>> Kerberos is a single sign-on system. You get your TGT at the start of
>> the day, and then it logs you in automatically and transparently to each
>> service you visit.
>
>> If you want the site to prompt for username/password, either initially
>> or after an idle timeout, then I think it will need to do its own HTTP
>> Basic authentication.
>
> Or you can use a web authentication system based on or capable of using
> Kerberos, like:
>
> http://webauth.stanford.edu/
> http://cosign.sourceforge.net/
>
> which offer various additional features, such as this sort of idle
> timeout. Kerberos by itself is not going to provide this.
>
> --
> Russ Allbery ([email protected]) <http://www.eyrie.org/~eagle/>
> ________________________________________________
> Kerberos mailing list [email protected]
> https://mailman.mit.edu/mailman/listinfo/kerberos
We are using CoSign and it has a pretty feature called re-auth. A service can request that re-auth is needed, and the user is redirected to a central re-auth page. If Kerberos authentication (SPNEGO) is used (or certificates, or passwords are stored in the browser...) this can be automated and the user may not be aware of this. So multifactor authentication comes to the rescue. Some sort of OTP would be a good idea, but that's kind of anti-SSO.

If only one site needs this functionality, put it out of the SSO realm; if multiple sites will use this, add OTP as a second authentication factor. Every site can be configured as to which factor is mandatory/sufficient. On timeout the site invalidates the session and the user is taken to the re-auth page. The OTP factor can be designed so it will not ask for the password more often than once per 15 minutes, making it more SSO-like (the user is not asked to re-auth on every expired site, just on the first one).

Matej Zagiba
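The scheme described in this reply (per-site mandatory/sufficient factors, a per-site idle timeout that sends the user to a central re-auth page, and an OTP factor that is re-prompted at most once per 15 minutes) can be modelled in a few dozen lines. The following is an added example written for this page, not CoSign's code or anything from the thread; the factor names, the SitePolicy fields, the 10-minute default idle timeout and the rule for picking which sufficient factor to ask for are all assumptions. It also shows the weakness the reply points out: a site whose policy is satisfied by a silent factor (SPNEGO) or a browser-stored password re-authenticates without the user noticing.

```python
"""Toy model of a CoSign-style central session with per-site re-auth
policies.  Constructed example, not CoSign's code; factor names, policy
fields and timings are assumptions taken from the mailing-list discussion."""
from dataclasses import dataclass, field
from typing import Dict, FrozenSet, List, Optional, Tuple

# Assumed factor names.
KERBEROS = "kerberos"   # SPNEGO: obtained silently, the user sees nothing
PASSWORD = "password"   # interactive, but a browser may autofill it
OTP = "otp"             # interactive and not replayable by the browser

OTP_FRESHNESS_SECONDS = 15 * 60   # do not re-prompt for OTP more often than this


@dataclass
class CentralSession:
    """Central login session shared by every site: factor -> time last completed."""
    completed: Dict[str, float] = field(default_factory=dict)

    def complete(self, factor: str, now: float) -> None:
        self.completed[factor] = now


@dataclass(frozen=True)
class SitePolicy:
    """Per-site configuration: 'mandatory' factors must all be current;
    at least one of the 'sufficient' factors must be current."""
    name: str
    mandatory: FrozenSet[str] = frozenset()
    sufficient: FrozenSet[str] = frozenset()
    idle_timeout: int = 10 * 60    # assumed default


def factor_satisfied(factor: str, central: CentralSession, now: float) -> bool:
    """Silent factors stay valid for the life of the central session, so a
    re-auth that needs only them is invisible to the user.  OTP is credited
    only if it was entered inside the freshness window."""
    done_at = central.completed.get(factor)
    if done_at is None:
        return False
    if factor == OTP:
        return now - done_at <= OTP_FRESHNESS_SECONDS
    return True


def factors_to_prompt(policy: SitePolicy, central: CentralSession, now: float) -> List[str]:
    """What the central re-auth page must actually obtain from the user for
    this site.  An empty list means re-auth completes with no interaction."""
    prompt = [f for f in sorted(policy.mandatory) if not factor_satisfied(f, central, now)]
    if policy.sufficient and not any(factor_satisfied(f, central, now) for f in policy.sufficient):
        # None of the sufficient factors is current: ask for OTP if the site
        # accepts it, otherwise the first one alphabetically (assumed rule).
        prompt.append(OTP if OTP in policy.sufficient else sorted(policy.sufficient)[0])
    return prompt


def site_request(policy: SitePolicy, central: CentralSession,
                 last_activity: Optional[float], now: float) -> Tuple[str, List[str]]:
    """Handle one request at a site.  Returns ("ok", []) while the site session
    is inside its idle timeout; otherwise the site drops its session and
    redirects to re-auth, returning ("reauth", factors the user is prompted for)."""
    if last_activity is not None and now - last_activity <= policy.idle_timeout:
        return ("ok", [])
    return ("reauth", factors_to_prompt(policy, central, now))


def demo() -> List[Tuple[str, float, str, List[str]]]:
    """Walk one user through three sites; returns (site, time, decision, prompts)."""
    central = CentralSession()
    central.complete(KERBEROS, 0.0)   # SPNEGO login at the start of the day
    central.complete(OTP, 0.0)        # first OTP entered at the same time

    payroll = SitePolicy("payroll", mandatory=frozenset({KERBEROS, OTP}), idle_timeout=5 * 60)
    admin = SitePolicy("admin", mandatory=frozenset({OTP}), sufficient=frozenset({KERBEROS, PASSWORD}))
    wiki = SitePolicy("wiki", sufficient=frozenset({KERBEROS, PASSWORD}))

    log = []
    # 16 minutes later: payroll has idled out and the OTP is stale, so the user is prompted.
    decision, prompts = site_request(payroll, central, last_activity=0.0, now=960.0)
    log.append((payroll.name, 960.0, decision, prompts))
    for f in prompts:                 # user completes the prompted factors centrally
        central.complete(f, 960.0)
    # One minute later, first visit to admin: OTP is fresh, Kerberos is silent -> no prompt.
    decision, prompts = site_request(admin, central, last_activity=None, now=1020.0)
    log.append((admin.name, 1020.0, decision, prompts))
    # The wiki accepts a silent factor, so even after idling out it never shows a prompt.
    decision, prompts = site_request(wiki, central, last_activity=0.0, now=5000.0)
    log.append((wiki.name, 5000.0, decision, prompts))
    return log


if __name__ == "__main__":
    for site, t, decision, prompts in demo():
        print(f"t={t:>5.0f}s {site:<8} {decision:<6} prompt for: {prompts or 'nothing'}")
```

Running the script shows the three cases from the reply in order: the first expired site asks for the OTP, the next site visited within the 15-minute window re-authenticates with no interaction, and a site whose policy is met by a silent factor never prompts at all, which is exactly why the reply argues for adding OTP as a mandatory factor where a visible re-auth is wanted.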
