From: Tim Judd
To: Bill Moran
Cc: John Almberg, freebsd-questions@freebsd.org
Date: Thu, 16 Jul 2009 10:39:59 -0600
Subject: Re: SSO solution in ports?

On 7/16/09, Bill Moran wrote:
> In response to John Almberg:
>
>> I am trying to build a set of web applications that are accessed
>> through a web portal that uses a Single Sign On (SSO) solution.
>> Problem is, there are MANY competing SSO solutions. Since building
>> the client side of the SSO system is more than enough for me, I was
>> wondering if there are any SSO servers in ports that I can just
>> install and use? A CAS solution would be the best, but I'll look at
>> anything.
>
> The most widely supported I know of is LDAP, and OpenLDAP works pretty
> well.

Kerberos (4 or 5) is synonymous with single sign on. Kerberos support is not as integrated with services as LDAP is.

I am almost the paranoid security type and I don't know if SSO is really a "good idea" (TM). You obtain someone's *weak* password because they don't want complexity, now the systems are wide open to them.

System Login/Email are the two that bug me most. "If I have your system login password, I have your email password too. Then anything else you hook into SSO is also known"

So I battle myself every day with the mindset if SSO is truly a worthwhile thing to look at, or if it should be at *most* two SSOs, one for system login, one for "everything else".

Sorry to pull off on that tangent, but it seems nobody considers the downside to SSO, and it's been nagging at me.

--Tim