5

Don't you just hate it when your password explodes, letting the magic smoke out of your server, and setting lp0 ablaze?

In all seriousness, the number of places a person needs a username and password is increasing dramatically. It looks like OpenID won't be solving the problem in the near future, and Single Sign-On seems more like a goal than a reality internally, even disregarding the great big net out there.

I just came from a meeting wherein I was told that we've paid for access to several external sites, and want to lower the bar and increase the likelihood that staff (and students) will make use of these resources. Those speaking felt that our top five- to ten-percent of users might make use of the sites, but if we could provide a way to log people in to the sites (and give them a launching-off page) the uptake might increase dramatically (and we could save tech support money by not having to help people when they forget their passwords).

What are you doing about this problem in your organization? Are there any sensible approaches?

Clinton Blackmore
  • 3,510
  • 6
  • 35
  • 61

5 Answers

3

Kerberos gets you 90% there. Then you've got to get your browsers passing kerberos tokens to internal websites (look in about:config on Mozilla variants, search for "nego" to see the preferences).

After that, RADIUS-type authentication for the things that require passwords, or LDAP.

Bill Weiss
  • 10,782
  • 3
  • 37
  • 65
  • Do these aid in authenticating to external systems at all? – Clinton Blackmore Jun 03 '09 at 20:40
  • 1
    Well, matters how much those external systems are willing to do to authenticate against you. Lots will do some sort of remote auth (LDAP, RADIUS, some kind of web callback) if you ask right. – Bill Weiss Jun 03 '09 at 21:17
  • 1
    Ditto. We've built our network from the ground up to authenticate everything possible against a directory server. Kerberos works for most things, LDAP login with the same credentials for anything that doesn't support Kerberos. Many external services will either let you proxy the authentication back to your own servers, or else set up a proxy. The users sign on to your proxy page and then it forwards the credentials or some kind of authorization token to the external service. – Kamil Kisiel Jun 03 '09 at 23:01
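Worked example, added here and not part of the answer above or its comments: the browser side of the Kerberos approach is a trust list telling Firefox which hosts may receive a Negotiate (SPNEGO) token. The script below builds that list in both forms Firefox has accepted over the years: the `network.negotiate-auth.*` preferences found under about:config (the "nego" search the answer mentions, written out as a `user.js`), and the newer enterprise `policies.json` `Authentication` block. Host names are assumed for illustration. The check that matters for security is the one on each entry: Firefox matches the list against the end of the request host, so a bare TLD, a single label or a wildcard would hand the user's service ticket to any site that happens to match.

```python
"""Generate Firefox's Negotiate (Kerberos/SPNEGO) trust list.

Added example; host names below are assumptions, not from the thread.
"""
import json
import re

# One DNS label: letters, digits and hyphens, no leading or trailing hyphen.
_LABEL = re.compile(r"^[a-z0-9](?:[a-z0-9-]*[a-z0-9])?$")


def check_trusted_host(entry: str) -> str:
    """Normalise and validate one trusted-uris entry.

    Accepts "host.example.edu" or "https://host.example.edu" (the scheme
    prefix restricts the match to TLS). Rejects wildcards, empty strings
    and anything with fewer than two labels, because Firefox matches the
    list against the *suffix* of the request host and an over-broad entry
    leaks Kerberos tickets to arbitrary sites.
    """
    host = entry.strip().lower()
    scheme = ""
    if host.startswith("https://"):
        scheme, host = "https://", host[len("https://"):]
    if not host or "*" in host:
        raise ValueError("refusing empty or wildcard entry: %r" % entry)
    labels = host.split(".")
    if len(labels) < 2 or not all(_LABEL.match(l) for l in labels):
        raise ValueError("entry must be a fully qualified host or domain: %r" % entry)
    return scheme + host


def negotiate_prefs(trusted, delegated=()):
    """about:config preferences as a dict (the ones a search for "nego" shows).

    delegation-uris lists hosts that may receive a *forwardable* TGT on the
    user's behalf; keep it empty unless a back-end needs it, and never list
    a host there that is not also trusted for plain authentication.
    """
    t = [check_trusted_host(h) for h in trusted]
    d = [check_trusted_host(h) for h in delegated]
    extra = sorted(set(d) - set(t))
    if extra:
        raise ValueError("delegation hosts must also be trusted: %s" % extra)
    return {
        "network.negotiate-auth.trusted-uris": ",".join(t),
        "network.negotiate-auth.delegation-uris": ",".join(d),
        # short names like "intranet" would otherwise be trusted implicitly
        "network.negotiate-auth.allow-non-fqdn": False,
        # do not hand tickets to an HTTP proxy that asks for them
        "network.negotiate-auth.allow-proxies": False,
    }


def user_js(trusted, delegated=()):
    """Render the preferences as a user.js file for older Firefox builds."""
    lines = ["user_pref(%s, %s);" % (json.dumps(k), json.dumps(v))
             for k, v in negotiate_prefs(trusted, delegated).items()]
    return "\n".join(lines) + "\n"


def policies(trusted, delegated=()):
    """Same settings as an enterprise policies.json structure (json.dumps it)."""
    prefs = negotiate_prefs(trusted, delegated)
    return {"policies": {"Authentication": {
        "SPNEGO": prefs["network.negotiate-auth.trusted-uris"].split(","),
        "Delegated": [h for h in prefs["network.negotiate-auth.delegation-uris"].split(",") if h],
        "AllowNonFQDN": {"SPNEGO": False, "NTLM": False},
        "Locked": True,   # users cannot widen the list from about:config
    }}}


if __name__ == "__main__":
    hosts = ["https://wiki.example.edu", "mail.example.edu"]  # assumed names
    print(user_js(hosts))
    print(json.dumps(policies(hosts), indent=2))
```

The script only covers the client half. The intranet sites still need a keytab for their `HTTP/host.example.edu` service principal and a module such as mod_auth_kerb or mod_auth_gssapi on Apache to accept the token; without that the browser is configured to offer a ticket that nothing consumes.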
2

We're making extensive use of the Central Authentication Service (wikipedia entry). It has plug-ins for a lot of things, and we've managed to use it for services that have separate identity information per-user. I believe it can also be used for services where there is a generic login to a site.

sysadmin1138
  • 131,083
  • 18
  • 173
  • 296
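Worked example, added here and not taken from the answer above or from the CAS project: the four steps a web application goes through in the CAS 2.0 protocol the answer relies on. The CAS server URL, the service URL and the two XML responses are constructed for the example. The practitioner-relevant details are in the comments: the `service` value must be identical at login and at validation, the ticket is single-use and short-lived, and only an `authenticationSuccess` element carrying a non-empty `cas:user` should create a session.

```python
"""Service side of CAS 2.0: redirect, ticket pick-up, validation, parsing.

Added example. CAS_BASE, SERVICE and the XML samples are constructed.
"""
import xml.etree.ElementTree as ET
from urllib.parse import urlencode, urlparse, parse_qs

CAS_NS = {"cas": "http://www.yale.edu/tp/cas"}

CAS_BASE = "https://cas.example.edu/cas"            # assumed
SERVICE = "https://library.example.edu/login"       # assumed; our callback URL


def login_redirect(cas_base: str, service: str) -> str:
    """Step 1: send an unauthenticated browser to CAS; after sign-on CAS
    redirects back to `service` with ?ticket=ST-... appended."""
    return cas_base + "/login?" + urlencode({"service": service})


def ticket_from_callback(callback_url: str):
    """Step 2: extract the service ticket from the redirect back to us.
    Only an ST- ticket is acceptable here (PGT/PT are other ticket types)."""
    tickets = parse_qs(urlparse(callback_url).query).get("ticket", [])
    if len(tickets) != 1 or not tickets[0].startswith("ST-"):
        return None
    return tickets[0]


def validate_url(cas_base: str, service: str, ticket: str) -> str:
    """Step 3: the server-to-server URL the application fetches over TLS.
    `service` must be byte-for-byte what step 1 used, or CAS answers
    INVALID_SERVICE; the ticket is consumed by this single request."""
    return cas_base + "/serviceValidate?" + urlencode({"service": service, "ticket": ticket})


def parse_service_response(xml_text: str) -> dict:
    """Step 4: interpret the cas:serviceResponse document.
    Returns {"ok": True, "user": ..., "attributes": {...}} or
    {"ok": False, "code": ..., "message": ...}. Attributes are the CAS 3.0
    extension; absent on a plain CAS 2.0 server."""
    root = ET.fromstring(xml_text)
    if root.tag != "{%s}serviceResponse" % CAS_NS["cas"]:
        raise ValueError("not a cas:serviceResponse document")
    success = root.find("cas:authenticationSuccess", CAS_NS)
    if success is not None:
        user = success.findtext("cas:user", default="", namespaces=CAS_NS).strip()
        if not user:
            return {"ok": False, "code": "MALFORMED", "message": "success without cas:user"}
        attrs = {el.tag.split("}", 1)[-1]: (el.text or "").strip()
                 for el in success.findall("cas:attributes/*", CAS_NS)}
        return {"ok": True, "user": user, "attributes": attrs}
    failure = root.find("cas:authenticationFailure", CAS_NS)
    if failure is not None:
        return {"ok": False, "code": failure.get("code", "UNKNOWN"),
                "message": (failure.text or "").strip()}
    raise ValueError("serviceResponse carries neither success nor failure")


# Constructed sample responses, shaped like what /serviceValidate returns.
SUCCESS_XML = """<cas:serviceResponse xmlns:cas="http://www.yale.edu/tp/cas">
  <cas:authenticationSuccess>
    <cas:user>jdoe</cas:user>
    <cas:attributes>
      <cas:mail>jdoe@example.edu</cas:mail>
    </cas:attributes>
  </cas:authenticationSuccess>
</cas:serviceResponse>"""

FAILURE_XML = """<cas:serviceResponse xmlns:cas="http://www.yale.edu/tp/cas">
  <cas:authenticationFailure code="INVALID_TICKET">
    Ticket ST-1-abc not recognized
  </cas:authenticationFailure>
</cas:serviceResponse>"""


if __name__ == "__main__":
    print(login_redirect(CAS_BASE, SERVICE))
    ticket = ticket_from_callback(SERVICE + "?ticket=ST-1-abc")
    print(validate_url(CAS_BASE, SERVICE, ticket))
    print(parse_service_response(SUCCESS_XML))
    print(parse_service_response(FAILURE_XML))
```

For the "generic login to a site" case the answer mentions, the same flow ends differently: after a successful validation the launching-off page, not the user, holds the shared credential for the external site and forwards the browser there, so the user never sees or types that password.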
0

There is the keepass option. Keepass can open a website, tab to the correct login fields, type in your username and password and press enter all in one easy click. Put a pre-filled keepass DB on a pendrive and give them to your users, they can store their own passwords in there too.

It might not be good enough for a web-based login system for thousands of users, but it might make users more comfortable that their passwords are secure (and is still a great solution for individual users).

gbjbaanb
  • 3,852
  • 1
  • 22
  • 27
0

Have a look at Sun's Identity Management package OpenSSO. I believe there is a piece that allows you to create an internal SSO infrastructure that will sign users onto extranet apps. I'm not 100% positive, but it looks to be open source and maybe free.

squillman
  • 37,618
  • 10
  • 90
  • 145
0

If the various tools/sites/services support LDAP, while logins may be required, at least they'll be authenticating back to your OpenLDAP or Active Directory infrastructure, so the username and password won't be "new".

warren
  • 17,829
  • 23
  • 82
  • 134
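Worked example, added here and not part of the answer above: what "authenticating back to your OpenLDAP or Active Directory" looks like inside one of those tools, namely the search-then-bind pattern with RFC 4515 filter escaping. The `FakeDirectory` class, its two entries and the passwords are constructed stand-ins so the script runs offline; against a real server the same two calls are an LDAP search for the user's DN followed by a simple bind with that DN and the supplied password. It shows the two mistakes that make such integrations exploitable: building the filter by string concatenation (an unescaped `*` matches every account) and binding with an empty password (RFC 4513 defines that as an unauthenticated bind, which many servers accept).

```python
"""Search-then-bind against an LDAP directory, with filter escaping.

Added example; FakeDirectory and its contents are constructed stand-ins.
"""
import re


def escape_filter_value(value: str) -> str:
    """Escape a value for use inside an LDAP search filter (RFC 4515).
    The five special characters and every non-ASCII byte become \\xx."""
    out = []
    for b in value.encode("utf-8"):
        if b in b"*()\\\x00" or b >= 0x80:
            out.append("\\%02x" % b)
        else:
            out.append(chr(b))
    return "".join(out)


def user_filter(username: str) -> str:
    """Hardened filter: the username can only ever match as a literal uid."""
    return "(&(objectClass=inetOrgPerson)(uid=%s))" % escape_filter_value(username)


def unsafe_user_filter(username: str) -> str:
    """The vulnerable form this replaces: raw concatenation (shown for contrast)."""
    return "(&(objectClass=inetOrgPerson)(uid=%s))" % username


def _unescape(s: str) -> str:
    return re.sub(r"\\([0-9a-fA-F]{2})", lambda m: chr(int(m.group(1), 16)), s)


class FakeDirectory:
    """Constructed stand-in for an LDAP server: {dn: attributes}. It supports
    just enough of LDAP semantics to exercise the two checks above."""

    def __init__(self, entries):
        self.entries = entries

    def search(self, base_dn, ldap_filter):
        """Return DNs under base_dn whose uid matches the (uid=...) term.
        An unescaped '*' is a wildcard, as on a real server; '\\2a' is literal."""
        m = re.search(r"\(uid=([^)]*)\)", ldap_filter)
        if not m:
            return []
        parts = [re.escape(_unescape(p)) for p in m.group(1).split("*")]
        pattern = re.compile("^" + ".*".join(parts) + "$")
        return [dn for dn, attrs in self.entries.items()
                if dn.endswith(base_dn) and pattern.match(attrs["uid"])]

    def bind(self, dn, password):
        """Simple bind. A DN with an empty password is an *unauthenticated*
        bind (RFC 4513 section 5.1.2), which real servers commonly accept,
        so a caller that does not reject empty passwords lets anyone in."""
        if password == "":
            return True
        return self.entries.get(dn, {}).get("userPassword") == password


def authenticate(conn, base_dn, username, password):
    """Return the user's DN on success, None otherwise."""
    if not password:
        return None                      # never let this become an unauthenticated bind
    dns = conn.search(base_dn, user_filter(username))
    if len(dns) != 1:
        return None                      # unknown user, or an ambiguous match
    return dns[0] if conn.bind(dns[0], password) else None


# Constructed sample directory (passwords are placeholders).
BASE_DN = "ou=people,dc=example,dc=edu"
DIRECTORY = FakeDirectory({
    "uid=jdoe,ou=people,dc=example,dc=edu":   {"uid": "jdoe",   "userPassword": "correct horse"},
    "uid=asmith,ou=people,dc=example,dc=edu": {"uid": "asmith", "userPassword": "battery staple"},
})


if __name__ == "__main__":
    print(authenticate(DIRECTORY, BASE_DN, "jdoe", "correct horse"))   # the DN
    print(authenticate(DIRECTORY, BASE_DN, "jdoe", ""))                # None
    print(DIRECTORY.search(BASE_DN, unsafe_user_filter("*")))          # every account
    print(DIRECTORY.search(BASE_DN, user_filter("*")))                 # []
```

When the external service does the bind itself (the situation the answer describes), it is that vendor's code that has to get these two checks right; asking them which bind DN they use and whether they reject empty passwords is a reasonable question before pointing them at the campus directory.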