Single Sign-on - SSO
Single Sign-on is one of the best features ever developed. Currently I am relying on mod_auth_kerb to get SSO support in the browser. This approach has a few drawbacks. Mainly:
- Not every application supports Kerberos HTTP authentication (e.g. Roundcube).
- Requires a .htaccess file with auth definition for every SSO-enabled application (lots of duplication).
- Retro login field. Depending on the browser, it is not always clear if the login is posted over http or https.
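The per-application file described in the list above looks roughly like the following. This is an added example, not the author's configuration; the realm, the keytab path and the reading of the "retro login field" as the browser's Basic-auth password dialog (mod_auth_kerb's password fallback) are assumptions.

```apache
# .htaccess placed in each SSO-enabled application directory
# (constructed example; realm and keytab path are placeholders)

# Refuse plain-HTTP requests so no credential ever travels unencrypted.
# Needs mod_ssl loaded and AllowOverride AuthConfig for this directory.
SSLRequireSSL

AuthType Kerberos
AuthName "Kerberos Login"
KrbAuthRealms EXAMPLE.ORG
KrbServiceName HTTP
Krb5Keytab /etc/apache2/http.keytab

# Ticket-based SPNEGO login: the browser sends a service ticket, no password.
KrbMethodNegotiate On

# Password fallback. "On" makes browsers without a ticket show the
# Basic-auth dialog and send the Kerberos password to the server.
# "Off" removes that dialog; clients without a ticket get a 401 instead.
KrbMethodK5Passwd Off

Require valid-user
```

With the fallback off, only clients that already hold a Kerberos ticket can log in, so the question of whether a typed password went over http or https no longer arises.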
Any web application that exports system users as OpenID identities and enables Kerberos login would fit best in my environment.
Shibboleth seems to be a highly advanced system that would most definitely be overkill for my network. Several web applications seem to support Shibboleth or only require setting up the login and logout URL.
If there are no existing OpenID providers matching my needs, I will probably develop a new one. Such a system will need special care, as it is essential for the whole network's security. It should probably only be opened to the WWW once it has been tested thoroughly for several months.
So mod_auth_kerb will have to stay for the next few years.