CoSign: Collaborative Single Sign-On  

cosign-discuss at
general discussion of cosign development and deployment

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: Kerberos Tickets

On Mar 30, 2004, at 10:20 PM, Brett Lomas wrote:

Thanks for the reply on the hardware and all, very helpful.

glad to help. I trust Johanna's reply was helpful too?

CoSign and Kerberos question. When an application requests a Kerberos ticket
(the RETRIEVE command to cosignd) it appears to be allowed to specify the
ticket name (eg imap/ This looks to be a
service account (in the examples I have seen), does this mean that a service
ticket is passed back to the application, and not a/the TGT the cosign CGI
obtained to authenticate the user?

That's the eventual plan, Brett, but currently it is the TGT that is returned. You'll note the 0/1 in cosign.conf to determine whether a service can request Kerberos credentials? In theory this could eventually be a list of services for which a service is allowed to request service tickets (e.g. mail can ask for imap, directory can ask for ldap, etc.). We were sure, during early development, that not distributing the TGT would be a major feature requirement. So far it just hasn't been (for us, anyway).

Is this a make or break feature for your site?


Copyright © 2002 - 2004 Regents of the University of Michigan :  Page last updated 15-December-2010