OpenAM / OPENAM-4923

Update Windows Desktop SSO module to allow whitelisting Kerberos realms/KDCs

    Details

    • Type: New Feature
    • Status: Resolved
    • Priority: Minor
    • Resolution: Fixed
    • Affects Version/s: 10.0.0, 10.0.1, 10.1.0-Xpress, 10.0.2, 11.0.0, 11.0.1, 11.0.2, 12.0.0
    • Fix Version/s: 11.0.3, 12.0.1, 13.0.0
    • Component/s: authentication
    • Environment:
      java version "1.7.0_67"
      Apache Tomcat 7.0.37
      OpenAM 12.0.0-SNAPSHOT Build 11345 (2014-November-06 21:12)

      Description

      Use case: multiple Kerberos domains with cross-domain trust, or similarly multiple AD domains, say 'Domain A' and 'Domain B'.

      Domain A needs to trust Domain B to grant access to resources (e.g. Windows shares).

      However, it should only be possible to use Kerberos tickets from Domain A to authenticate at OpenAM.

      AND

      The authentication module must fail if a Kerberos ticket from another domain is used, so that a proper auth chain can be used.

      Currently the OpenAM WDSSO module just validates the ticket, and authentication succeeds as long as any ticket is valid.

      Using the 'profile lookup' feature together with 'Return Principal with Domain Name' is not sufficient to fulfill the 2nd requirement.
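
Added example, not code from OpenAM or from the reporter: one way to enforce the requested realm whitelist after ticket validation, failing the module for any principal whose realm is not listed. The class and method names and the sample principals are assumptions; the principal string is assumed to be what `GSSContext.getSrcName().toString()` yields once the security context is established.

```java
import java.util.Arrays;
import java.util.Collection;
import java.util.HashSet;
import java.util.Set;

// Hypothetical helper for illustration; not part of the OpenAM code base.
public final class RealmAllowlist {
    private final Set<String> trustedRealms;

    public RealmAllowlist(Collection<String> trustedRealms) {
        this.trustedRealms = new HashSet<String>(trustedRealms);
    }

    /**
     * Returns the realm of a Kerberos principal name, or null when it cannot
     * be determined unambiguously. A backslash escapes the next character, so
     * an escaped '@' inside the user part is not treated as the separator.
     */
    static String realmOf(String principal) {
        if (principal == null) return null;
        int at = -1, separators = 0;
        for (int i = 0; i < principal.length(); i++) {
            char c = principal.charAt(i);
            if (c == '\\') { i++; }                       // skip the escaped character
            else if (c == '@') { at = i; separators++; }
        }
        // Reject: no realm, empty user part, empty realm, or more than one separator.
        if (separators != 1 || at == 0 || at == principal.length() - 1) return null;
        return principal.substring(at + 1);
    }

    /** Fail closed: only an exact, case-sensitive realm match is trusted. */
    public boolean isTrusted(String principal) {
        String realm = realmOf(principal);
        return realm != null && trustedRealms.contains(realm);
    }

    public static void main(String[] args) {
        // Constructed sample data: Domain A is trusted, Domain B is not.
        RealmAllowlist allow = new RealmAllowlist(Arrays.asList("A.EXAMPLE.COM"));
        String[] samples = {
            "alice@A.EXAMPLE.COM", "bob@B.EXAMPLE.COM", "carol",
            "alice@a.example.com", "dave\\@A.EXAMPLE.COM@B.EXAMPLE.COM"
        };
        for (String p : samples) {
            System.out.println(p + " -> " + (allow.isTrusted(p) ? "continue" : "fail module"));
        }
    }
}
```

Returning a module failure instead of an error page lets the next module in the auth chain take over for users from the untrusted domain.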


              People

              Assignee:
              bthalmayr Bernhard Thalmayr
              Reporter:
              bthalmayr Bernhard Thalmayr
              Votes:
              1
              Watchers:
              4
