OPENAM-4923

Update Windows Desktop SSO module to allow whitelisting Kerberos realms/KDCs

    Details

    • Type: New Feature
    • Status: Resolved
    • Priority: Minor
    • Resolution: Fixed
    • Affects Version/s: 10.0.0, 10.0.1, 10.1.0-Xpress, 10.0.2, 11.0.0, 11.0.1, 11.0.2, 12.0.0
    • Fix Version/s: 11.0.3, 12.0.1, 13.0.0
    • Component/s: authentication
    • Environment:
      java version "1.7.0_67"
      Apache Tomcat 7.0.37
      OpenAM 12.0.0-SNAPSHOT Build 11345 (2014-November-06 21:12)

      Description

      Use case: multiple Kerberos domains; cross-domain trust; similarly, multiple AD domains, say 'Domain A' and 'Domain B'.

      Domain A needs to trust Domain B to grant access to resources (e.g. Windows shares).

      However it should only be possible to use Kerberos tickets from Domain A to be authenticated at OpenAM.

      AND

      the authentication module must fail if a Kerberos ticket from another domain is used, so that a proper auth chain can be used.

      Currently OpenAM WDSSO module will just validate the ticket and authentication will be successful as long as any ticket is valid.

      Using the 'profile lookup' feature together with 'Return Principal with Domain Name' is not sufficient to fulfil the 2nd requirement.
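      The realm check this request asks for, as an added example (not OpenAM code): it takes the realm from the Kerberos principal the WDSSO module would receive and fails the login when that realm is not on an allowlist, so the auth chain can continue to another module. It goes slightly beyond the ticket by handling service principals with an instance part and backslash-escaped '@' in the primary. Realm names are constructed sample values, and treating an empty allowlist as "accept any realm" is an assumption of the example.

```python
# Added example (not OpenAM code): realm allowlist check for a Windows Desktop SSO
# style Kerberos login. Realm names below are constructed sample values.
from typing import Optional, Set


def kerberos_realm(principal: str) -> Optional[str]:
    """Return the realm of a Kerberos principal name, or None if it has none.

    The principal has the form primary[/instance]@REALM.  A backslash escapes
    the next character, so '\\@' inside the primary is not the realm separator;
    the separator is the last unescaped '@'.
    """
    i = len(principal) - 1
    while i >= 0:
        if principal[i] == "@":
            j = i - 1
            while j >= 0 and principal[j] == "\\":   # count backslashes before '@'
                j -= 1
            if (i - 1 - j) % 2 == 0:                 # even count: '@' is unescaped
                return principal[i + 1:] or None     # empty realm counts as none
        i -= 1
    return None


def realm_is_trusted(principal: str, trusted_realms: Set[str]) -> bool:
    """Fail closed: a ticket whose realm is missing or not listed is rejected.

    Realms are compared exactly (Kerberos realm names are case-sensitive and
    AD realms are upper-case).  An empty set keeps the pre-feature behaviour,
    any valid ticket accepted; that is an assumption of this example.
    """
    if not trusted_realms:
        return True
    realm = kerberos_realm(principal)
    return realm is not None and realm in trusted_realms


def wdsso_login(principal: str, trusted_realms: Set[str]) -> str:
    """Module outcome the ticket asks for: a valid ticket from an untrusted
    realm makes this module FAIL instead of logging the user in."""
    return "SUCCESS" if realm_is_trusted(principal, trusted_realms) else "FAILED"


# Constructed sample principals: only Domain A may log in to OpenAM; Domain B is
# trusted by A for file shares but not for web SSO.
TRUSTED = {"DOMAINA.EXAMPLE.COM"}
SAMPLE_TICKETS = [
    "jdoe@DOMAINA.EXAMPLE.COM",                          # SUCCESS
    "host/app.domaina.example.com@DOMAINA.EXAMPLE.COM",  # SUCCESS (instance part)
    "jdoe@DOMAINB.EXAMPLE.COM",                          # FAILED (cross-trust realm)
    "jdoe@domaina.example.com",                          # FAILED (realm case differs)
    "jdoe",                                              # FAILED (no realm, fail closed)
]

if __name__ == "__main__":
    for ticket in SAMPLE_TICKETS:
        print(f"{ticket:52} -> {wdsso_login(ticket, TRUSTED)}")
```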

    People

    • Assignee: Bernhard Thalmayr (bthalmayr)
    • Reporter: Bernhard Thalmayr (bthalmayr)
    • Votes: 1
    • Watchers: 4
