It's called Kerberos - because M.I.T. doesn't let anyone call their own
version "Kerberos", it is called NAS, or Network Authentication Service
on the i.
Kerberos is used by Windows network authentication. When you sign in as
part of such a network, you send credentials up to the AD server - it
sends back a Kerberos ticket that opens all your doors for you. No
passwords are spread around your enterprise, BTW.
iSeries Access has the option of using Kerberos for authentication. So
does the Apache server. And 5250 emulation. And ODBC - IIRC, FTP was
added to the mix recently - and Netserver can do it.
Kerberos is a trusted 3rd-party authentication protocol. I've likened it
to "Joe sent me" in the Prohibition speakeasy days - both you and the
drinking establishment know Joe, and the bar knows that if Joe says
you're OK, you are.
In Windows networking, "Joe" is an Active Directory server.
On IBM i, there is an additional component - EIM, or Enterprise Identity
Mapping - with other systems, the same profile is used everywhere. With
EIM, you say that your Windows user name JamesHHL is the same person
that has the IBM i profile JHHLAMB - and since the Windows user has been
authenticated by trusted 3rd party, IBM i authenticates JHHLAMB and
authorizes using that profile's settings.
There are APIs that will let you probe the EIM structure based on
getting information like the Windows principal (user) and finding which
system or app user that points to. I wrote SSO functionality in the RJS
Software WebDocs product not too many years ago.
There is an SSO 101 kind of article at developerworks, written by the
ISV support team at IBM - the guys I worked with for about a
month-and-a-half until we all understood it. It's a great article, and
if you are an ISV partner and have call-in ISV support, you can contact
them and get tons of help.
You might also talk to Pat Botz, former IBMer who was involved in
writing the EIM stuff - he is a security consultant who helps people get
set up with SSO, gives sessions at COMMON on all this.
The whole thing did not make sense for quite a while - then all of a
sudden the fog lifted and it seems it is easy. Trust me!
The idea of SSO is you log in once, then that authentication is trusted
across the entire enterprise - to apps and systems that understand it,
of course.
To get a feel for Kerberos - it really IS a very robust protocol - look
up "kerberos dialogue" in google - a Greek play in 4 acts - something
like that. Kind of fun!
HTH
Vern
On 9/11/2014 6:26 PM, James H. H. Lampert wrote:
I'll say right up front that even after looking it up in Wikipedia, I
still only have a vague idea what Single Sign On is.
A customer asked about Single Sign On in relation to our CRM product.
Could somebody please do something to relieve my complete and utter
ignorance about the subject?
--
JHHL
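To make the "Joe sent me" description above concrete, here is a small added model of the flow (this is illustrative code, not anything from the thread or from IBM): a trusted third party issues a ticket sealed with the *service's* key after the user proves knowledge of their password, the service on the i verifies the ticket with its own key without ever seeing that password, and an EIM-style table maps the authenticated Windows principal to the IBM i profile that gets authorized. HMAC seals stand in for the encrypted tickets real Kerberos uses; every name, key, password and timestamp is constructed.

```python
"""Toy model of the Kerberos-style "Joe sent me" flow plus an EIM-style
identity mapping. Constructed example: names, keys and passwords are made up,
and HMAC seals stand in for the encrypted tickets real Kerberos uses."""
import hashlib
import hmac
import json

TICKET_LIFETIME = 600  # seconds; constructed value


def _seal(key: bytes, claims: dict) -> dict:
    """Bind claims to a key so the holder of the ticket cannot alter them."""
    body = json.dumps(claims, sort_keys=True).encode()
    return {"body": body.hex(),
            "mac": hmac.new(key, body, hashlib.sha256).hexdigest()}


def _unseal(key: bytes, ticket: dict) -> dict:
    """Verify the seal with the verifier's own key; reject anything altered."""
    body = bytes.fromhex(ticket["body"])
    expected = hmac.new(key, body, hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, ticket["mac"]):
        raise PermissionError("ticket seal invalid")
    return json.loads(body)


def user_key(password: str) -> bytes:
    """Stand-in for Kerberos string-to-key; only the user and the KDC hold it."""
    return hashlib.sha256(password.encode()).digest()


def preauth(password: str, now: int) -> str:
    """Client proof of password knowledge: a MAC over the current time."""
    return hmac.new(user_key(password), str(now).encode(), hashlib.sha256).hexdigest()


class KDC:
    """'Joe': the trusted third party (Active Directory in Windows networks)."""

    def __init__(self, user_keys: dict, service_keys: dict):
        self.user_keys = user_keys
        self.service_keys = service_keys

    def issue_ticket(self, principal: str, proof: str, service: str, now: int) -> dict:
        key = self.user_keys[principal]
        expected = hmac.new(key, str(now).encode(), hashlib.sha256).hexdigest()
        if not hmac.compare_digest(expected, proof):
            raise PermissionError("pre-authentication failed")
        # Sealed with the *service's* key: the service can check it, but the
        # user's password never travels to the service.
        return _seal(self.service_keys[service],
                     {"principal": principal, "service": service,
                      "expires": now + TICKET_LIFETIME})


class EIM:
    """Enterprise Identity Mapping: source-registry user -> target-registry user."""

    def __init__(self, associations: dict):
        self.associations = associations  # {(registry, user): {registry: user}}

    def lookup(self, source_registry: str, source_user: str, target_registry: str) -> str:
        try:
            return self.associations[(source_registry, source_user)][target_registry]
        except KeyError:
            raise LookupError(f"no {target_registry} identity for {source_registry}/{source_user}")


class IBMiService:
    """A service on the i (5250, ODBC, ...) that accepts the ticket."""

    def __init__(self, name: str, key: bytes, eim: EIM):
        self.name, self.key, self.eim = name, key, eim

    def accept(self, ticket: dict, now: int) -> str:
        claims = _unseal(self.key, ticket)
        if claims["service"] != self.name:
            raise PermissionError("ticket issued for a different service")
        if claims["expires"] <= now:
            raise PermissionError("ticket expired")
        # Authentication came from the trusted third party; EIM decides which
        # local profile that principal is, and the i authorizes as that profile.
        return self.eim.lookup("AD", claims["principal"], "IBMi")


def build_realm():
    """Constructed realm: one AD user, one i service, one EIM association."""
    service_key = b"constructed-service-key"
    kdc = KDC(user_keys={"JamesHHL": user_key("constructed-password")},
              service_keys={"ibmi-service": service_key})
    eim = EIM({("AD", "JamesHHL"): {"IBMi": "JHHLAMB"}})
    return kdc, IBMiService("ibmi-service", service_key, eim)


def sso_login(password: str, now: int = 1_410_478_000) -> str:
    """Full flow: sign in once to the KDC, present the ticket, get the i profile."""
    kdc, svc = build_realm()
    ticket = kdc.issue_ticket("JamesHHL", preauth(password, now), "ibmi-service", now)
    return svc.accept(ticket, now)


if __name__ == "__main__":
    print(sso_login("constructed-password"))  # JHHLAMB
```

The points worth noticing are the two keys: the user's key is used only between user and KDC, and the service key only between KDC and service, so a wrong password fails at the KDC, a tampered ticket fails at the service, and the EIM lookup is what turns "JamesHHL was authenticated" into "run as JHHLAMB".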