使用 Python 进行 SSO 的 SPNEGO(kerberos 令牌生成/验证)
我正在尝试实现一个简单的单点登录场景,其中一些参与的服务器将是 Windows (IIS) 框。 看起来 SPNEGO 是一条合理的路径。
场景如下:
- 用户使用他的用户名和密码登录我的 SSO 服务。 我使用某种机制验证他的身份。
- 稍后用户想要访问应用程序 A。
- 用户对应用 A 的请求被 SSO 服务拦截。 SSO 服务使用 SPNEGO 将用户登录到应用程序 A:
- SSO 服务访问应用程序 A 网页,获取“WWW-Authenticate: Negotiate”响应
- SSO 服务代表用户生成“授权:协商 xxx”响应,并响应应用 A。用户现已登录到应用 A。
- SSO 服务拦截对应用 A 的后续用户请求,在将这些请求传递给应用 A 之前将授权标头插入其中。
- 用户对应用 A 的请求被 SSO 服务拦截。 SSO 服务使用 SPNEGO 将用户登录到应用程序 A:
这听起来正确吗?
我需要两件事(至少我现在能想到的):
- 代表用户生成“授权:协商xxx”令牌的能力,最好使用Python
- 在Python中验证“授权:协商xxx”标头的能力(用于项目的后续部分)
I'm attempting to implement a simple Single Sign On scenario where some of the participating servers will be windows (IIS) boxes. It looks like SPNEGO is a reasonable path for this.
Here's the scenario:
- User logs in to my SSO service using his username and password. I authenticate him using some mechanism.
- At some later time the user wants to access App A.
- The user's request for App A is intercepted by the SSO service. The SSO service uses SPNEGO to log the user in to App A:
- The SSO service hits the App A web page, gets a "WWW-Authenticate: Negotiate" response
- The SSO service generates a "Authorization: Negotiate xxx" response on behalf of the user, responds to App A. The user is now logged in to App A.
- The SSO service intercepts subsequent user requests for App A, inserting the Authorization header into them before passing them on to App A.
- The user's request for App A is intercepted by the SSO service. The SSO service uses SPNEGO to log the user in to App A:
Does that sound right?
I need two things (at least that I can think of now):
- the ability to generate the "Authorization: Negotiate xxx" token on behalf of the user, preferably using Python
- the ability to validate "Authorization: Negotiate xxx" headers in Python (for a later part of the project)
如果你对这篇内容有疑问,欢迎到本站社区发帖提问 参与讨论,获取更多帮助,或者扫码二维码加入 Web 技术交流群。
绑定邮箱获取回复消息
由于您还没有绑定你的真实邮箱,如果其他用户或者作者回复了您的评论,将不能在第一时间通知您!
发布评论
评论(3)
请查看 http://spnego.sourceforge.net/credential_delegation.html 教程。 它似乎正在做你想做的事情。
Take a look at the http://spnego.sourceforge.net/credential_delegation.html tutorial. It seems to be doing what you are trying to do.
这正是 Apple 的日历服务器所做的事情。 他们有一个用于进程的 kerberos 部分的 python gssapi 库,以便实现SPNEGO。
在 CalendarServer/twistedcaldav/authkerb.py 中查找服务器身份验证部分。
kerberos 模块(即 ac 模块)没有任何有用的文档字符串,但 PyKerberos/pysrc/kerberos.py 具有所有函数定义。
这是 svn trunks 的 URL:
http://svn.calendarserver.org/repository/calendarserver/CalendarServer/trunk
http://svn.calendarserver.org/repository/calendarserver/PyKerberos/trunk
This is exactly what Apple does with its Calendar Server. They have a python gssapi library for the kerberos part of the process, in order to implement SPNEGO.
Look in CalendarServer/twistedcaldav/authkerb.py for the server auth portion.
The kerberos module (which is a c module), doesn't have any useful docstrings, but PyKerberos/pysrc/kerberos.py has all the function definitions.
Here's the urls for the svn trunks:
http://svn.calendarserver.org/repository/calendarserver/CalendarServer/trunk
http://svn.calendarserver.org/repository/calendarserver/PyKerberos/trunk
我一直在寻找类似的东西(在 Linux 上)很长一段时间,这使我多次访问此页面,但没有给出答案。 所以这是我的解决方案,我想出了:
网络服务器是带有 mod_auth_kerb 的 Apache。 它已经在 Active Directory 中运行,单点登录设置已经有一段时间了。
我之前已经能够做到的事情:
sspi.ClientAuth("Negotiate", targetspn="http/%s" % host)下面的代码片段完成了这个难题(和我的需求),让 Python 在 Linux 上使用 Kerberos 单点登录(使用 python- gssapi):
I've been searching quite some time for something similar (on Linux), that has lead me to this page several times, yet giving no answer. So here is my solution, I came up with:
The web-server is a Apache with mod_auth_kerb. It is already running in a Active Directory, single sign-on setup since quite some time.
What I was already able to do before:
sspi.ClientAuth("Negotiate", targetspn="http/%s" % host)The following code snippet completes the puzzle (and my needs), having Python single sign on with Kerberos on Linux (using python-gssapi):