Windows Desktop SSO

This module is specific to Windows and is also known as Kerberos authentication. The user presents a Kerberos token to Access Manager through the Simple and Protected GSS-API Negotiation Mechanism (SPNEGO) protocol. The Windows Desktop SSO authentication plug-in module provides a client (user) with desktop single sign-on. This means that a user who has already authenticated with a key distribution center can be authenticated with Access Manager without having to provide the login information again. The Windows Desktop SSO attributes are global attributes. The attributes are:

• Service Principal

• Keytab File Name

• Kerberos Realm

• Kerberos Server Name

• Return Principal with Domain Name

• Authentication Level

Service Principal

Specifies the Kerberos principal that is used for authentication. Use the following format:

HTTP/hostname.domainname@dc_domain_name

hostname and domainame represent the hostname and domain name of the Access Manager instance. dc_domain_name is the Kerberos domain in which the Windows 2000 Kerberos server (domain controller) resides. It is possibly different from the domain name of the Access Manager.

Keytab File Name

This attribute specifies the Kerberos keytab file that is used for authentication. Use the following format, although the format is not required:

hostname.HTTP.keytab

hostname is the hostname of the Access Manager instance.

Kerberos Realm

This attribute specifies the Kerberos Distribution Center (domain controller) domain name. Depending up on your configuration, the domain name of the domain controller may be different than the Access Manager domain name.

Kerberos Server Name

This attribute specifies the Kerberos Distribution Center (the domain controller) hostname. You must enter the fully qualified domain name (FQDN) of the domain controller.

Return Principal with Domain Name

If enabled, this attributes allows Access Manager to automatically return the Kerberos principal with the domain controller's domain name during authentication.

Authentication Level

The authentication level is set separately for each method of authentication. The value indicates how much to trust an authentication mechanism. Once a user has authenticated, this value is stored in the SSO token for the session. When the SSO token is presented to an application the user wants to access, the application uses the stored value to determine whether the level is sufficient to grant the user access. If the authentication level stored in an SSO token does not meet the minimum value required, the application can prompt the user to authenticate again through a service with a higher authentication level. The default value is 0.

If no authentication level is specified, the SSO token stores the value specified in the Core Authentication attribute Default Authentication Level.