<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=UTF-8">
</head>
<body bgcolor="#FFFFFF" text="#000000">
<p>Hi Alessandro,</p>
<p>To be honest - I don't know much about this single sign-on on
Windows. I just noticed that with some software, one doesn't have
to log in a second time. One login into the Windows system is
enough and the other software can - somehow (I don't know how) -
authenticate the user from the Windows login, without a second
log-in. But I don't know how that works.</p>
<p>It is not super important, but would be somehow convenient, if it
doesn't sacrifice security. Maybe it isn't possible at all.</p>
<p>Andreas<br>
</p>
<div class="moz-cite-prefix">On 20.11.19 at 17:24, Alessandro
Pasotti wrote:<br>
</div>
<blockquote type="cite"
cite="mid:CAL5Q673MrtCVC_dP-ssB2MdZxM0HHTx=qj45tHwXCvCqAbMESw@mail.gmail.com">
<div dir="ltr">
<div dir="ltr"><br>
</div>
<br>
<div class="gmail_quote">
<div dir="ltr" class="gmail_attr">On Wed, Nov 20, 2019 at 5:10
PM Andreas Neumann &lt;<a href="mailto:a.neumann@carto.net"
moz-do-not-send="true">a.neumann@carto.net</a>&gt; wrote:<br>
</div>
<blockquote class="gmail_quote" style="margin:0px 0px 0px
0.8ex;border-left:1px solid
rgb(204,204,204);padding-left:1ex">
<div
style="font-size:10pt;font-family:Verdana,Geneva,sans-serif">
<p>Hi Jürgen,</p>
<p>I wouldn't know how this works. When I create a new PG
connection, it forces me to add a username and password.
I can't create a new connection without specifying one.
Even if the Windows password manager already knows my
Windows credentials, which are the same as the PG
credentials. As a "stupid user" I would either expect:</p>
<p>- not being asked for credentials (means that QGIS
would automagically forward the Windows credentials)</p>
</div>
</blockquote>
<div><br>
</div>
<div>What if your DNS has been poisoned to hit <a
href="http://evil.hacker.com" moz-do-not-send="true">evil.hacker.com</a>
instead? Would you still want your credentials to be
automatically sent?</div>
<div><br>
</div>
<blockquote class="gmail_quote" style="margin:0px 0px 0px
0.8ex;border-left:1px solid
rgb(204,204,204);padding-left:1ex">
<div
style="font-size:10pt;font-family:Verdana,Geneva,sans-serif">
<p>- or when creating a new auth-conf, having a choice
like "use windows credentials" and then not being asked
for username/password, because QGIS already knows it
from Windows.</p>
</div>
</blockquote>
<div><br>
</div>
<div>I don't get this point: when you enter your credentials in
the OS wallet (password manager) it does not leak them to
QGIS, or that would be another huge security hole.</div>
<div> <br>
</div>
<blockquote class="gmail_quote" style="margin:0px 0px 0px
0.8ex;border-left:1px solid
rgb(204,204,204);padding-left:1ex">
<div
style="font-size:10pt;font-family:Verdana,Geneva,sans-serif">
<p>But maybe I am just not correctly handling it.</p>
<p>The one thing I noticed is that the Windows password
manager automatically loads the master password of the
QGIS password manager. So that one seems to work.</p>
</div>
</blockquote>
<br>
</div>
<div>That's the currently supported way to manage credentials:
you store them into the encrypted QGIS auth DB and
(optionally) store the master password in your OS wallet.</div>
<div><br>
</div>
<div>In any event, the QGIS auth system is plugin based (C++
plugins) and other/custom auth methods could be developed if
needed.<br>
</div>
<div><br>
</div>
<div>Cheers<br>
</div>
<div><br>
-- <br>
<div dir="ltr" class="gmail_signature">Alessandro Pasotti<br>
w3:&nbsp;&nbsp;<a href="http://www.itopen.it" target="_blank"
moz-do-not-send="true">www.itopen.it</a></div>
</div>
</div>
</blockquote>
</body>
</html>