<html>
  <head>
    <meta http-equiv="Content-Type" content="text/html; charset=UTF-8">
  </head>
  <body text="#000000" bgcolor="#FFFFFF">
    <p>If you have a "clean" Windows setup (i.e. both the client and
      server are Windows based) you can use the SSPI single sign-on setup on
      the server - equivalent to "Integrated security" for MS-SQLServer.
      <br>
    </p>
    <p>In simple terms it means that your Windows logon identity
      is automatically reused as a Postgres user identity without any
      further setup. <br>
    </p>
    <p>Very popular with my "Always Windows-only !!" customers and a
      forceful argument for switching them from MS-SQLServer to
      Postgres/PostGIS for spatial data. <br>
    </p>
    <p><a class="moz-txt-link-freetext" href="https://wiki.postgresql.org/wiki/Configuring_for_single_sign-on_using_SSPI_on_Windows">https://wiki.postgresql.org/wiki/Configuring_for_single_sign-on_using_SSPI_on_Windows</a><br>
    </p>
    <div class="moz-cite-prefix">
      <pre class="moz-signature" cols="72">-- 
Kind regards

Bo Victor Thomsen</pre>
    </div>
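    <p>A server-side sketch of the SSPI setup mentioned above, added here as an illustration and not part of the original message or the linked wiki page. The subnet 192.0.2.0/24, the realm name EXAMPLE and the map name windows_users are placeholders; the realm string the server sees depends on the compat_realm option.</p>
    <pre>
```conf
# pg_hba.conf (constructed example; subnet, realm and map name are placeholders)

# Weak form, shown commented out: include_realm=0 strips the realm,
# so "alice" from any accepted realm becomes the Postgres role "alice".
# host  all  all  192.0.2.0/24  sspi  include_realm=0

# Stricter form: keep the realm, accept a single realm only, and
# translate the Windows identity to a role through an explicit map.
host    all  all  192.0.2.0/24  sspi  include_realm=1 krb_realm=EXAMPLE map=windows_users

# pg_ident.conf (constructed example)
# A system user name starting with "/" is treated as a regular expression;
# \1 in the role column is replaced by the first captured group.
# MAPNAME        SYSTEM-USERNAME       PG-USERNAME
windows_users    /^(.*)@EXAMPLE$       \1
```
    </pre>
    <p>With this in place a client on the same domain connects without a user name or password in the connection settings, and only Windows identities from the one accepted realm map to a Postgres role.</p>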
    <div class="moz-cite-prefix">On 20-11-2019 at 22:59, Andreas
      Neumann wrote:<br>
    </div>
    <blockquote type="cite"
      cite="mid:1b5d0c9d-0736-d451-a9b3-26ceef12ce1a@carto.net">
      <p>Hi Alessandro,</p>
      <p>To be honest - I don't know much about this single sign-on on
        Windows. I just noticed that with some software, one doesn't
        have to log in a second time. One login into the Windows system
        is enough and the other software can - somehow (I don't know
        how) - authenticate the user from the Windows login, without a
        second log-in. But I don't know how that works.</p>
      <p>It is not super important, but would be somehow convenient, if
        it doesn't sacrifice security. Maybe it isn't possible at all.</p>
      <p>Andreas<br>
      </p>
      <div class="moz-cite-prefix">On 20.11.19 at 17:24, Alessandro
        Pasotti wrote:<br>
      </div>
      <blockquote type="cite"
cite="mid:CAL5Q673MrtCVC_dP-ssB2MdZxM0HHTx=qj45tHwXCvCqAbMESw@mail.gmail.com">
        <div dir="ltr">
          <div dir="ltr"><br>
          </div>
          <br>
          <div class="gmail_quote">
            <div dir="ltr" class="gmail_attr">On Wed, Nov 20, 2019 at
              5:10 PM Andreas Neumann &lt;<a
                href="mailto:a.neumann@carto.net" moz-do-not-send="true">a.neumann@carto.net</a>&gt;
              wrote:<br>
            </div>
            <blockquote class="gmail_quote" style="margin:0px 0px 0px
              0.8ex;border-left:1px solid
              rgb(204,204,204);padding-left:1ex">
              <div
                style="font-size:10pt;font-family:Verdana,Geneva,sans-serif">
                <p>Hi Jürgen,</p>
                <p>I wouldn't know how this works. When I create a new
                  PG connection, it forces me to add a username and
                  password. I can't create a new connection without
                  specifying one. Even if the Windows password manager
                  already knows my Windows credentials, which are the
                  same as the PG credentials. As a "stupid user" I would
                  either expect:</p>
                <p>- not being asked for credentials (means that QGIS
                  would automagically forward the Windows credentials)</p>
              </div>
            </blockquote>
            <div><br>
            </div>
            <div>What if your DNS has been poisoned to hit <a
                href="http://evil.hacker.com" moz-do-not-send="true">evil.hacker.com</a>
              instead? Would you still want your credentials to be
              automatically sent?</div>
            <div><br>
            </div>
            <blockquote class="gmail_quote" style="margin:0px 0px 0px
              0.8ex;border-left:1px solid
              rgb(204,204,204);padding-left:1ex">
              <div
                style="font-size:10pt;font-family:Verdana,Geneva,sans-serif">
                <p>- or when creating a new auth-conf, having a choice
                  like "use windows credentials" and then not being
                  asked for username/password, because QGIS already
                  knows it from Windows.</p>
              </div>
            </blockquote>
            <div><br>
            </div>
            <div>I don't get this point: when you enter your credentials
              in the OS wallet (password manager) it does not leak them
              to QGIS, or that would be another huge security hole.</div>
            <div> <br>
            </div>
            <blockquote class="gmail_quote" style="margin:0px 0px 0px
              0.8ex;border-left:1px solid
              rgb(204,204,204);padding-left:1ex">
              <div
                style="font-size:10pt;font-family:Verdana,Geneva,sans-serif">
                <p>But maybe I am just not correctly handling it.</p>
                <p>The one thing I noticed is that the Windows password
                  manager automatically loads the master password of the
                  QGIS password manager. So that one seems to work.</p>
              </div>
            </blockquote>
            <br>
          </div>
          <div>That's the currently supported way to manage credentials:
            you store them into the encrypted QGIS auth DB and
            (optionally) store the master password in your OS wallet.</div>
          <div><br>
          </div>
          <div>In any event, the QGIS auth system is plugin based (C++
            plugins) and other/custom auth methods could be developed if
            needed.<br>
          </div>
          <div><br>
          </div>
          <div>Cheers<br>
          </div>
          <div><br>
            -- <br>
            <div dir="ltr" class="gmail_signature">Alessandro Pasotti<br>
              w3:   <a href="http://www.itopen.it" target="_blank"
                moz-do-not-send="true">www.itopen.it</a></div>
          </div>
        </div>
      </blockquote>
      <br>
    </blockquote>
  </body>
</html>