[QGIS-Developer] Auth-config and single sign-on with Windows login
Andreas Neumann
a.neumann at carto.net
Wed Nov 20 13:59:00 PST 2019
Hi Alessandro,
To be honest - I don't know much about this single sign-on on Windows. I
just noticed that with some software, one doesn't have to log in a second
time. One login into the Windows system is enough and the other software
can - somehow (I don't know how) - authenticate the user from the
Windows login, without a second log-in. But I don't know how that works.
It is not super important, but would be somehow convenient, if it
doesn't sacrifice security. Maybe it isn't possible at all.
Andreas
On 20.11.19 at 17:24, Alessandro Pasotti wrote:
>
>
> On Wed, Nov 20, 2019 at 5:10 PM Andreas Neumann <a.neumann at carto.net> wrote:
>
> Hi Jürgen,
>
> I wouldn't know how this works. When I create a new PG connection,
> it forces me to add a username and password. I can't create a new
> connection without specifying one. Even if the Windows password
> manager already knows my windows credentials, which are the same
> as the PG credentials. As a "stupid user" I would either expect:
>
> - not being asked for credentials (means that QGIS would
> automagically forward the Windows credentials)
>
>
> What if your DNS has been poisoned to hit evil.hacker.com
> instead? Would you still want your
> credentials to be automatically sent?
>
> - or when creating a new auth-conf, having a choice like "use
> windows credentials" and then not being asked for
> username/password, because QGIS already knows it from Windows.
>
>
> I don't get this point: when you enter your credentials in the OS
> wallet (password manager) it does not leak them to QGIS, or that would
> be another huge security hole.
>
> But maybe I am just not correctly handling it.
>
> The one thing I noticed is that the Windows password manager
> automatically loads the master password of the QGIS password
> manager. So that one seems to work.
>
>
> That's the currently supported way to manage credentials: you store
> them into the encrypted QGIS auth DB and (optionally) store the master
> password in your OS wallet.
>
> In any event, the QGIS auth system is plugin based (C++ plugins) and
> other/custom auth methods could be developed if needed.
>
> Cheers
>
> --
> Alessandro Pasotti
> w3: www.itopen.it <http://www.itopen.it>