[QGIS-Developer] Auth-config and single sign-on with Windows login

Andreas Neumann a.neumann at carto.net
Wed Nov 20 13:59:00 PST 2019


Hi Alessandro,

To be honest - I don't know much about this single sign-on on Windows. I 
just noticed that with some software, one doesn't have to login a second 
time. One Login into the Windows system is enough and the other software 
can - somehow (I don't know how) - authenticate the user from the 
Windows-Login, without a second log-in. But I don't know how that works.

It is not super important, but would be somehow convenient, if it 
doesn't sacrifice security. Maybe it isn't possible at all.

Andreas

On 20.11.19 at 17:24, Alessandro Pasotti wrote:
>
>
> On Wed, Nov 20, 2019 at 5:10 PM Andreas Neumann <a.neumann at carto.net> wrote:
>
>     Hi Jürgen,
>
>     I wouldn't know how this works. When I create a new PG connection,
>     it forces me to add a username and password. I can't create a new
>     connection without specifying one. Even if the Windows password
>     manager already knows my windows credentials, which are the same
>     as the PG credentials. As a "stupid user" I would either expect:
>
>     - not being asked for credentials (means that QGIS would
>     automagically forward the Windows credentials)
>
>
> What if your DNS has been poisoned to hit evil.hacker.com instead?
> Would you still want your credentials to be automatically sent?
>
>     - or when creating a new auth-conf, having a choice like "use
>     windows credentials" and then not being asked for
>     username/password, because QGIS already knows it from Windows.
>
>
> I don't get this point: when you enter your credentials in the OS 
> wallet (password manager) it does not leak them to QGIS, or that would 
> be another huge security hole.
>
>     But maybe I am just not correctly handling it.
>
>     The one thing I noticed is that the Windows password manager
>     automatically loads the master password of the QGIS password
>     manager. So that one seems to work.
>
>
> That's the currently supported way to manage credentials: you store 
> them into the encrypted QGIS auth DB and (optionally) store the master 
> password in your OS wallet.
>
> In any event, the QGIS auth system is plugin based (C++ plugins) and 
> other/custom auth methods could be developed if needed.
>
> Cheers
>
> -- 
> Alessandro Pasotti
> w3: www.itopen.it