[QGIS-Developer] Auth-config and single sign-on with Windows login

Denis Rouzaud denis.rouzaud at gmail.com
Wed Nov 20 21:29:57 PST 2019


Hi,

I believe the situation is different for PG and WMS authentication.

For PG, if you have LDAP connection or so, you basically don't need to have
any credentials in QGIS. You will always connect through the same "user".
See https://wiki.postgresql.org/wiki/LDAP_Authentication_against_AD

For WMS, I don't see this being possible if I understand correctly how the
auth works; otherwise that would mean, as Alessandro pointed out, that your
user/password would leak.
The safe way would be that the authentication on the WMS server actually
checks the AD. I have no idea if that's possible, and it's totally
independent from QGIS.

Don't hesitate to correct me if I missed something.

Denis



On Wed, Nov 20, 2019 at 22:59, Andreas Neumann <a.neumann at carto.net>
wrote:

> Hi Alessandro,
>
> To be honest - I don't know much about this single sign-on on Windows. I
> just noticed that with some software, one doesn't have to log in a second
> time. One login into the Windows system is enough and the other software
> can - somehow (I don't know how) - authenticate the user from the
> Windows login, without a second log-in. But I don't know how that works.
>
> It is not super important, but would be somehow convenient, if it doesn't
> sacrifice security. Maybe it isn't possible at all.
>
> Andreas
> On 20.11.19 at 17:24, Alessandro Pasotti wrote:
>
>
>
> On Wed, Nov 20, 2019 at 5:10 PM Andreas Neumann <a.neumann at carto.net>
> wrote:
>
>> Hi Jürgen,
>>
>> I wouldn't know how this works. When I create a new PG connection, it
>> forces me to add a username and password. I can't create a new connection
>> without specifying one. Even if the Windows password manager already knows
>> my windows credentials, which are the same as the PG credentials. As a
>> "stupid user" I would either expect:
>>
>> - not being asked for credentials (means that QGIS would automagically
>> forward the Windows credentials)
>>
>
> What if your DNS has been poisoned to hit evil.hacker.com instead? Would
> you still want your credentials to be automatically sent?
>
>> - or when creating a new auth-conf, having a choice like "use windows
>> credentials" and then not being asked for username/password, because QGIS
>> already knows it from Windows.
>>
>
> I don't get this point: when you enter your credentials in the OS wallet
> (password manager) it does not leak them to QGIS, or that would be another
> huge security hole.
>
>> But maybe I am just not correctly handling it.
>>
>> The one thing I noticed is that the Windows password manager
>> automatically loads the master password of the QGIS password manager. So
>> that one seems to work.
>>
>
> That's the currently supported way to manage credentials: you store them
> into the encrypted QGIS auth DB and (optionally) store the master password
> in your OS wallet.
>
> In any event, the QGIS auth system is plugin based (C++ plugins) and
> other/custom auth methods could be developed if needed.
>
> Cheers
>
> --
> Alessandro Pasotti
> w3:   www.itopen.it
>
> _______________________________________________
> QGIS-Developer mailing list
> QGIS-Developer at lists.osgeo.org
> List info: https://lists.osgeo.org/mailman/listinfo/qgis-developer
> Unsubscribe: https://lists.osgeo.org/mailman/listinfo/qgis-developer