[QGIS-Developer] Auth-config and single sign-on with Windows login

Bo Victor Thomsen bo.victor.thomsen at gmail.com
Thu Nov 21 01:01:16 PST 2019


If you have a "clean" windows setup (i.e. both the client and server are 
Windows based) you can use the SSPI single sign-on setup on the server - 
equivalent to "Integrated security" for MS-SQLServer.

In simple terms it means that your windows logon identity automatically 
is reused as a postgres user identity without any further setup.

Very popular with my "Always Windows-only !!" customers and a forceful 
argument for switching them from MS-SQLServer to Postgres/PostGIS for 
spatial data.

https://wiki.postgresql.org/wiki/Configuring_for_single_sign-on_using_SSPI_on_Windows

-- 
Med venlig hilsen / Kind regards

Bo Victor Thomsen

Den 20-11-2019 kl. 22:59 skrev Andreas Neumann:
>
> Hi Alessandro,
>
> To be honest - I don't know much about this single sign-on on Windows. 
> I just noticed that with some software, one doesn't have to login a 
> second time. One Login into the Windows system is enough and the other 
> software can - somehow (I don't know how) - authenticate the user from 
> the Windows-Login, without a second log-in. But I don't know how that 
> works.
>
> It is not super important, but would be somehow convenient, if it 
> doesn't sacrifice security. Maybe it isn't possible at all.
>
> Andreas
>
> Am 20.11.19 um 17:24 schrieb Alessandro Pasotti:
>>
>>
>> On Wed, Nov 20, 2019 at 5:10 PM Andreas Neumann <a.neumann at carto.net> wrote:
>>
>>     Hi Jürgen,
>>
>>     I wouldn't know how this works. When I create a new PG
>>     connection, it forces me to add a username and password. I can't
>>     create a new connection without specifying one. Even if the
>>     Windows password manager already knows my windows credentials,
>>     which are the same as the PG credentials. As a "stupid user" I
>>     would either expect:
>>
>>     - not being asked for credentials (means that QGIS would
>>     automagically forward the Windows credentials)
>>
>>
>> What if your DNS has been poisoned to hit evil.hacker.com instead? 
>> Would you still want your credentials to be automatically sent?
>>
>>     - or when creating a new auth-conf, having a choice like "use
>>     windows credentials" and then not being asked for
>>     username/password, because QGIS already knows it from Windows.
>>
>>
>> I don't get this point: when you enter your credentials in the OS 
>> wallet (password manager) it does not leak them to QGIS, or that 
>> would be another huge security hole.
>>
>>     But maybe I am just not correctly handling it.
>>
>>     The one thing I noticed is that the Windows password manager
>>     automatically loads the master password of the QGIS password
>>     manager. So that one seems to work.
>>
>>
>> That's the currently supported way to manage credentials: you store 
>> them into the encrypted QGIS auth DB and (optionally) store the 
>> master password in your OS wallet.
>>
>> In any event, the QGIS auth system is plugin based (C++ plugins) and 
>> other/custom auth methods could be developed if needed.
>>
>> Cheers
>>
>> -- 
>> Alessandro Pasotti
>> w3: www.itopen.it
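
Added example, not part of the thread or of the QGIS/PostgreSQL code: a small audit of the server-side files behind the SSPI setup mentioned above, showing how an authenticated Windows principal (user@DOMAIN when include_realm=1) is resolved to a postgres role through a pg_ident.conf map, and flagging sspi rules that strip the realm. The file contents, the EXAMPLE domain and the function names are constructed for illustration; Python's re module stands in for PostgreSQL's regex engine and addresses are assumed to be in CIDR form.

```python
import re

# Constructed sample files, not taken from the thread; EXAMPLE is a placeholder domain.
PG_HBA = """\
# TYPE  DATABASE  USER  ADDRESS        METHOD  OPTIONS
host    gis       all   10.0.0.0/8     sspi    include_realm=1 map=winusers
host    all       all   0.0.0.0/0      sspi    include_realm=0
host    all       all   127.0.0.1/32   scram-sha-256
"""
PG_IDENT = """\
# MAPNAME   SYSTEM-USERNAME     PG-USERNAME
winusers    /^(.*)@EXAMPLE$     \\1
"""

def _rows(text):
    """Yield the whitespace-split fields of each non-comment, non-blank line."""
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if line:
            yield line.split()

def sspi_rules(hba_text):
    """Return (database, address, options) for every host* rule that uses sspi."""
    rules = []
    for f in _rows(hba_text):
        # Assumes CIDR addresses, so the method is always the fifth field.
        if f[0].startswith("host") and len(f) >= 5 and f[4] == "sspi":
            rules.append((f[1], f[3], dict(o.split("=", 1) for o in f[5:])))
    return rules

def findings(hba_text):
    """Flag sspi rules that strip the realm without pinning it via krb_realm."""
    return [f"{db} {addr}: include_realm=0 without krb_realm"
            for db, addr, opts in sspi_rules(hba_text)
            if opts.get("include_realm") == "0" and "krb_realm" not in opts]

def mapped_role(ident_text, mapname, principal):
    """Return the role pg_ident.conf lets this authenticated principal use."""
    for name, system_user, pg_user in _rows(ident_text):
        if name != mapname:
            continue
        if system_user.startswith("/"):  # leading slash marks a regular expression
            m = re.search(system_user[1:], principal)
            if m:
                return pg_user.replace("\\1", m.group(1)) if m.groups() else pg_user
        elif system_user == principal:
            return pg_user
    return None
```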