[QGIS-Developer] Auth-config and single sign-on with Windows login
Bo Victor Thomsen
bo.victor.thomsen at gmail.com
Thu Nov 21 01:01:16 PST 2019
If you have a "clean" Windows setup (i.e. both the client and server are
Windows based) you can use the SSPI single sign-on setup on the server -
equivalent to "Integrated security" for MS-SQLServer.
In simple terms it means that your Windows logon identity automatically
is reused as a postgres user identity without any further setup.
Very popular with my "Always Windows-only !!" customers and a forceful
argument for switching them from MS-SQLServer to Postgres/PostGIS for
spatial data.
https://wiki.postgresql.org/wiki/Configuring_for_single_sign-on_using_SSPI_on_Windows
--
Kind regards
Bo Victor Thomsen
On 20-11-2019 at 22:59, Andreas Neumann wrote:
>
> Hi Alessandro,
>
> To be honest - I don't know much about this single sign-on on Windows.
> I just noticed that with some software, one doesn't have to log in a
> second time. One Login into the Windows system is enough and the other
> software can - somehow (I don't know how) - authenticate the user from
> the Windows-Login, without a second log-in. But I don't know how that
> works.
>
> It is not super important, but would be somehow convenient, if it
> doesn't sacrifice security. Maybe it isn't possible at all.
>
> Andreas
>
> On 20.11.19 at 17:24, Alessandro Pasotti wrote:
>>
>>
>> On Wed, Nov 20, 2019 at 5:10 PM Andreas Neumann <a.neumann at carto.net>
>> wrote:
>>
>> Hi Jürgen,
>>
>> I wouldn't know how this works. When I create a new PG
>> connection, it forces me to add a username and password. I can't
>> create a new connection without specifying one. Even if the
>> Windows password manager already knows my windows credentials,
>> which are the same as the PG credentials. As a "stupid user" I
>> would either expect:
>>
>> - not being asked for credentials (means that QGIS would
>> automagically forward the Windows credentials)
>>
>>
>> What if your DNS has been poisoned to hit evil.hacker.com
>> instead? Would you still want your
>> credentials to be automatically sent?
>>
>> - or when creating a new auth-conf, having a choice like "use
>> windows credentials" and then not being asked for
>> username/password, because QGIS already knows it from Windows.
>>
>>
>> I don't get this point: when you enter your credentials in the OS
>> wallet (password manager) it does not leak them to QGIS, or that
>> would be another huge security hole.
>>
>> But maybe I am just not correctly handling it.
>>
>> The one thing I noticed is that the Windows password manager
>> automatically loads the master password of the QGIS password
>> manager. So that one seems to work.
>>
>>
>> That's the currently supported way to manage credentials: you store
>> them into the encrypted QGIS auth DB and (optionally) store the
>> master password in your OS wallet.
>>
>> In any event, the QGIS auth system is plugin based (C++ plugins) and
>> other/custom auth methods could be developed if needed.
>>
>> Cheers
>>
>> --
>> Alessandro Pasotti
>> w3: www.itopen.it
>
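
The server-side SSPI setup discussed in this thread, sketched as an added example that is not part of the original messages or of the linked wiki page. The address range 192.0.2.0/24, the map name `windows_sso`, the domain name `EXAMPLE` and the host and database names are constructed placeholders.

```conf
# --- pg_hba.conf (PostgreSQL server running on Windows) ---------------------
# TYPE  DATABASE  USER  ADDRESS         METHOD
#
# Password-based rule: every client has to type or store a password.
# Shown commented out for comparison.
# host  all       all   192.0.2.0/24    scram-sha-256
#
# SSPI rule: the server authenticates the Windows logon session of the
# connecting client, so no password is configured on the client side.
# include_realm=1 makes the authenticated name "user@DOMAIN", so accounts
# from other domains cannot collide with local role names.
# With the default compat_realm=1 the DOMAIN part is the NetBIOS domain name.
# map= points at the pg_ident.conf entry below (map name is a placeholder).
host    all       all   192.0.2.0/24    sspi include_realm=1 map=windows_sso

# --- pg_ident.conf -----------------------------------------------------------
# MAPNAME      SYSTEM-USERNAME        PG-USERNAME
#
# Accept only accounts from the EXAMPLE domain (placeholder) and map
# "alice@EXAMPLE" to the PostgreSQL role "alice". A role with that name
# has to exist in the cluster; accounts from any other domain are rejected.
windows_sso    /^(.*)@EXAMPLE$        \1

# --- client side -------------------------------------------------------------
# libpq connection string with no password. When "user" is omitted, libpq
# defaults it to the operating-system user name, which must match the role
# produced by the mapping above (host and dbname are placeholders):
#   host=db.example.internal dbname=gis
```

Rules in pg_hba.conf are matched top to bottom, so the `sspi` line has to come before any broader rule that would match the same clients with a different method.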