<div dir="ltr">Hi,<div><br></div><div>I believe the situation is different for PG and WMS authentication.</div><div><br></div><div>For PG, if you have LDAP connection or so, you basically don't need to have any credentials in QGIS. You will always connect through the same "user".</div><div>See <a href="https://wiki.postgresql.org/wiki/LDAP_Authentication_against_AD">https://wiki.postgresql.org/wiki/LDAP_Authentication_against_AD</a></div><div><br></div><div>For WMS, I don't see this possible if I understand correctly how works the auth, otherwise that would mean, as Alessandro pointed, that your user/password would leak.</div><div>The safe way would be that the authentication on the WMS server actually checks the AD. I have no idea if that's possible and it's totally independent from QGIS.</div><div><br></div><div>Don't hesitate to correct me if I missed something.</div><div><br></div><div>Denis</div><div><br></div><div><br></div></div><br><div class="gmail_quote"><div dir="ltr" class="gmail_attr">Le mer. 20 nov. 2019 à 22:59, Andreas Neumann <<a href="mailto:a.neumann@carto.net">a.neumann@carto.net</a>> a écrit :<br></div><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex">
<div bgcolor="#FFFFFF">
<p>Hi Alessandro,</p>
<p>To be honest - I don't know much about this single sign-on on
Windows. I just noticed that with some software, one doesn't have
to login a second time. One Login into the Windows system is
enough and the other software can - somehow (I don't know how) -
authenticate the user from the Windwos-Login, without a second
log-in. But I don't know how that works.</p>
<p>It is not super important, but would be somehow convenient, if it
doesn't sacrifice security. Maybe it isn't possible at all.</p>
<p>Andreas<br>
</p>
<div>Am 20.11.19 um 17:24 schrieb Alessandro
Pasotti:<br>
</div>
<blockquote type="cite">
<div dir="ltr">
<div dir="ltr"><br>
</div>
<br>
<div class="gmail_quote">
<div dir="ltr" class="gmail_attr">On Wed, Nov 20, 2019 at 5:10
PM Andreas Neumann <<a href="mailto:a.neumann@carto.net" target="_blank">a.neumann@carto.net</a>> wrote:<br>
</div>
<blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex">
<div style="font-size:10pt;font-family:Verdana,Geneva,sans-serif">
<p>Hi Jürgen,</p>
<p>I wouldn't know how this works. When I create a new PG
connection, it forces me to add a username and password.
I can't create a new connection without specifying one.
Even if the Windows password manager already knows my
windows credentials, which are the same as the PG
credentials. As a "stupid user" I would either expect:</p>
<p>- not being asked for credentials (means that QGIS
would automagically forward the Windows credentials)</p>
</div>
</blockquote>
<div><br>
</div>
<div>What if your DNS has been poisoned to hit <a href="http://evil.hacker.com" target="_blank">evil.hacker.com</a>
instead? Would you still want your credentials to be
automatically sent?</div>
<div><br>
</div>
<blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex">
<div style="font-size:10pt;font-family:Verdana,Geneva,sans-serif">
<p>- or when creating a new auth-conf, having a choice
like "use windows credentials" and then not being asked
for username/password, because QGIS already knows it
from Windows.</p>
</div>
</blockquote>
<div><br>
</div>
<div>I don't get this point: when you enter you credentials in
the OS wallet (password manager) it does not leak them to
QGIS, or that would be another huge security hole.</div>
<div> <br>
</div>
<blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex">
<div style="font-size:10pt;font-family:Verdana,Geneva,sans-serif">
<p>But maybe I am just not correctly handling it.</p>
<p>The one thing I noticed is that the Windows password
manager automatically loads the master password of the
QGIS password manager. So that one seems to work.</p>
</div>
</blockquote>
<br>
</div>
<div>That's the currently supported way to manage credentials:
you store them into the encrypted QGIS auth DB and
(optionally) store the master password in your OS wallet.</div>
<div><br>
</div>
<div>In any event, the QGIS auth system is plugin based (C++
plugins) and other/custom auth methods could be developed if
needed.<br>
</div>
<div><br>
</div>
<div>Cheers<br>
</div>
<div><br>
-- <br>
<div dir="ltr">Alessandro Pasotti<br>
w3: <a href="http://www.itopen.it" target="_blank">www.itopen.it</a></div>
</div>
</div>
</blockquote>
</div>
_______________________________________________<br>
QGIS-Developer mailing list<br>
<a href="mailto:QGIS-Developer@lists.osgeo.org" target="_blank">QGIS-Developer@lists.osgeo.org</a><br>
List info: <a href="https://lists.osgeo.org/mailman/listinfo/qgis-developer" rel="noreferrer" target="_blank">https://lists.osgeo.org/mailman/listinfo/qgis-developer</a><br>
Unsubscribe: <a href="https://lists.osgeo.org/mailman/listinfo/qgis-developer" rel="noreferrer" target="_blank">https://lists.osgeo.org/mailman/listinfo/qgis-developer</a></blockquote></div>