发表新帖
发表新帖

SPNEGO (kerberos token generation/validation) for SSO using Python

前端 未结
关注
3 1743
隐瞒了意图╮
隐瞒了意图╮ 2020-12-14 05:23

I\'m attempting to implement a simple Single Sign On scenario where some of the participating servers will be windows (IIS) boxes. It looks like SPNEGO is a reasonable path

相关标签:
3条回答
  • 深忆病人
    2020-12-14 05:35

    Take a look at the http://spnego.sourceforge.net/credential_delegation.html tutorial. It seems to be doing what you are trying to do.

    0 讨论(0)
  • 予麋鹿
    2020-12-14 05:48

    This is exactly what Apple does with its Calendar Server. They have a python gssapi library for the kerberos part of the process, in order to implement SPNEGO.

    Look in CalendarServer/twistedcaldav/authkerb.py for the server auth portion. The kerberos module (which is a c module), doesn't have any useful docstrings, but PyKerberos/pysrc/kerberos.py has all the function definitions.

    Here's the urls for the svn trunks:
    http://svn.calendarserver.org/repository/calendarserver/CalendarServer/trunk
    http://svn.calendarserver.org/repository/calendarserver/PyKerberos/trunk

    0 讨论(0)
  • 梦毁少年i
    2020-12-14 05:58

    I've been searching quite some time for something similar (on Linux), that has lead me to this page several times, yet giving no answer. So here is my solution, I came up with:

    The web-server is a Apache with mod_auth_kerb. It is already running in a Active Directory, single sign-on setup since quite some time. What I was already able to do before:

    • Using chromium with single sign on on Linux (with a proper krb5 setup, with working kinit user@domain)
    • Having python connect and single sign on using sspi from the pywin32 package, with something like sspi.ClientAuth("Negotiate", targetspn="http/%s" % host)

    The following code snippet completes the puzzle (and my needs), having Python single sign on with Kerberos on Linux (using python-gssapi):

    in_token=base64.b64decode(neg_value)
service_name = gssapi.Name("HTTP@%s" % host, gssapi.C_NT_HOSTBASED_SERVICE)
spnegoMechOid = gssapi.oids.OID.mech_from_string("1.3.6.1.5.5.2")
ctx = gssapi.InitContext(service_name,mech_type=spnegoMechOid)
out_token = ctx.step(in_token)
buffer = sspi.AuthenticationBuffer()
outStr = base64.b64encode(out_token)
    0 讨论(0)
 看不清?
提交回复
热议问题