On May 15, 2012, at 21:15, Paul Bergen wrote:

[..]
> I see lots of documents about using
> SSO-technologies that require inter-server communication, or require
> licensed technology (like Microsoft's stuff). But I can't find a
> document that explains how to implement a simple SSO system like I
> described that allows the servers to operate without the need to
> communicate with each other. Does anybody know where I can find this?

[a bit off-topic for the list...]

To me, (real) SSO makes me think Kerberos (which is not that difficult to set up, I just did it and lost only a few hairs ;-).

Granted, Kerberos for your case would work in a natural way if the clients belong to the same, say, enterprise. For example, Apache has a mod_kerberos. This paper gives a good overview:

http://www.kerberos.org/software/kerbweb.pdf

Communication-wise, the client would have to request a ticket from the KDC, say, once a day. That's all. The servers don't communicate with each other or with the KDC. (Obviously you have to distribute the keytab to each server _once_ during bootstrapping.)

You should even be able to interoperate with MS Active Directory (which uses a modified Kerberos as protocol), see for example

http://www.gossamer-threads.com/lists/apache/users/324833

(read all the thread.)

Another option to look at for interoperability is samba acting as domain controller (http://www.samba.org/).

marco

______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    openssl-users@openssl.org
Automated List Manager                           majord...@openssl.org
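The property described in the reply above (the client fetches a ticket from the KDC about once a day, and each server validates it with its own keytab without contacting the KDC or the other servers), as an added example that is not part of the original post. It is a simplified model, not the Kerberos protocol: an HMAC under the service key stands in for the encrypted ticket, and the principal names, keys and function names are constructed for illustration.

```python
import base64
import hashlib
import hmac
import json

# Constructed sample keys, one per service principal. They model the keytab
# entries shared between the KDC and each server once, at bootstrap.
KEYTABS = {
    "HTTP/app1.example.test": b"constructed-key-for-app1",
    "HTTP/app2.example.test": b"constructed-key-for-app2",
}


def _b64(data):
    return base64.urlsafe_b64encode(data).decode()


def kdc_issue_ticket(user, service, now, lifetime=86400):
    """KDC side: bind user, target service and expiry under the service key."""
    body = json.dumps({"user": user, "svc": service, "exp": now + lifetime},
                      sort_keys=True).encode()
    tag = hmac.new(KEYTABS[service], body, hashlib.sha256).digest()
    return _b64(body) + "." + _b64(tag)


def server_accept(service, keytab_key, ticket, now):
    """Server side: verify with the local keytab key only, no network call.

    Returns the authenticated user name, or None if the ticket is rejected.
    """
    try:
        body_b64, tag_b64 = ticket.split(".")
        body = base64.urlsafe_b64decode(body_b64)
        tag = base64.urlsafe_b64decode(tag_b64)
    except ValueError:  # wrong field count or malformed base64
        return None
    expected = hmac.new(keytab_key, body, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        return None  # forged, altered, or issued for a different server's key
    claims = json.loads(body)  # parsed only after the tag has been verified
    if claims["svc"] != service or now >= claims["exp"]:
        return None  # wrong target service, or ticket lifetime is over
    return claims["user"]
```

A ticket issued for one server is rejected by the other because each server holds only its own key, which is also why a leaked keytab exposes only that one service.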