Single Sign-On for Rich Clients ("Fat Client") without Windows Logon

Question

single sign-on (SSO) for web applications (used through a browser) is well-documented and established. Establishing SSO for Rich Clients is harder, and is usually suggested on the basis of Kerberos tickets, in particular using a Windows login towards an ActiveDirectory in a domain.

However, I'm looking for a more generic solution for the following: I need to establish "real" SSO (one identity for all applications, i.e. not just a password synchronization across applications), where on client's side (unmanaged computers, incl. non-Windows), the "end clients" are a Java application and a GTK+ application. Both communicate with their server counterparts using a HTTP-based protocol (say, WebServices over HTTPS). The clients and the server do not necessarily sit in the same LAN/Intranet, but the client can access the servers from the extranet. The server-side of all the applications sit in the same network area, and the SSO component can access the identity provider via LDAP.

My question is basically "how can I do that"? More specifically,

a) is there an agreed-upon mechanism for secure, protected client-side "sso session storage", as it is the case with SSO cookies for browser-accessed applications? Possibly something like emulating Kerberos (TGT?) or even directly re-using it even where no ActiveDirectory authentication has been performed on the client side?

b) are there any protocols/APIs/frameworks for the communication between rich clients and the other participants of SSO (as it is the case for cookies)?

c) are there any APIs/frameworks for pushing kerberos-like TGTs and session tickets over the network?

d) are there any example implementations / tutorials available which demonstrate how to perform rich-client SSO?

I understand that there are "fill-out" agents which learn to enter the credentials into the application dialogues on the client side. I'd rather not use such a "helper" if possible.

Also, if possible, I would like to use CAS, Shibboleth and other open-source components where possible.

Thanks for comments, suggestions and answers!

MiKu

Answer 1

Going with AD account IS the generic solution. Kerberos is ubiquitous. This is the only mechanism which will ask you for your credentials once and just once at logon time.

This is all feasable, you need:

1. A KDC
2. Correct DNS entries
3. KDC accounts
4. Correct SPN entries
5. Client computers configured to talk to the KDC
6. Java app using JAAS with JGSS to obtain service tickets
7. GSS-API with your GTK+ app to obtain service tickets

What did you figure out yourself yet?