Excerpt: Non-interactive login. LoginConfig.
Meeting meta information
a Monday. Met 9:30 am to 10:30 am.
...
- Agenda item: Andrew reported on speculative design and implementation of non-interactive user login.
Next meeting
Next meeting will be Wed 03.09. Andrew will report on actual code implementing the topics discussed today. We will also discuss ACAS.
Explanation of whiteboard
Attached is a screenshot of the whiteboard.
...
Asking the LoginConfig about the sufficiency of authentication, gateway mode, and warn mode provides an important extension point. Advanced implementations of the RequestToLoginConfig "factory" of LoginConfigs, and of LoginConfigs themselves, might implement rules such as "Never allow Single Sign On from the IP addresses of known kiosks".
The players
Revisiting the particular interfaces used here. In general, the LoginConfig could consider where the request seems to be coming from (it looks like a kiosk), user preferences based on a persistent browser cookie (the SSO opt-in cookie was present, or the opt-out-of-SSO cookie was not present), user preferences based on authenticated identity (we know awp9 has opted out of privacy), and service preferences (we know the service for which we're trying to issue an ST will accept nothing less than a client cert along with username and password along with NTLM authentication).
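
A sketch of the extension point described above, added here as an illustration and not code from the meeting or the project. The method names, cookie names, factor labels, addresses and service URLs are all assumptions, and the gateway and warn handling in `next_step` reflects assumed semantics (gateway: never prompt; warn: tell the user before a ticket is issued from an existing session).

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Constructed sample data (assumptions, not from the meeting notes).
KIOSK_NETS = [ip_network("192.0.2.0/28")]
SERVICE_REQUIRES = {"https://payroll.example.edu/": {"password", "client_cert", "ntlm"}}

@dataclass(frozen=True)
class Request:
    remote_addr: str
    service: str
    cookies: frozenset = frozenset()
    gateway: bool = False

@dataclass(frozen=True)
class LoginConfig:
    allow_sso: bool
    required_factors: frozenset
    gateway: bool
    warn: bool

    def is_sufficient(self, factors, from_sso_session):
        """Is this authentication enough to issue a service ticket (ST)?"""
        if from_sso_session and not self.allow_sso:
            return False
        return self.required_factors <= set(factors)

def request_to_login_config(req):
    """Hypothetical RequestToLoginConfig factory: one LoginConfig per request."""
    try:
        kiosk = any(ip_address(req.remote_addr) in net for net in KIOSK_NETS)
    except ValueError:
        kiosk = True  # unparseable source address: fail closed, no SSO
    opted_out = "sso_opt_out" in req.cookies  # hypothetical cookie name
    required = frozenset(SERVICE_REQUIRES.get(req.service, {"password"}))
    return LoginConfig(
        allow_sso=not kiosk and not opted_out,  # never SSO from a known kiosk
        required_factors=required,
        gateway=req.gateway,
        warn="warn" in req.cookies,  # hypothetical cookie name
    )

def next_step(cfg, factors, has_sso_session):
    """What the login flow does next, under the assumed gateway/warn semantics."""
    if cfg.is_sufficient(factors, has_sso_session):
        return "warn_then_issue_st" if cfg.warn and has_sso_session else "issue_st"
    return "redirect_without_ticket" if cfg.gateway else "prompt_for_credentials"
```

Because every sufficiency decision goes through the LoginConfig, adding a new rule means changing the factory or the config, not the login flow itself.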