Web Authentication

Posted on June 16, 2012 by Tommy McGuire
Labels: active directory, authentication, java, ldap, SAML

Security Assertion Markup Language, Version 2

The Security Assertion Markup Language is developed by OASIS; at its core is an XML specification for sharing security related assertions, such as identity information, level of belief in the authentication, and potentially authorization information. SAML is, however, much bigger than its core. It includes what they call protocols, defining what SAML-formatted messages should be sent under specific circumstances such as authentication requests, logouts, assertion queries, etc. The SAML family also includes what they call bindings, which provide the details about how protocol messages should be presented in standard messaging scenarios such as HTTP Redirect (used by the authentication requests described in these posts for requests) and HTTP POST (also used by these posts for replies), SOAP, etc. Also, there are profiles; metadata to be exchanged; conformance, security, and privacy considerations; and a three-legged water buffalo named Elmont.

Active Directory: LDAP and Kerberos


There are two ways to authenticate against an Active Directory server: LDAP and Kerberos. LDAP authentication is normally as simple as opening a connection and binding using the username and password. Active Directory, instead, encourages decoupling by having the authentication client use a ridiculously complex lookup procedure to locate the AD server that involves DNS SRV records, ASN.1, and two-thirds of the Concorde TSP solver. But, it does work fairly well.


Kerberos authentication is much simpler to implement, but requires more infrastructure. In particular, it requires the browser to handle Kerberos ticket-based authentication via the SPNEGO protocol. All of the browsers of my acquaintance do, although it requires some configuration.

active directory ashurbanipal authentication books c c++ comics conference continuations coq data structure digital humanities Dijkstra eclipse virgo electronics emacs goodreads haskell http java job Knuth ldap link linux lisp math naming nimrod notation OpenAM osgi parsing pony programming language protocols python quote R random REST ruby rust SAML scala scheme shell software development system administration theory tip toy problems unix vmware yeti
Member of The Internet Defense League
Site proudly generated by Hakyll.