Chatta subito con l'assistenza
Chat con il supporto

Single Sign-On for Java 3.3.2 - Administration Guide

About this guide Introducing Single Sign-on for Java Preparing for Single Sign-on for Java Deploying Single Sign-on for Java
Getting started with Single Sign-on for Java Single Sign-on for Java and your web applications Setting up logging Controlling access to resources
Security Issues Maintenance and Troubleshooting Appendix: Configuration Parameters Appendix: Using the JKTools

Mappings and objects

Single Sign-on for Java makes use of a number of Active Directory constructs and objects in its Kerberos-related operations that involve:

  • Objects representing users, groups, organizations, computers, resources and services as registered in Active Directory account records
  • Mappings or unique name references to these objects, including properties held in the accounts themselves.

Names and mappings

User Principal Names and Service Principal Names are recorded in Active Directory and can be used as a way of referring to a client or a service within Kerberos. Active Directory can find full user account details for a UPN or SPN by searching its records for the account that has that name property listed as one of its object attributes.

User Principal Names (UPNs)

A UPN provides a name of a user and is used as the Kerberos client principal name. It consists of an RFC822 or Email-style name and domain, separated by an '@' symbol (thus, fred@EXAMPLE.COM).

The UPN must be unique throughout the Active Directory forest.

The UPN is the name that appears in the Kerberos Ticket Granting Ticket (TGT) returned by Active Directory for a client.

Service Principal Names (SPNs)

Most often, an SPN is of the form: <service type>/<host>. For example:

HTTP/appservhost1.example.com

The SPN is used when requesting a Kerberos ticket for a particular service. The client browser uses the hostname from the request URL to construct this SPN value. This SPN value is used to request a service ticket from Active Directory. You will typically need to map an SPN to an Active Directory account using the setspn tool.

Related Documents

The document was helpful.

Seleziona valutazione

I easily found the information I needed.

Seleziona valutazione