views: 1298

answers: 2

I'm attempting to implement a simple Single Sign On scenario where some of the participating servers will be Windows (IIS) boxes. It looks like SPNEGO is a reasonable path for this.

Here's the scenario:

  • User logs in to my SSO service using his username and password. I authenticate him using some mechanism.
  • At some later time the user wants to access App A.
    • The user's request for App A is intercepted by the SSO service. The SSO service uses SPNEGO to log the user in to App A:
      • The SSO service hits the App A web page, gets a "WWW-Authenticate: Negotiate" response
      • The SSO service generates an "Authorization: Negotiate xxx" response on behalf of the user, responds to App A. The user is now logged in to App A.
    • The SSO service intercepts subsequent user requests for App A, inserting the Authorization header into them before passing them on to App A.

Does that sound right?

I need two things (at least that I can think of now):

  • the ability to generate the "Authorization: Negotiate xxx" token on behalf of the user, preferably using Python
  • the ability to validate "Authorization: Negotiate xxx" headers in Python (for a later part of the project)
+2  A: 

This is exactly what Apple does with its Calendar Server. They have a Python GSSAPI library for the Kerberos part of the process, in order to implement SPNEGO.

Look in CalendarServer/twistedcaldav/authkerb.py for the server auth portion. The kerberos module (which is a C module) doesn't have any useful docstrings, but PyKerberos/pysrc/kerberos.py has all the function definitions.

Here are the URLs for the svn trunks:
http://svn.calendarserver.org/repository/calendarserver/CalendarServer/trunk
http://svn.calendarserver.org/repository/calendarserver/PyKerberos/trunk

JimB
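The two needs in the question (generate an "Authorization: Negotiate" token on behalf of the user, and validate one on the server) map onto one HTTP exchange: a 401 with "WWW-Authenticate: Negotiate", then the request retried with a base64 GSSAPI token, then a 200 (optionally carrying the acceptor's reply token). The following is an added example, not code from the question, from CalendarServer or from PyKerberos: it implements that exchange in Python with the GSSAPI step behind a small context interface, so the header parsing and the client/server round trip run offline against a constructed, non-cryptographic stub. The `PyKerberos*` classes show how the same interface maps onto the real `kerberos` C module named in the answer above (`authGSSClientInit`/`Step`/`Response`, `authGSSServerInit`/`Step`/`UserName`); that wiring is an assumption for illustration and needs a KDC, a client ticket cache and an `HTTP/<host>` keytab. The service name `HTTP@appa.example.com` and the user `alice` are constructed.

```python
"""HTTP Negotiate (SPNEGO) exchange between an SSO proxy and an app server.
GSSAPI calls sit behind a small context interface so the header logic runs
offline with a constructed stub; the PyKerberos classes are hypothetical wiring
(they need a KDC, a client ticket cache and an HTTP/<host> keytab on the server)."""
import base64
import binascii
import re

_NEGOTIATE = re.compile(r"^\s*Negotiate(?:\s+([A-Za-z0-9+/=]+))?\s*$")

def parse_negotiate(header_value):
    """Token bytes from 'Negotiate <base64>'; b'' for a bare 'Negotiate'
    challenge; None for a missing value, another scheme or bad base64."""
    if header_value is None:
        return None
    m = _NEGOTIATE.match(header_value)
    if not m:
        return None
    if m.group(1) is None:
        return b""
    try:
        return base64.b64decode(m.group(1), validate=True)
    except binascii.Error:
        return None

def format_negotiate(token):
    """Header value 'Negotiate <base64>' for a raw GSSAPI token."""
    return "Negotiate " + base64.b64encode(token).decode("ascii")

class StubClientContext:
    """Offline stand-in for a GSSAPI initiator (constructed, not Kerberos)."""
    def __init__(self, service, user):
        self.service, self.user = service, user
    def step(self, challenge):
        # A real initiator returns a Kerberos AP-REQ bound to this service.
        return b"STUB-APREQ:" + self.service.encode() + b":" + self.user.encode()

class StubServerContext:
    """Offline stand-in for a GSSAPI acceptor (constructed, not Kerberos)."""
    def __init__(self, service):
        self.service, self.user = service, None
    def step(self, token):                       # -> (accepted, reply_token)
        parts = token.split(b":")
        if len(parts) != 3 or parts[0] != b"STUB-APREQ" or parts[1] != self.service.encode():
            return False, b""                    # wrong SPN or garbage: reject
        self.user = parts[2].decode()
        return True, b"STUB-APREP"

class PyKerberosClientContext:
    """Initiator via the PyKerberos `kerberos` C module (hypothetical wiring)."""
    def __init__(self, service, user=None):
        import kerberos                          # PyKerberos, not stdlib
        self._k = kerberos
        _, self._ctx = kerberos.authGSSClientInit(service)   # e.g. "HTTP@appa.example.com"
    def step(self, challenge):
        self._k.authGSSClientStep(self._ctx, base64.b64encode(challenge).decode("ascii"))
        return base64.b64decode(self._k.authGSSClientResponse(self._ctx))

class PyKerberosServerContext:
    """Acceptor via PyKerberos (hypothetical wiring)."""
    def __init__(self, service):
        import kerberos
        self._k, self.user = kerberos, None
        _, self._ctx = kerberos.authGSSServerInit(service)
    def step(self, token):
        rc = self._k.authGSSServerStep(self._ctx, base64.b64encode(token).decode("ascii"))
        if rc != self._k.AUTH_GSS_COMPLETE:
            return False, b""
        self.user = self._k.authGSSServerUserName(self._ctx)
        return True, base64.b64decode(self._k.authGSSServerResponse(self._ctx) or "")

class NegotiateServer:
    """App A's side: challenge, then validate 'Authorization: Negotiate'."""
    def __init__(self, service, context_factory):
        self.service, self.context_factory, self.last_user = service, context_factory, None
    def handle(self, headers):                   # -> (status, response_headers)
        token = parse_negotiate(headers.get("Authorization"))
        if not token:                            # absent, other scheme, malformed or bare
            return 401, {"WWW-Authenticate": "Negotiate"}
        ctx = self.context_factory(self.service) # fresh acceptor per request
        ok, reply = ctx.step(token)
        if not ok:
            return 401, {"WWW-Authenticate": "Negotiate"}
        self.last_user = ctx.user
        return 200, ({"WWW-Authenticate": format_negotiate(reply)} if reply else {})

def client_authenticate(server, service, context_factory):
    """SSO side: request, then answer the 401 with a Negotiate token.
    Returns (final_status, transcript of (direction, headers))."""
    status, hdrs = server.handle({})
    transcript = [("<- %d" % status, hdrs)]
    challenge = parse_negotiate(hdrs.get("WWW-Authenticate"))
    if status != 401 or challenge is None:       # server did not ask for Negotiate
        return status, transcript
    req = {"Authorization": format_negotiate(context_factory(service).step(challenge))}
    transcript.append(("->", req))
    status, hdrs = server.handle(req)
    transcript.append(("<- %d" % status, hdrs))
    return status, transcript
```

Running `client_authenticate(NegotiateServer("HTTP@appa.example.com", StubServerContext), "HTTP@appa.example.com", lambda svc: StubClientContext(svc, "alice"))` returns status 200 and leaves `last_user == "alice"`; a token minted for a different service name is rejected with a fresh 401 challenge. The example assumes the one-round exchange that Kerberos-only SPNEGO completes in (an NTLM fallback would need the continue-needed case). Two points matter for the proxy design in the question: the token is bound to App A's service principal and carries a timestamped Kerberos authenticator that acceptors check against a replay cache, so inserting one captured header into later requests is not a reliable session, and the SSO service can only mint fresh tokens for the user if it holds delegated credentials for that user, which is what the credential-delegation tutorial in the other answer addresses.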
A: 

Take a look at the http://spnego.sourceforge.net/credential_delegation.html tutorial. It seems to be doing what you are trying to do.

Pat Gonzalez