Product concerned: SNS 3.x, SNS 4.x
Last update: October 2021
Users have to manage many passwords – one for connecting to the workstation, one for the mail program and as many passwords as there are applications. Once this number reaches a dozen or so for certain users or administrators, managing these passwords then becomes tricky. This would encourage careless behavior, for example, in the form of simple passwords, or using the same passwords across all systems, or even passwords written on post-its or in notebooks.
The aim of protecting applications with passwords is to ensure the security of the data they contain. However, having too many passwords to manage multiplies the risk of them falling into the wrong hands, with dire consequences.
To resolve this dilemma, Single Sign-On (SSO) authentication programs were created, allowing users to authenticate only once to access all their resources, without having to systematically enter the individual passwords to each application.
SPNEGO (Simple and Protected GSS-API Negotiation Mechanism) is a protocol that has been defined by the IETF, making it possible to negotiate between different GSS-API (Generic Security Service Application Program Interface) mechanisms in order to establish a common security context for a client and a server. This is the method that Stormshield has chosen to provide single authentication features.
GSS-API is a programming interface offering applications that access a set of security services. Among other possibilities, it allows handling user authentication and guaranteeing the confidentiality and integrity of each message exchanged. Furthermore, it provides a unique interface that places itself above the different security mechanisms in such a way that in the event one of the peers acquires GSS-API credentials for the same security mechanism, a security context can then be established between them.