IBM Security Verify

  • 1.  Alternative to Kerberos

    Posted Mon July 04, 2022 04:27 AM

    Hi

    Currently, we are using Kerberos for single sign-on for various applications behind junctions. It is working fine; however, it is HTTP/1 and Kerberos does not support HTTP/2. Performance on applications could be optimized significantly with HTTP/2.

    What could be done to handle both SSO and HTTP/2? Any suggestions?

    BR
    Kim



    ------------------------------
    Kim Petersen
    Specialist
    ATP
    ------------------------------


  • 2.  RE: Alternative to Kerberos

    Posted Tue July 05, 2022 01:06 AM
    Hi,

    ISVA (Verify Access) does support HTTP/2 since version 10 and higher (https://www.ibm.com/docs/en/sva/10.0.4?topic=junctions-supported-http-versions-requests-responses).
    The IIS server must also be on version 10 or higher (see https://docs.microsoft.com/en-us/iis/get-started/whats-new-in-iis-10/http2-on-iis).
    If both conditions are fulfilled, then there should be no problem having Kerberos SSO on HTTP/2.
    Hope this helps

    Kind regards
    Serge Vereecke
    IBM Security

    ------------------------------
    Serge Vereecke
    ------------------------------



  • 3.  RE: Alternative to Kerberos

    Posted Tue July 05, 2022 02:17 AM

    Hi Kim,

    As SPNEGO and HTTP/2 do not go together, I suggest using a federated model.

    So you set up an IdP instance which runs the SPNEGO on HTTP/1.1 and a relying party (or SP if you use SAML2) that runs on HTTP/2. The latter consumes the IdP token and creates the SSO sessions toward your junctions.

    In a nutshell: the unauthenticated user arrives at the HTTP/2 endpoint and, because it does not have a valid session, the browser is redirected to the SPNEGO endpoint, which does the desktop SSO for you, issues a token and redirects back. The HTTP/2 endpoint will now be able to create an authenticated session.

    I hope this helps (I am sure Serge will agree on this approach)



    ------------------------------
    Peter Gierveld
    Security Architect
    SecurIT
    Amsterdam
    ------------------------------
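The redirect dance Peter describes, as an added simulation that is not part of this thread and not IBM Verify Access code: the HTTP/2-facing relying party has no session and redirects to the SPNEGO IdP; the IdP (which in real life would complete the Negotiate exchange over HTTP/1.1) issues a token and redirects back; the relying party validates the token and only then creates its own session. The endpoint URLs, the HMAC-signed token format, the shared federation key and the user principal are all assumptions made for the example; the point is the checks the consuming side has to do (signature, audience, state binding, expiry, replay) before it trusts the token.

```python
"""Simulation of a federated SPNEGO -> HTTP/2 relying-party flow.
Constructed example, not ISVA code; URLs, key and token format are assumed."""
import base64
import hashlib
import hmac
import json
import secrets
from urllib.parse import parse_qs, urlencode, urlparse

IDP_SPNEGO_URL = "https://idp.example.test/spnego"   # hypothetical HTTP/1.1 SPNEGO endpoint
RP_ACS_URL = "https://app.example.test/acs"          # hypothetical HTTP/2 token consumer
TOKEN_TTL = 60                                        # seconds an issued token stays valid


def _b64u(raw):
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def _unb64u(text):
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


class SpnegoIdp:
    """HTTP/1.1 side: desktop SSO happens here; result is an HMAC-signed token."""

    def __init__(self, key, allowed_returns, now):
        self.key, self.allowed_returns, self.now = key, allowed_returns, now

    def handle(self, url, principal):
        # `principal` stands in for the user name the Negotiate (Kerberos)
        # exchange would yield; this simulation does not perform that exchange.
        q = parse_qs(urlparse(url).query)
        return_to, state = q["return"][0], q["state"][0]
        if return_to not in self.allowed_returns:       # refuse open redirects
            raise ValueError("return URL not registered")
        payload = {"sub": principal, "aud": return_to, "state": state,
                   "exp": self.now() + TOKEN_TTL, "jti": secrets.token_hex(8)}
        body = _b64u(json.dumps(payload, sort_keys=True).encode())
        sig = _b64u(hmac.new(self.key, body.encode(), hashlib.sha256).digest())
        return return_to + "?" + urlencode({"state": state, "token": body + "." + sig})


class RelyingParty:
    """HTTP/2 side: no session -> redirect to IdP; valid token -> new session."""

    def __init__(self, key, now):
        self.key, self.now = key, now
        self.pending = {}     # outstanding state values we handed out
        self.sessions = {}    # session cookie -> authenticated user
        self.used_jti = set() # token ids already consumed (replay protection)

    def request(self, cookie):
        if cookie in self.sessions:
            return 200, self.sessions[cookie]
        state = secrets.token_urlsafe(16)
        self.pending[state] = self.now()
        return 302, IDP_SPNEGO_URL + "?" + urlencode({"return": RP_ACS_URL, "state": state})

    def consume(self, url):
        q = parse_qs(urlparse(url).query)
        state, token = q["state"][0], q["token"][0]
        if self.pending.pop(state, None) is None:
            raise ValueError("unknown or already-used state")
        body, sig = token.split(".", 1)
        expected = hmac.new(self.key, body.encode(), hashlib.sha256).digest()
        if not hmac.compare_digest(_unb64u(sig), expected):
            raise ValueError("bad signature")
        p = json.loads(_unb64u(body))
        if p["aud"] != RP_ACS_URL or p["state"] != state:
            raise ValueError("token not issued for this RP/request")
        if p["exp"] <= self.now() or p["jti"] in self.used_jti:
            raise ValueError("token expired or replayed")
        self.used_jti.add(p["jti"])
        cookie = secrets.token_urlsafe(24)
        self.sessions[cookie] = p["sub"]
        return cookie


def _attempt(rp, url):
    try:
        rp.consume(url)
        return "accepted"
    except ValueError as err:
        return str(err)


def demo():
    """Happy path plus the failure modes the relying party must reject."""
    clock = [1_700_000_000.0]                           # controllable time source
    now = lambda: clock[0]
    key = secrets.token_bytes(32)                       # shared federation key (assumed)
    idp, rp = SpnegoIdp(key, {RP_ACS_URL}, now), RelyingParty(key, now)
    out = {}
    _, loc = rp.request(None)                           # 1. no session -> 302 to IdP
    back = idp.handle(loc, "kim@EXAMPLE.TEST")          # 2. SPNEGO done, token, 302 back
    cookie = rp.consume(back)                           # 3. token checked, session created
    out["user"] = rp.request(cookie)[1]                 #    subsequent requests hit the session
    out["replay"] = _attempt(rp, back)                  # same redirect replayed
    _, loc = rp.request(None)
    back = idp.handle(loc, "kim@EXAMPLE.TEST")
    out["tampered"] = _attempt(rp, back.replace("token=", "token=A"))  # modified body
    _, loc = rp.request(None)
    back = idp.handle(loc, "kim@EXAMPLE.TEST")
    clock[0] += TOKEN_TTL + 1                           # token outlived its TTL
    out["expired"] = _attempt(rp, back)
    return out


if __name__ == "__main__":
    print(demo())
```

The `state` value is what ties the token coming back to the request the relying party actually started, so a token captured from one browser cannot be dropped into another user's redirect; the `jti` set and the expiry are what stop the same redirect being replayed later. A real deployment would carry these in a SAML assertion or OIDC ID token rather than a hand-rolled HMAC blob, but the checks are the same.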



  • 4.  RE: Alternative to Kerberos

    Posted Tue July 05, 2022 04:19 AM
    Thanks for the inputs Serge and Peter. Much appreciated

    ------------------------------
    Kim Petersen
    Specialist
    ATP
    ------------------------------