Note: By "single sign on" I mean, ask the user for credentials and then not need him to authenticate by user input anymore for X time after that.
I have to create a secure web service for clients to use to deposit sensitive data into.
I could use traditional username and passwords, but the problem is pestering the user for it every time they want to make a request. On the other hand, if I cache those credentials then it's a security liability as it has to remain somewhere on the machine. Granted I'm not working on NASA software, but I'd like something a little more robust.
Here are my restrictions:
Clients:
- Use Windows 2000 and later, so the client application has to run on .NET 2.0.
- I have no control over the network or the client's machine, meaning installing certificates on their end will be difficult if not impossible. (I have a machine fingerprint mechanism for whitelisting kosher PCs.)
Server:
- Will use whatever I see fit. It's at my discretion.
With those considerations in mind, what options do I have if I want to implement a "single sign on" mechanism? Meaning, the user authenticates and for X time he can call the service without needing additional authentication.
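One way to implement the time-limited mechanism the question asks for, added here as an example and not part of the original post: the server verifies the password once, then hands back an HMAC-signed token naming the user, the whitelisted machine fingerprint and an expiry, so the client keeps only a short-lived token and never caches the credentials. The server key, fingerprint string and TTL below are constructed assumptions.

```python
import base64
import hashlib
import hmac
import json
import time
from typing import Optional

# Constructed demo key; a real deployment generates a random key and keeps it server-side only.
SERVER_KEY = b"demo-server-key-not-for-production"


def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).decode("ascii").rstrip("=")


def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def issue_token(user: str, fingerprint: str, ttl_seconds: int,
                key: bytes = SERVER_KEY, now: Optional[float] = None) -> str:
    """Called once, after the user's credentials have been checked.
    The token carries the claims in clear plus an HMAC over them; the server stores nothing."""
    now = time.time() if now is None else now
    claims = {"sub": user, "fp": fingerprint, "exp": int(now) + ttl_seconds}
    payload = json.dumps(claims, separators=(",", ":")).encode("utf-8")
    mac = hmac.new(key, payload, hashlib.sha256).digest()
    return _b64(payload) + "." + _b64(mac)


def verify_token(token: str, fingerprint: str,
                 key: bytes = SERVER_KEY, now: Optional[float] = None) -> Optional[str]:
    """Return the user name if the token is authentic, unexpired and bound to the
    presenting machine's fingerprint; otherwise None. Every check fails closed."""
    now = time.time() if now is None else now
    try:
        payload_b64, mac_b64 = token.split(".")
        payload, mac = _unb64(payload_b64), _unb64(mac_b64)
    except ValueError:          # malformed structure or bad base64
        return None
    expected = hmac.new(key, payload, hashlib.sha256).digest()
    if not hmac.compare_digest(mac, expected):   # tampered claims or wrong key
        return None
    claims = json.loads(payload)                 # safe to parse: MAC already verified
    if claims.get("exp", 0) <= now:              # X time has elapsed; re-authenticate
        return None
    if not hmac.compare_digest(claims.get("fp", "").encode(), fingerprint.encode()):
        return None                              # token replayed from a different PC
    return claims.get("sub")
```

Because the token is self-contained, the X-hour window is enforced purely by the expiry claim and the server's key; revoking early means rotating the key or keeping a small server-side deny list.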