SSO cannot work without an open communication to the POA for security reasons (the POA does not just take the client's word, it calls the directory to verify everything).

In caching mode, at startup, the login is against the local store.
Caching mode only talks to the POA during sync.
It is required that caching mode open and run against the local store even if the POA is down.

The only idea that I can think of is that we could try the POA and skip the password prompt if the POA is up and could verify our credentials.

But even that would be problematic because the local store and the online store are not the same store, but a replicated copy. We would be hackable. Example: I get a copy of your caching store and log in using credentials from a test system POA. Part of the SSO security is tied to the relationship between the online store and the directory user.

So we would have to add code to also guarantee the relationship between the cache and the online store.

This could be done, but is a feature request.

---

Thanks,

-Jan
