How WAFFLE SSO authentication works
This image depicts the working of WAFFLE SSO authentication.
| A precondition for WAFFLE SSO is that the user request comes from a device that is logged on to the domain. |
1. The browser sends a request to the web server.
2. The web server replies with unauthorized and proposes negotiations.
3. The client browser gets the user's credentials that were used to log into Windows, takes its hash and sends it to the server.
4. When receiving the hash, the server looks up the user store and identifies the user.
| There is no keytab file needed as is the case for SPNEGO. |
5. An unique and encrypted challenge is created.
6. The server sends the challenge to the browser. That challenge can be only decrypted using the user's password.
7. The browser decrypts the challenge with the user's credentials and sends the response back to the server.
8. The server checks whether the response for the challenge is correct and serves the user request if the answer is correct. If the answer is wrong, the server denies the access to the requested resources and sends the unauthorized message.