Sorry for the delayed response here.
Ingo is spot on: in a Windows/AD SSO environment we have a Domain Controller which handles the authentication side of things for the user logging onto the PC that has Jitsi installed on it. Openfire also syncs with the Domain Controller such that the accounts are all automatically created in Openfire once set up on the Domain.
Therefore we can't really extract the password of the user and provision it to them as such.
What we really want is an encrypted trust setup that Jitsi can use to pass the existing Kerberos ticket through to the DC to authenticate with the credentials that the user is logged on with.

From: Bauersachs Ingo [mailto:email@example.com]
Sent: Wednesday, 15 June 2011 5:16 PM
Subject: [jitsi-users] Re: SSO for Jitsi
I personally believe this is a better option than SSO since it allows
administrators to provision both account credentials and account
properties rather than having to maintain two separate mechanisms to

That is impossible in most SSO scenarios: Usually the server doesn't even know the user's password. When Matt talks about AD and Group Policy, then he's using a Windows Domain and probably a Server that authenticates the user with his Windows Credentials using the so-called "integrated authentication" (SSPI).
In this regard, the request is to reuse the Windows Credentials for Sign-On, either by using Kerberos (preferably) or NTLM (if need be).
Of course that all depends on the (SIP)-Server being used as well.