Details
- Task
- Resolution: Done
- Neutral
Description
Describe how to do SSO with Kerberos authentication.
Jira tickets such as MGNLLDAP-11 give the following advice:
When user credentials are sent to the LDAP/AD server, they can be encrypted in the bind request and can't be seen across the network. You can configure the level of security using java.naming.security.authentication in a configuration file. These are the values supported by the default Sun service provider:
- none
- simple (plain text)
- DIGEST-MD5
- EXTERNAL (not yet supported by the LDAP login module)
- GSSAPI (Kerberos V5)
You can implement Kerberos authentication by providing your own login callback and handlers. There are examples of callbacks in SVN.
For URISecurity, NTLM (AD shared token - SSO) is a supported method and other implementations are possible (Kerberos TTS, Digest). Provide loginCallback and loginCallbackHandler to negotiate authentication with the user (see login, logout and uriSecurity filters at Configuration:/server/filters).
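The difference between the simple and GSSAPI values of java.naming.security.authentication, with a login callback handler, shown as an added example in plain JNDI/JAAS (not code from this ticket or from the LDAP module). Assumptions: the host name is a placeholder, a JAAS entry named LdapKerberos that loads com.sun.security.auth.module.Krb5LoginModule is supplied through -Djava.security.auth.login.config, and the Kerberos realm and KDC are configured for the JVM.

```java
import java.security.PrivilegedExceptionAction;
import java.util.Hashtable;
import javax.naming.Context;
import javax.naming.directory.*;
import javax.security.auth.Subject;
import javax.security.auth.callback.*;
import javax.security.auth.login.LoginContext;

public class LdapBindModes {
    static final String LDAP_URL = "ldap://dc.example.test:389"; // assumed placeholder host
    // Common JNDI environment; `mechanism` is the java.naming.security.authentication value.
    static Hashtable<String, String> baseEnv(String mechanism) {
        Hashtable<String, String> env = new Hashtable<>();
        env.put(Context.INITIAL_CONTEXT_FACTORY, "com.sun.jndi.ldap.LdapCtxFactory");
        env.put(Context.PROVIDER_URL, LDAP_URL);
        env.put(Context.SECURITY_AUTHENTICATION, mechanism);
        return env;
    }

    // Weak: "simple" puts the DN and password in the bind request as plain text.
    static Hashtable<String, String> simpleEnv(String dn, String password) {
        Hashtable<String, String> env = baseEnv("simple");
        env.put(Context.SECURITY_PRINCIPAL, dn);
        env.put(Context.SECURITY_CREDENTIALS, password);
        return env;
    }

    // Kerberos: the bind carries a service ticket; "auth-conf" also encrypts the session.
    static Hashtable<String, String> gssapiEnv() {
        Hashtable<String, String> env = baseEnv("GSSAPI");
        env.put("javax.security.sasl.qop", "auth-conf");
        return env;
    }

    public static void main(String[] args) throws Exception {
        CallbackHandler handler = callbacks -> { // answers the Krb5LoginModule prompts
            for (Callback cb : callbacks) {
                if (cb instanceof NameCallback) ((NameCallback) cb).setName(args[0]);
                else if (cb instanceof PasswordCallback)
                    ((PasswordCallback) cb).setPassword(System.console().readPassword("Password: "));
                else throw new UnsupportedCallbackException(cb);
            }
        };
        LoginContext lc = new LoginContext("LdapKerberos", handler); // assumed JAAS entry name
        lc.login(); // gets the TGT from the KDC
        DirContext ctx = Subject.doAs(lc.getSubject(),
                (PrivilegedExceptionAction<DirContext>) () -> new InitialDirContext(gssapiEnv()));
        ctx.close(); // reaching this line means the GSSAPI bind succeeded
    }
}
```

Run it from an interactive terminal with the Kerberos principal as the first argument; System.console() returns null when no console is attached.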