  1. Documentation
  2. DOCU-231

Single-sign on with Kerberos authentication

Details

    • Task
    • Resolution: Done
    • Neutral
    • None
    • None
    • content
    • None

    Description

      Describe how to do SSO with Kerberos authentication.

      Jira tickets such as MGNLLDAP-11 give the following advice:

      When user credentials are sent to LDAP/AD server, they can be encrypted in the bind request and can't be seen across the network. You can configure the level of security using java.naming.security.authentication in a configuration file. These are the values supported by the default Sun service provider:

      • none
      • simple (plain text)
      • DIGEST-MD5
      • EXTERNAL //not yet supported by the LDAP login module
      • GSSAPI (Kerberos V5)

      You can implement Kerberos authentication by providing your own login callback and handlers. There are examples of callbacks in SVN.

      For URISecurity, NTLM (AD shared token - SSO) is a supported method and other implementations are possible (Kerberos TTS, Digest). Provide loginCallback and loginCallbackHandler to negotiate authentication with the user (see login, logout and uriSecurity filters at Configuration:/server/filters).
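
An added example, not code from this ticket or from the product it documents: a small Java helper that builds the JNDI environment for one of the java.naming.security.authentication values listed above and refuses the settings that would expose credentials. The class name LdapBindEnv, the host ad.example.com and the accept/reject policy are assumptions made for illustration.

```java
import java.util.Hashtable;
import java.util.Set;
import javax.naming.Context;
import javax.security.sasl.Sasl;

public class LdapBindEnv {
    // Mechanisms from the list above; EXTERNAL is omitted because the ticket
    // says the LDAP login module does not support it yet.
    private static final Set<String> SASL = Set.of("DIGEST-MD5", "GSSAPI");

    static Hashtable<String, String> build(String url, String mechanism) {
        boolean tls = url.toLowerCase().startsWith("ldaps://");
        if ("none".equals(mechanism)) {
            throw new IllegalArgumentException("anonymous bind authenticates nobody");
        }
        if ("simple".equals(mechanism) && !tls) {
            // A simple bind carries the password as plain text.
            throw new IllegalArgumentException("simple bind needs ldaps://, got " + url);
        }
        if (!"simple".equals(mechanism) && !SASL.contains(mechanism)) {
            throw new IllegalArgumentException("unsupported mechanism: " + mechanism);
        }
        Hashtable<String, String> env = new Hashtable<>();
        env.put(Context.INITIAL_CONTEXT_FACTORY, "com.sun.jndi.ldap.LdapCtxFactory");
        env.put(Context.PROVIDER_URL, url);
        env.put(Context.SECURITY_AUTHENTICATION, mechanism);
        if (SASL.contains(mechanism)) {
            // Without TLS, insist on an encrypted SASL layer for the traffic
            // that follows the bind; inside TLS plain "auth" is enough.
            env.put(Sasl.QOP, tls ? "auth" : "auth-conf");
        }
        if ("GSSAPI".equals(mechanism)) {
            env.put(Sasl.SERVER_AUTH, "true"); // Kerberos mutual authentication
        }
        return env;
    }

    public static void main(String[] args) {
        // Constructed sample inputs; ad.example.com is a placeholder host.
        String[][] cases = {
            {"ldap://ad.example.com:389", "simple"},
            {"ldaps://ad.example.com:636", "simple"},
            {"ldap://ad.example.com:389", "GSSAPI"},
        };
        for (String[] c : cases) {
            try {
                System.out.println(c[1] + " -> " + build(c[0], c[1]));
            } catch (IllegalArgumentException e) {
                System.out.println(c[1] + " rejected: " + e.getMessage());
            }
        }
    }
}
```

The helper only prepares the environment; an actual GSSAPI bind additionally needs a Kerberos ticket obtained through a JAAS login before the directory context is created.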

            People

              Unassigned Unassigned
              ahietala Antti Hietala