[DOCU-231] Single sign-on with Kerberos authentication
Created: 23/Nov/11  Updated: 31/May/18  Resolved: 31/May/18

Status: Closed
Project: Documentation
Component/s: content
Affects Version/s: None
Fix Version/s: None

Type: Task
Priority: Neutral
Reporter: Antti Hietala
Assignee: Unassigned
Resolution: Done
Votes: 1
Labels: None
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original Estimate: Not Specified


 Description   

Describe how to do SSO with Kerberos authentication.

Jira tickets such as MGNLLDAP-11 give the following advice:

When user credentials are sent to the LDAP/AD server, they can be encrypted in the bind request and can't be seen across the network. You can configure the level of security using java.naming.security.authentication in a configuration file. These are the values supported by the default Sun service provider:

  • none
  • simple (plain text)
  • DIGEST-MD5
  • EXTERNAL //not yet supported by the LDAP login module
  • GSSAPI (Kerberos V5)

You can implement Kerberos authentication by providing your own login callback and handlers. There are examples of callbacks in SVN.

For URISecurity, NTLM (AD shared token - SSO) is a supported method and other implementations are possible (Kerberos TTS, Digest). Provide loginCallback and loginCallbackHandler to negotiate authentication with the user (see login, logout and uriSecurity filters at Configuration:/server/filters).
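
The java.naming.security.authentication values listed above, as an added example that is not part of the original ticket or the project's own code: a guard that builds the JNDI environment and refuses settings that would put the password on the wire in plain text. The class name LdapBindPolicy and the host ldap.example.com are assumptions; a real GSSAPI bind also needs a Kerberos (JAAS) login, which is not shown.

```java
import java.util.Hashtable;
import java.util.Set;
import javax.naming.Context;

public class LdapBindPolicy {
    // Mechanisms from the list above that keep the password out of the bind request.
    private static final Set<String> PROTECTED = Set.of("DIGEST-MD5", "GSSAPI");

    /** Returns a JNDI environment, or throws if the setting is unsafe or unsupported. */
    public static Hashtable<String, Object> environment(String url, String mechanism) {
        boolean tls = url.toLowerCase().startsWith("ldaps://");
        if ("none".equals(mechanism)) {
            throw new IllegalArgumentException("anonymous bind authenticates nobody");
        }
        if ("simple".equals(mechanism) && !tls) {
            // "simple" is the plain-text value: only tolerable inside a TLS channel.
            throw new IllegalArgumentException("simple bind over " + url + " exposes the password");
        }
        if (!"simple".equals(mechanism) && !PROTECTED.contains(mechanism)) {
            // Covers EXTERNAL, which the ticket marks as not yet supported.
            throw new IllegalArgumentException("unsupported mechanism: " + mechanism);
        }
        Hashtable<String, Object> env = new Hashtable<>();
        env.put(Context.INITIAL_CONTEXT_FACTORY, "com.sun.jndi.ldap.LdapCtxFactory");
        env.put(Context.PROVIDER_URL, url);
        // Context.SECURITY_AUTHENTICATION is the key "java.naming.security.authentication".
        env.put(Context.SECURITY_AUTHENTICATION, mechanism);
        return env;
    }

    public static void main(String[] args) {
        // Constructed sample settings; ldap.example.com is a placeholder host.
        String[][] cases = {
            {"ldap://ldap.example.com:389", "simple"},
            {"ldaps://ldap.example.com:636", "simple"},
            {"ldap://ldap.example.com:389", "GSSAPI"},
            {"ldap://ldap.example.com:389", "EXTERNAL"},
        };
        for (String[] c : cases) {
            try {
                Hashtable<String, Object> env = environment(c[0], c[1]);
                System.out.println("accepted: " + env.get(Context.PROVIDER_URL)
                        + " with " + env.get(Context.SECURITY_AUTHENTICATION));
            } catch (IllegalArgumentException e) {
                System.out.println("rejected: " + e.getMessage());
            }
        }
    }
}
```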



 Comments   
Comment by Christoph Meier [ 30/May/18 ]

This looks quite old - however, it was updated in 2016.
ahietala, is it still valid?

Comment by Antti Hietala [ 31/May/18 ]

No support requests recently about Kerberos authentication. Closed. 
