Home / server / Questions

Questions[single-sign-on](server)

Martin Hope
blak3r
Asked: 2011-07-21 10:52:19 +0800 CST
  • 48

I'm told that it's possible to make a web application that does not require a login. The user logs in to Windows, which authenticates via an Active Directory (LDAP) Lookup. Then, they should be able to go to my webapp and never see a login prompt. These customers have been referring to this as Single Sign On (perhaps incorrectly and part of my confusion).

But, from what I read Single Sign On from the Tomcat docs is:

The Single Sign On Valve is utilized when you wish to give users the ability to sign on to any one of the web applications associated with your virtual host, and then have their identity recognized by all other web applications on the same virtual host.

This is perfectly clear to me. User has to login once and can access every webapp on an instance of tomcat. But, what I need to do is somehow let them login without ever providing any credentials to my tomcat server.

So, in order for this to work I imagine:

  • User makes request for some page
  • Server sees no session token and then request the client for some credentials.
  • The clients browser without any intervention from the user provides some credentials to the server.
  • Then, using those credentials provided by the clients browser it does a lookup in an LDAP.

I've seen some examples which use client side certificates... particularly the DoD PKI system which makes some sense to me because in those cases you configure Tomcat to request client side certs, but just logging into windows I don't see how this would work and what information the browser would pass to the server etc. Is this what NTLM is used for?

active-directory authentication pki single-sign-on
Martin Hope
Chris_K
Asked: 2009-08-22 06:23:14 +0800 CST
  • 14

We're a small shop running Google Apps (Enterprise) for our email needs. Love it. Internally, we're using Windows AD (2003). No complaints there either.

I'd like to get some method of SSO going between AD and Google Apps such that AD is the only place my folks have to manage (and periodically CHANGE!) passwords.

I've looked over google's "tfm"s in the past, but I guess I just don't quite get it. Has anyone does this? If so, would you be willing to share how? Can it be done without a huge amount of complexity and expense?

active-directory g-suite single-sign-on
Martin Hope
Kamil Kisiel
Asked: 2009-07-03 15:39:31 +0800 CST
  • 12

I've been considering deploying mod_auth_kerb on our internal web servers to enable SSO. The one obvious problem I can see is that it's an all-or-nothing approach, either all your domain users can access a site or not.

Is it possible to combine mod_auth_kerb with something like mod_authnz_ldap to check for group membership in a particular group in LDAP? I'm guessing the KrbAuthoritative option would have something to do with this?

Also, as I understand it, the module sets the username to be username@REALM after authentication, but of course in the directory the users are stored as the username only. Furthermore, some internal sites we run such as trac already have a user profile linked to each username. Is there a way to resolve this, perhaps by stripping off the realm bit after authentication somehow?

apache-2.2 ldap kerberos single-sign-on
Martin Hope
p.campbell
Asked: 2009-06-05 10:05:32 +0800 CST
  • 28

The I.T. dept is considering allowing installation and automated deployment of Google Chrome browser to 100+ desktops. One of the requirements is for domain credentials to be passed through. The desired behaviour is the same as Internet Explorer.

An issue has come up when browsing intranet resources. Intranet sites which require Active Directory authentication are showing the "Authentication Required" dialog.

For each site, you have to enter your domain credentials.

Question: Does Google Chrome currently, or plan to, support passthrough Windows authentication? If so, how do you configure this security setting?

windows authentication google-chrome single-sign-on passthrough
Martin Hope
Philip Fourie
Asked: 2009-05-31 07:28:41 +0800 CST
  • 21

We utilise both Windows and Linux server at our software development company.

One of the friction points with this setup is that we don't have a single sign-on solution. Being more of a Microsoft shop than a Linux one we want to authenticate against AD.

I read a couple of articles online and I understand this to be possible.

We are currently using the following services on Linux that requires authentication:
- git server (through SSH)
- Sendmail
- Apache web server currently using .htaccess files.
- SAMBA file shares

What I want to know is how practical is this sort of setup? Does it really work or is it error-prone?

windows linux authentication single-sign-on