I've configured Apache HTTPD as a reverse proxy (for SSL) for my Artifactory instance, and I'm now trying to get HTTP SSO working on it.
Using the below configuration, I am successfully automatically signed in from my machine. However, when I run Chrome in Incognito mode (to disable Kerberos forwarding), the behaviour becomes undesirable.
What I want to happen is that the user be silently taken to Artifactory's standard login page, at /ui/login. However, what actually happens is that the browser prompts its built-in username and password window.
The other solutions I've seen in my research seem to be based on the Kerberos auth failing, or the user hitting cancel at this window. Instead, what I am trying to cater for is my users browsing to Artifactory from a non-domain-joined machine, which doesn't have a Kerberos ticket. I want these users to be shown the nicer-looking Artifactory standard login page.

# httpd -v
Server version: Apache/2.4.6 (Red Hat Enterprise Linux)
Server built: Oct 8 2020 21:27:40

<Location />
    AuthType Kerberos
    AuthName "Intranet"
    KrbMethodNegotiate On
    KrbMethodK5Passwd Off
    KrbAuthRealms DOMAIN.EXAMPLE.ORG
    KrbLocalUserMapping On
    Krb5KeyTab /etc/httpd/artf_ldap.keytab
    Require valid-user
    KrbAuthoritative On
    ErrorDocument 401 "<html><meta http-equiv=\"refresh\" content=\"0;url=/ui/login\"></html>"
    RewriteEngine On
    RewriteCond %{REMOTE_USER} (.+)
    RewriteRule . - [E=RU:%1]
    RequestHeader set REMOTE_USER %{RU}e
</Location>

The ErrorDocument 401 and KrbMethodK5Passwd Off parts were my attempts at solving this myself.