At work I was tasked with developing a Jakarta EE web application in which the company's LDAP users can log in and perform some tasks. This article is not about what the app could do but about the SSO authentication part. One requirement was that users should not have to log in explicitly; the login should happen automatically in the background. In the following I explain how I achieved this.
As already mentioned, the user should first be able to log in with their credentials from Active Directory. I have already written an article about this (in German).
To implement SSO, the application must obtain the Windows user name in the browser without any user input. For this I use Kerberos, which was already set up and ready to use. The following Apache web server configuration makes Apache perform the Kerberos negotiation and pass the authenticated user name to the application in a request header.
```apache
# The original listing placed these directives inside a <requireany> container,
# but Apache only allows Require directives there; AuthType and the Krb*
# settings belong in a <Location> or <Directory> block (assumed here).
<Location />
    AuthType Kerberos
    KrbAuthRealms TEST.COM
    KrbMethodNegotiate On
    KrbMethodK5Passwd On
    KrbServiceName HTTP/subdomain.test.com
    Krb5KeyTab /etc/krb5.keytab
    # "off" skips verifying the KDC against the keytab, which leaves the
    # server open to KDC spoofing; it should be "on" outside of testing.
    KrbVerifyKDC off
    <RequireAny>
        Require valid-user
    </RequireAny>
</Location>

RewriteEngine On
# REMOTE_USER is "user@TEST.COM"; capture the part before the "@"
# (the original listing had "&" here, which never matches a principal).
RewriteCond %{REMOTE_USER} ^(.*)@
RewriteRule ^(.*)$ - [E=R_U:%1]
# "set" overwrites any REMOTE_USER header the client sent itself, so the
# backend only ever sees the name Kerberos actually authenticated.
RequestHeader set REMOTE_USER %{R_U}e
```
Without SSO the application checks the user name and password against LDAP and then reads the user's record from the database. With the Kerberos header the first step is skipped, because the user already authenticated when logging on to Windows; only the database lookup remains. The header-based login happens during a background page request, so the user is spared the login page.
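How the Jakarta EE side can consume that header safely, as an added example that is not the article's code or any project's code: a servlet filter that accepts REMOTE_USER only when the request arrived from the Apache proxy, tolerates both the bare `user` and the `user@REALM` form in case the rewrite rule is not applied, and then looks the account up in the application's own user store. The package name, the TRUSTED_PROXY address, `AppUser` and `UserRepository` are all assumptions; the user entries are constructed sample data standing in for the database.

```java
package com.example.sso; // assumed package name

import jakarta.servlet.Filter;
import jakarta.servlet.FilterChain;
import jakarta.servlet.ServletException;
import jakarta.servlet.ServletRequest;
import jakarta.servlet.ServletResponse;
import jakarta.servlet.annotation.WebFilter;
import jakarta.servlet.http.HttpServletRequest;
import jakarta.servlet.http.HttpServletResponse;
import jakarta.servlet.http.HttpSession;

import java.io.IOException;
import java.util.Map;
import java.util.Optional;
import java.util.regex.Matcher;
import java.util.regex.Pattern;

/** Added example, not the article's code: consumes the REMOTE_USER header set by Apache. */
@WebFilter("/*")
public class KerberosHeaderFilter implements Filter {

    /** Assumption: the backend only accepts connections from this Apache instance. */
    static final String TRUSTED_PROXY = "127.0.0.1";

    /** Accepts "user" or "user@REALM"; anything else (empty, spaces, odd characters) is rejected. */
    private static final Pattern PRINCIPAL =
            Pattern.compile("^([A-Za-z0-9._-]+)(?:@[A-Za-z0-9.-]+)?$");

    /** Returns the bare account name in lower case, or empty if the header is missing or malformed. */
    static Optional<String> extractUser(String headerValue) {
        if (headerValue == null) {
            return Optional.empty();
        }
        Matcher m = PRINCIPAL.matcher(headerValue.trim());
        return m.matches() ? Optional.of(m.group(1).toLowerCase()) : Optional.empty();
    }

    @Override
    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest request = (HttpServletRequest) req;
        HttpServletResponse response = (HttpServletResponse) res;

        // Already logged in during an earlier request: nothing to do.
        HttpSession existing = request.getSession(false);
        if (existing != null && existing.getAttribute("user") != null) {
            chain.doFilter(req, res);
            return;
        }

        // The header is only meaningful if Apache set it. A request that did not
        // come through the proxy could carry a client-chosen REMOTE_USER.
        if (!TRUSTED_PROXY.equals(request.getRemoteAddr())) {
            response.sendError(HttpServletResponse.SC_UNAUTHORIZED);
            return;
        }

        Optional<String> login = extractUser(request.getHeader("REMOTE_USER"));
        if (login.isEmpty()) {
            response.sendError(HttpServletResponse.SC_UNAUTHORIZED);
            return;
        }

        // Kerberos proved who the user is; the application still decides whether
        // that account is known to it (the LDAP password check is skipped, not the lookup).
        Optional<AppUser> user = UserRepository.findByLogin(login.get());
        if (user.isEmpty()) {
            response.sendError(HttpServletResponse.SC_FORBIDDEN);
            return;
        }
        request.getSession(true).setAttribute("user", user.get());
        chain.doFilter(req, res);
    }
}

/** Hypothetical user record. */
record AppUser(String login, String displayName) {}

/** Hypothetical repository; the entries are constructed sample data, not a real directory. */
class UserRepository {
    private static final Map<String, AppUser> USERS = Map.of(
            "jdoe", new AppUser("jdoe", "Jane Doe"),
            "msmith", new AppUser("msmith", "Max Smith"));

    static Optional<AppUser> findByLogin(String login) {
        return Optional.ofNullable(USERS.get(login));
    }
}
```

The remote-address check is the simplest way to make sure the header came from Apache when both run on the same host; if the application server is reachable from elsewhere, bind it to a private interface or put mutual TLS between proxy and backend, because a REMOTE_USER header that any client can set directly is equivalent to no authentication at all.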