Softwareentwickler / Software Developer

SSO | Single Sign-On using Apache, Kerberos and Jakarta EE

At work I was tasked with developing a Jakarta EE web application in which the company's LDAP users can log in and do their work. This article is not about what the application does but about the SSO part of its authentication. One requirement was that users should not have to log in themselves; the login should happen automatically in the background. In the following I explain how I achieved this.

As already mentioned, the first step was that users can log in with their Active Directory credentials. I have already written an article about that part (in German).

To turn this into SSO, the web application needs the Windows user name without the user typing anything into the browser. For this I use Kerberos, which was already set up and ready to use in our environment: a domain-joined Windows client obtains a service ticket for the web server and the browser sends it in the Authorization: Negotiate header of the request. With the following Apache configuration (mod_auth_kerb), Apache validates that ticket and passes the resulting user name to the backend application in a request header.

# mod_auth_kerb on Apache 2.4. The directives belong in a <Location> or
# <Directory> container; <RequireAny> may only contain Require lines.
# The path "/" is an assumption: use the path of the application.
<Location "/">
    AuthType Kerberos
    KrbAuthRealms TEST.COM
    KrbMethodNegotiate On
    # Password fallback (Basic auth): if Negotiate fails, the browser sends the
    # AD password to Apache. Set it to Off unless the fallback is really needed,
    # and allow it only over TLS.
    KrbMethodK5Passwd On
    KrbServiceName HTTP/subdomain.test.com
    Krb5KeyTab /etc/krb5.keytab
    # "off" skips checking the KDC against the keytab on the password path, so a
    # spoofed KDC could "authenticate" any user. Prefer "on" once the keytab
    # holds the HTTP/subdomain.test.com key.
    KrbVerifyKDC off
    Require valid-user

    # After authentication REMOTE_USER holds the Kerberos principal
    # (e.g. jdoe@TEST.COM). Strip the realm and forward only the account name.
    # The rewrite must live in a per-directory context like this <Location>:
    # in server context mod_rewrite runs before authentication and REMOTE_USER
    # would still be empty.
    RewriteEngine On
    RewriteCond %{REMOTE_USER} ^(.*)@
    RewriteRule ^(.*)$ - [E=R_U:%1]
    # Drop any REMOTE_USER header the client sent itself, and set our own only
    # when R_U exists; otherwise mod_headers would forward the literal "(null)".
    RequestHeader unset REMOTE_USER
    RequestHeader set REMOTE_USER %{R_U}e env=R_U
</Location>

Instead of first checking user name and password against LDAP and then loading the user record from the database, the application can skip the first step: the user already authenticated when logging on to Windows, the browser presents a Kerberos ticket when the page is requested, and Apache hands the verified user name to the application in the REMOTE_USER header. The user is spared the login page entirely. One thing the application must enforce is that it accepts this header only from the Apache front end; if the application server can be reached directly, anyone could send a REMOTE_USER header of their own choosing and log in as any user. The application should also reject empty or placeholder values, since the header now carries the identity that the LDAP check used to establish.
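The following servlet filter is an added example of the backend side of this setup; it is not the article's own code. It reads the REMOTE_USER header that the Apache configuration above sets, refuses it unless the request came from the reverse proxy, rejects the "(null)" placeholder mod_headers emits when the rewrite never matched, and only then exposes the account name to the application. The filter and attribute names, the loopback addresses assumed for Apache, and the account-name allowlist are assumptions for illustration; adjust them to the real deployment.

```java
import java.io.IOException;
import java.util.Set;
import java.util.regex.Pattern;

import jakarta.servlet.Filter;
import jakarta.servlet.FilterChain;
import jakarta.servlet.ServletException;
import jakarta.servlet.ServletRequest;
import jakarta.servlet.ServletResponse;
import jakarta.servlet.annotation.WebFilter;
import jakarta.servlet.http.HttpServletRequest;
import jakarta.servlet.http.HttpServletResponse;

/**
 * Example filter (not the article's code) that turns the REMOTE_USER header
 * set by Apache/mod_auth_kerb into a request attribute the application can rely on.
 */
@WebFilter("/*")
public class RemoteUserHeaderFilter implements Filter {

    /** Request attribute under which the authenticated account name is stored (assumed name). */
    public static final String USER_ATTRIBUTE = "sso.user";

    /** Kerberos realm the front end authenticates against (from the Apache config). */
    static final String REALM = "TEST.COM";

    /**
     * Assumption: Apache proxies to the app server over loopback. If a load
     * balancer sits in between, compare against its address instead, or bind
     * Apache and the app server together with a shared-secret header or mutual TLS.
     */
    static final Set<String> TRUSTED_PROXIES = Set.of("127.0.0.1", "::1");

    /** Conservative allowlist for AD account names; widen only deliberately. */
    static final Pattern ACCOUNT_NAME = Pattern.compile("^[A-Za-z0-9._-]{1,64}$");

    @Override
    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest request = (HttpServletRequest) req;
        HttpServletResponse response = (HttpServletResponse) res;

        String user = trustedUser(request.getRemoteAddr(), request.getHeader("REMOTE_USER"));
        if (user == null) {
            // No trustworthy identity: fail closed instead of trusting the header.
            response.sendError(HttpServletResponse.SC_UNAUTHORIZED);
            return;
        }
        request.setAttribute(USER_ATTRIBUTE, user);
        chain.doFilter(req, res);
    }

    /**
     * Returns the account name, or null when the header must not be trusted.
     * Covers the two failure modes of the Apache snippet: a request that
     * bypassed Apache, and mod_headers forwarding "(null)" when R_U was never set.
     */
    static String trustedUser(String remoteAddr, String header) {
        if (remoteAddr == null || !TRUSTED_PROXIES.contains(remoteAddr)) {
            return null; // on a direct connection the header is attacker-controlled
        }
        if (header == null || header.isBlank() || "(null)".equals(header)) {
            return null;
        }
        String name = header;
        int at = header.indexOf('@');
        if (at >= 0) {
            // Realm still present (rewrite did not strip it): accept only our realm.
            if (!REALM.equalsIgnoreCase(header.substring(at + 1))) {
                return null;
            }
            name = header.substring(0, at);
        }
        return ACCOUNT_NAME.matcher(name).matches() ? name : null;
    }
}
```

The application then reads the account name from the request attribute (or stores it in the session on first sight) and looks the user up in its own database, exactly as the LDAP-based login did after a successful bind. If the backend is Tomcat-based and Apache connects to it via mod_proxy_ajp, an alternative is to set `tomcatAuthentication="false"` on the AJP connector so that the user name arrives through `request.getRemoteUser()` instead of a custom header; the requirement that only Apache may reach that connector is the same.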
