Task #1952
closed
SSO support for both windows and linux servers
100%
Description
The aim of this ticket is to find a way of using SSO via Kerberos protocol. The solution must work on both windows and linux servers (where the idm is installed).
Updated by Radek Tomiška over 4 years ago
Hi Honza,
could you please translate your private comment and made it public to see some progress in ticket?
We have whole request available in application, so new authentication filter can be implemented.
Updated by Jan Kolařík over 4 years ago
- Tomcat can be kerberized on windows, steps in this guide https://dzone.com/articles/do-not-publish-configuring-tomcat-single-sign-on-w led to kerberos authentication into tomcat container.
- Authentication didn't work for me when Firefox was used (although I configured network.negotiate-auth.delegation-uris a network.negotiate-auth.trusted-uris parameters)
- Authentication worked with Internet Explorer configured as stated at https://wiki.czechidm.com/tutorial/adm/sso_ad_domain
Tests were carried out in virtual machines "klon Patrik - GFR simulace testovani SSO HONZA" (172.31.255.169) and 172.31.255.181 (Windows DC).
Domain username can be gained in kerberized tomcat e.g. by this JSP code:
<%= new String("Hello!") %>
<br>
<%= request.getRemoteUser() %>
<br>
<%= request.getUserPrincipal() %>
<br>
Output:
Hello! honza GenericPrincipal[honza(CN=idmusers,CN=Users,DC=lopaticka,DC=piskoviste,DC=bcv,idmusers,)]
Is it possible to adjust application to use username from methods getRemoteUser() or getUserPrincipal() instead of the login form ?
The similar feature already exists when the username is in HTTP header.
It can be activated by these configuration parameters:
idm.sec.core.authentication-filter.core-sso-authentication-filter.enabled=true idm.sec.core.authentication-filter.core-sso-authentication-filter.header-name=REMOTE_USER idm.sec.core.authentication-filter.core-sso-authentication-filter.uid-suffixes=@COMPANY.CZ
Updated by Jan Kolařík over 4 years ago
In case that kerberos server is not working, we need a fallback method to login to IdM app. Unfortunatelly tomcat doesn't allow to specify more than one <login-config><auth-method> per one webapp.
Neither setting 2 different tcp ports with different authorization schemas is possible.
sources:
http://tomcat.10.x6.nabble.com/How-to-configure-SPNEGO-authentication-with-fallback-to-FORM-auth-td5052243.html
https://stackoverflow.com/questions/6150443/multiple-login-config-for-java-webapp
https://stackoverflow.com/questions/34142746/is-tomcat-capable-of-using-mixed-authentication-on-one-app-basic-and-client-cer
https://stackoverflow.com/questions/17673634/tomcat-multiple-authentication-schemes-for-a-single-web-application
According to this documentation, jboss supports fallback method, but I didn't test it:
https://access.redhat.com/documentation/en-us/jboss_enterprise_application_platform/6.3/html/security_guide/configure_spnego_fall_back_to_form_authentication
Updated by Radek Tomiška over 4 years ago
- Target version set to Rhyolite (9.7.13)
I will implement new authentication filter - this implementation will be provided to test in your environment.
Updated by Radek Tomiška over 4 years ago
- Status changed from New to In Progress
- Assignee changed from Jan Kolařík to Radek Tomiška
Updated by Radek Tomiška over 4 years ago
- Status changed from In Progress to Needs feedback
- Assignee changed from Radek Tomiška to Jan Kolařík
- % Done changed from 0 to 70
Authentication filter by remote user is implemeted, commit:
https://github.com/bcvsolutions/CzechIdMng/commit/1a072285ccc743fc512658ac605f7b9e94984bec
Integration test provided and tested localy by simple tomcat valve configuration. Configuration is almost the same as core-sso-authentication-filter, but all users can be logged (app_admin too).
Could you test this new filter in your environment, please? Code review will be done after.
Note: hotfix branch (link above) has to be built and deployed.
Updated by Jan Kolařík over 4 years ago
Hi Radek,
could you please provide me with the WAR file ? Thank you.
Updated by Radek Tomiška over 4 years ago
Yes, I can, but it's one command in maven :)
https://github.com/bcvsolutions/CzechIdMng/tree/develop/Realization/backend#build-and-deploy
War (snapshot) is here:
https://nexus.bcvsolutions.eu/#browse/browse:maven-snapshots:eu%2Fbcvsolutions%2Fidm%2Fidm-app%2F9.7.13-SNAPSHOT%2F9.7.13-20191202.091422-1%2Fidm-app-9.7.13-20191202.091422-1.war
Updated by Jan Kolařík over 4 years ago
I don't know why, but when I tried to download the above mentioned app-9.7.13-20191202.091422-1.war file from Nexus I got the error: "Filter undefined (maven-snapshots) not found".
But after couple tries and attemtps I succeeded to build the war file. I tested idm app with these additional settings:
idm.sec.core.authentication-filter.core-remote-user-authentication-filter.enabled=true idm.sec.core.authentication-filter.core-remote-user-authentication-filter.uid-suffixes=@LOPATICKA.PISKOVISTE.BCV #idm.sec.core.authentication-filter.core-remote-user-authentication-filter.forbid
I confirm that login into application works based on the username in serverlet.
Updated by Radek Tomiška over 4 years ago
Login into nexus is needed to read snapshots. But it's great, if you was able to build it.
Can we do a code review and close this ticket?
Updated by Jan Kolařík over 4 years ago
Yes, I consider this feature completed, thanks. Please perform the code review and close the ticket.
Updated by Radek Tomiška over 4 years ago
- Assignee changed from Jan Kolařík to Vít Švanda
- % Done changed from 70 to 90
Awesome, thx!
Vitek, could you do a feedback, please?
Commit:
https://github.com/bcvsolutions/CzechIdMng/commit/1a072285ccc743fc512658ac605f7b9e94984bec
Updated by Vít Švanda over 4 years ago
I did review. Looks simple and great. Thanks for that.
Updated by Radek Tomiška over 4 years ago
- Status changed from Needs feedback to Resolved
- Assignee changed from Vít Švanda to Radek Tomiška
- % Done changed from 90 to 100
Updated by Radek Tomiška over 4 years ago
- Status changed from Resolved to Closed