
Single sign-on


Level: Advanced

Keywords: authentication, single sign-on, LDAP, login

The result: login to the SAMO application using LDAP login credentials

Single sign-on (SSO) is an authentication scheme that allows a user to log in with a single ID and password to any of several related, yet independent, software systems. It is often accomplished by using the Lightweight Directory Access Protocol (LDAP) and the LDAP databases stored on (directory) servers.

How LIDS uses it: domain accounts are imported into LIDS Security so that these SSO principals can be used to log in automatically. The users must therefore be present in LIDS Security in the form firstname.surname@domain.com.

How to configure SSO?

Get Keytab and Kerberos config files

You have to get two files:

  • the keytab for the particular server (server.keytab)
  • the Kerberos config file for the server (krb5.ini; not always mandatory)

Define in ENV files

Every environment can have its own parameters for single sign-on, so the parameters are saved in the main env folder of that environment. For the local bundles, sso_keytab and sso_krbconf are left empty.

env - configuration for GATEWAY
sso_principal=HTTP/server.domain@DOMAIN

sso_keytab=/usr/local/data/server.keytab
sso_krbconf=/usr/local/data/krb5.ini

These files are saved in the data folder for SAMO (Linux or Windows structure); the parameter path is the path as seen from inside the Docker containers (/usr/local/data/...).

The configuration is used as ECA and SECA parameters, so the environment must be rebuilt (docker-compose down, then docker-compose up) for the changes to take effect.

env - configuration for ECA, SECA
SECA_ldap_synchronization_enabled=true
SECA_ldap_domain=DOMAIN
SECA_ldap_containers=<list><value>COMPANY|ou=Users,ou=Accounts,ou=Country,ou=COMPANY,dc=company,dc=local</value></list>
SECA_ldap_query=(& (objectClass=user) (| (sn=${searchText}) (givenName=${searchText})))

ECA_kerberos_sso_service_principal=HTTP/server.domain@DOMAIN
ECA_kerberos_sso_keytab_location=file:/usr/local/data/server.keytab

Define in tenants metadata (packages)

Add the following configuration to the file ..\gateway\tenants\tenantName.json.

Tenant - configuration example
{
  "applications" : {
    "applicationName" : {
      "sessionType" : "memory",
      "sessionExpiration" : 3600000,
      "authenticationMethods" : [
        {
          "type" : "jwt"
        },
        {
          "type" : "kerberos",
          "servicePrincipal" : "{$sso_principal}",
          "keytabLocation" : "{$sso_keytab}",
          "krbConfLocation" : "{$sso_krbconf}",
          "debug" : true
        }
      ],
      "loginIdentityManagements" : [
        "samo-lids-users",
        "ldap"
      ]
    }
  },
  "users" : {
    "identityManagement" : "samo-lids-users",
    "accountStatusIdentityManagement" : "ldap",
    "login" : {
      "allowErrorMessages" : true,
      "errorMessagesFilter" : [
        "[-120]*",
        "[-140]*"
      ]
    }
  }
}
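As an added example (not SAMO/LIDS code), the following Python check ties the env parameters and the tenant JSON above together: it resolves the {$sso_*} placeholders against the env values and flags the misconfigurations that most often break Kerberos SSO, namely a service principal that is not of the form HTTP/host@REALM or differs between the gateway and ECA settings, a keytab or krb5.ini path that is not the in-container /usr/local/data path, and an LDAP query that lacks ${searchText} or has unbalanced parentheses. The sample env text and tenant JSON are constructed from the page's examples, and the function names are hypothetical.

```python
import json, re

# Constructed sample input modelled on this page's env and tenant examples (not real config).
ENV_TEXT = """sso_principal=HTTP/server.domain@DOMAIN
sso_keytab=/usr/local/data/server.keytab
sso_krbconf=/usr/local/data/krb5.ini
ECA_kerberos_sso_service_principal=HTTP/server.domain@DOMAIN
SECA_ldap_query=(& (objectClass=user) (| (sn=${searchText}) (givenName=${searchText})))"""
TENANT_JSON = """{"applications": {"applicationName": {"authenticationMethods": [{"type": "jwt"},
  {"type": "kerberos", "servicePrincipal": "{$sso_principal}",
   "keytabLocation": "{$sso_keytab}", "krbConfLocation": "{$sso_krbconf}"}]}}}"""

PRINCIPAL_RE = re.compile(r"^HTTP/[A-Za-z0-9.-]+@[A-Z0-9.-]+$")  # HTTP/host@REALM
PLACEHOLDER_RE = re.compile(r"\{\$(\w+)\}")                     # {$name} as used in the tenant JSON

def parse_env(text):
    # key=value lines; blank lines and # comments are ignored, split at the first '=' only
    env = {}
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#") and "=" in line:
            key, _, value = line.partition("=")
            env[key.strip()] = value.strip()
    return env

def resolve(value, env):
    # Substitute {$name} from env; an unknown name is left in place so it can be flagged
    return PLACEHOLDER_RE.sub(lambda m: env.get(m.group(1), m.group(0)), value)

def check_sso_config(env_text, tenant_json):
    # Returns the misconfigurations found; an empty list means every check passed
    env, problems = parse_env(env_text), []
    for app, cfg in json.loads(tenant_json).get("applications", {}).items():
        for method in cfg.get("authenticationMethods", []):
            if method.get("type") != "kerberos":
                continue
            principal = resolve(method.get("servicePrincipal", ""), env)
            if not PRINCIPAL_RE.match(principal):
                problems.append(f"{app}: servicePrincipal '{principal}' is not of the form HTTP/host@REALM")
            if principal != env.get("ECA_kerberos_sso_service_principal"):
                problems.append(f"{app}: gateway and ECA service principals differ")
            for key in ("keytabLocation", "krbConfLocation"):
                path = resolve(method.get(key, ""), env)
                if PLACEHOLDER_RE.search(path) or not path.startswith("/usr/local/data/"):
                    problems.append(f"{app}: {key} '{path}' is unresolved or outside the container data folder")
    query = env.get("SECA_ldap_query", "")
    if "${searchText}" not in query or query.count("(") != query.count(")"):
        problems.append("SECA_ldap_query must be a balanced filter that contains ${searchText}")
    return problems
```

Run it against the real env file and tenant JSON before the docker-compose rebuild; an empty result means the Kerberos method, the ECA principal and the LDAP query agree.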