Skip to content

Single Sign on (SSO) via GSSAPI#

For automatic login to i-doit within an intranet, authentication via Single Sign On (SSO) is the best option.

Conditions and assumptions#

The following conditions are the basis of this article:

  • i-doit is installed under GNU/Linux.
  • Active Directory (AD) on Windows Server 2008/2012 is used for authentication.

This article describes how to set up Single Sign On (SSO) under Apache web server using \mod-auth-gssapi.

Upper and lower case

The configuration is exactly case sensitive.

Configure Active Directory (AD)#

A user is generated in AD for SSO access. Example:

  • Server name of i-doit: idoit.mydomain.local
  • AD domain: addomain.local
  • SSO user: ssouser
  • Password: password

Configuration of the i-doit server#

Installation of all required packages

1
2
3
4
5
6
7
8
9
# Debian GNU/Linux or Ubuntu Linux:
sudo apt install msktutil libapache2-mod-auth-gssapi kinit krb5-user

Info:
Domain"REALM" angeben: addomain.local
Hostname"Passwortserver" mydomaincontroller

# Apache neustarten:
sudo systemctl restart apache2.service

Initial registration and creation of the keytab#

1
2
3
4
5
6
7
8
# Authentication of the server:
kinit <AD Administrator Account>

# Creating the keytab:
msktutil --server <AD Domain-Controller> --user-creds-only --update --use-service-account --service HTTP/idoit.mydomain.local --keytab /etc/apache2/apache_krb5.keytab --password <SERVICE ACCOUNT PASSWORD> --account-name ssouser

# Assign permissions for Apache
chmod 644 /etc/apache2/apache_krb5.keytab

Configure Apache Web Server#

This file will customize the new VHost configuration:

 1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
12
13
sudo nano /etc/apache2/sites-available/i-doit.conf

<Directory /var/www/html/>

        AuthType GSSAPI
        AuthName "i-doit Kerberos auth"
        GssapiBasicAuth On
        GssapiCredStore keytab:/etc/apache2/apache_krb5.keytab
        GssapiLocalName On

        Require valid-user

</Directory>

Afterwards restart Apache once so that the changes take effect

1
sudo systemctl restart apache2.service

To test the configuration, execute the following command:

1
kinit ssouser@ADDOMAIN.LOCAL