Configure SSO with SPNEGO


This page explains how the Axway SSO agent can be configured to use Kerberos authentication and SPNEGO, carried by Microsoft's "HTTP Negotiate" authentication extension, to provide single sign-on (SSO).



Simple and Protected GSSAPI Negotiation Mechanism (SPNEGO) is a generic security service mechanism that lets a client and a server negotiate which authentication mechanism to use on their communication channel, for example when an application client wants to authenticate to a remote server but neither party knows in advance which authentication protocols the other supports. SPNEGO provides a way to extend a Kerberos SSO environment to web applications.
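
The HTTP round trip that carries the negotiation, as an added example that is not part of the Axway documentation: the server answers an unauthenticated request with a Negotiate challenge, and the client retries with a base64 GSS-API/SPNEGO token. The two messages below are constructed samples (the host name and the truncated token are placeholders, not a real ticket). The token check at the end is the practitioner's first diagnostic when SSO does not work: a token starting with "TlRMTVNTUA" is NTLM, which means the browser could not get a Kerberos service ticket and fell back.

```shell
#!/bin/sh
# Added example (not part of the Axway documentation): the HTTP "Negotiate" round trip
# that carries SPNEGO, parsed from constructed sample messages.

# Constructed sample: the challenge the SSO filter entry point returns to an
# unauthenticated client.
CHALLENGE='HTTP/1.1 401 Unauthorized
WWW-Authenticate: Negotiate
Content-Length: 0'

# Constructed sample: the client retry. A browser holding a Kerberos TGT answers with a
# base64 GSS-API/SPNEGO token; the value here is a truncated placeholder, not a real ticket.
REPLY='GET /login HTTP/1.1
Host: app.example.com
Authorization: Negotiate YIIBzwYGKwYBBQUCoIIBwzCCAb+gDTAL'

# negotiate_offered HEADERS: exit 0 when the response carries "WWW-Authenticate: Negotiate"
negotiate_offered() {
    printf '%s\n' "$1" | awk '{ sub(/\r$/, "") }
        tolower($1) == "www-authenticate:" && tolower($2) == "negotiate" { found = 1 }
        END { exit !found }'
}

# negotiate_token HEADERS: print the base64 token of the "Authorization: Negotiate" header
negotiate_token() {
    printf '%s\n' "$1" | awk '{ sub(/\r$/, "") }
        tolower($1) == "authorization:" && tolower($2) == "negotiate" { print $3 }'
}

# token_kind TOKEN: classify the base64 token. A GSS-API token starts with DER tag 0x60,
# which base64-encodes to a "YI" prefix; an NTLM message starts with "NTLMSSP\0", which
# encodes to "TlRMTVNTUA". NTLM here means the browser did not obtain a Kerberos service
# ticket (typically a missing or mismatched SPN) and fell back.
token_kind() {
    case "$1" in
        TlRMTVNTUA*) echo ntlm ;;
        YI*)         echo spnego ;;
        *)           echo unknown ;;
    esac
}

# Stand-alone run: report what each side of the constructed exchange did.
if negotiate_offered "$CHALLENGE"; then
    echo "server: challenges with Negotiate"
fi
echo "client: token kind = $(token_kind "$(negotiate_token "$REPLY")")"
```

Run against a real deployment by capturing the headers of the request to the filteredUri ("/login") with the browser's developer tools and feeding them to negotiate_token and token_kind.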


Kerberos is a network authentication protocol. It provides strong cryptographic authentication of clients and servers so that they can communicate securely. It is used here as the sub-mechanism negotiated by SPNEGO.

Key Distribution Center

In a Kerberos environment the authentication server is called the Key Distribution Center (KDC), after its role of distributing the tickets that grant access to services.


Java Authentication and Authorization Service (JAAS) is the Java implementation of the standard Pluggable Authentication Module (PAM) security framework. The Axway SSO agent uses its Kerberos login module.

keytab file

A keytab is a file containing pairs of Kerberos principals and their encrypted keys. It lets the agent authenticate with Kerberos automatically, without a password prompt.

Login process with SSO SPNEGO


To activate SSO with SPNEGO:

  1. Create the SSO configuration file. It describes the service provider configuration and additional properties for the identity provider.

  2. Create the Kerberos configuration file. It describes the JAAS login configuration used for Kerberos authentication and references the keytab file.

  3. Activate the SSO agent SPNEGO configuration by referencing the SSO configuration file from the agent's configuration properties. Only the comment lines of the relevant properties are preserved on this page:
# SSO configuration
# Configure the SSO in strict mode

SSO configuration file

Here's a full example of an SSO configuration file for SPNEGO usage:

Sample SSO configuration file (i.e. axway-sso-service-provider.xml)
<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<!-- root element of the sample (its name is not preserved on this page) -->
    <CertificateValidation pathValidation="false"/>
    <ServiceProvider entityId="spnegoSpAxwayTest" useAppSessions="true" filteredUri="/login" logoutUri="/ssoDisconnected"/>
    <KerberosIdentityProvider entityId="kerberos" configurationUrl="/PATH/TO/KERBEROS/FILE/krb5Login.conf">
        <Mappings>
            <RenameMapping source="userid" target=""/>
        </Mappings>
    </KerberosIdentityProvider>
<!-- end of root element -->

<CertificateValidation> element

This feature cannot be used together with a SPNEGO configuration and must be disabled.

Attribute   Description

pathValidation   This feature is not activated. Value must be false.

<ServiceProvider> element

Describes the service provider. Mandatory attributes:

Attribute   Description

entityId   Sets the unique identifier of the service provider. As this identifier is only used for debugging purposes, any value is valid.

useAppSessions   Delegates the session management to the application. See Session management for more information. Value must be true.

filteredUri   Specifies the URI of the SSO filter entry point for authentication. Value must be "/login".

logoutUri   Although it is not used, a logout URI must be provided. Value must be "/ssoDisconnected".

<KerberosIdentityProvider> element

Describes the entity that exchanges Kerberos messages with the SSO module. Mandatory attributes:

Attribute   Description

entityId   The entityId (and format) attributes uniquely identify the identity provider configuration. As only one identity provider is configured, any value is valid.

configurationUrl   Specifies the path of the Kerberos configuration file (the JAAS login configuration file described in the Kerberos configuration file section).

<Mappings> and <RenameMapping> elements

<Mappings> contains the mappings to apply to the identity provider attributes. For DI, map the relevant attribute from the IdP to its DI counterpart so that the attribute value is kept.

Attribute   Description

source   Name of the identity provider attribute. Currently, only userid is available.

target   Name of the user property on the ADI side that receives the value. Possible values:
  • com.systar.userPrincipal.firstName
  • com.systar.userPrincipal.lastName
  • com.systar.userPrincipal.description

Kerberos configuration file

The Kerberos configuration file needed by the SSO agent must conform to the syntax of a JAAS login configuration file, as the agent relies on the JAAS implementation to perform Kerberos authentication. An example of such a file is given below:

Sample Kerberos JAAS configuration file (i.e. krb5Login.conf)
{ required

Fields below must be customized:

principal (Krb5LoginModule option)   Represents the Service Principal Name (SPN) of the application and must match the name registered in the KDC. Format must be HTTP/hostname@REALM. This value (SPN) is case sensitive.

keyTab (Krb5LoginModule option)   Path to the keytab file containing the secret key of the application. This file must be created from the KDC. Anyone with read permission on a keytab file can use all the keys in the file; to prevent misuse, restrict the access permissions of this keytab file to the account that runs the agent.

According to the JAAS documentation, other parameters can be configured for the Kerberos login module. However, we advise you to keep the same parameters as provided in the sample.
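
The two customized fields and the keytab permission caveat above, as an added example that is neither Axway's sample nor its tooling: a check that the SPN has the HTTP/hostname@REALM shape with the exact "HTTP" service class, a check that the keytab is readable only by its owner, and a rendering of a JAAS entry. It assumes the agent is configured with the JDK's com.sun.security.auth.module.Krb5LoginModule; the entry name, host, realm and keytab path are placeholders.

```shell
#!/bin/sh
# Added example, not Axway's own sample or tooling: checks for the two values the JAAS file
# takes (the SPN and the keytab path) and a rendering of a Krb5LoginModule entry.
# Assumptions: the agent uses the JDK's com.sun.security.auth.module.Krb5LoginModule; the
# entry name, host, realm and keytab path below are placeholders.

# valid_spn SPN: exit 0 when SPN has the form HTTP/hostname@REALM. The service class must
# be exactly "HTTP" (the SPN is case sensitive) and the realm is required; the realm is
# also checked to be upper case, which is the Kerberos convention for realm names.
valid_spn() {
    case "$1" in
        HTTP/*@*) ;;
        *) return 1 ;;
    esac
    rest=${1#HTTP/}
    host=${rest%%@*}
    realm=${rest#*@}
    [ -n "$host" ] && [ -n "$realm" ] || return 1
    [ "$realm" = "$(printf '%s' "$realm" | tr '[:lower:]' '[:upper:]')" ]
}

# keytab_private FILE: exit 0 when FILE is a regular file with no group or other permission
# bits, i.e. only the owner (the account running the agent) can read the keys in it.
keytab_private() {
    [ -f "$1" ] || return 1
    [ "$(ls -ld "$1" | cut -c5-10)" = "------" ]
}

# render_jaas_conf NAME SPN KEYTAB: print a JAAS login entry for a service that accepts
# SPNEGO tokens (isInitiator=false) and authenticates from the keytab instead of a prompt.
render_jaas_conf() {
    cat <<EOF
$1 {
    com.sun.security.auth.module.Krb5LoginModule required
        principal="$2"
        useKeyTab=true
        keyTab="$3"
        storeKey=true
        doNotPrompt=true
        isInitiator=false;
};
EOF
}

# Stand-alone run with a constructed placeholder for the keytab (an empty temporary file).
SPN='HTTP/app.example.com@EXAMPLE.COM'
KEYTAB=$(mktemp)
chmod 644 "$KEYTAB"               # deliberately too open, as a freshly copied file often is
if valid_spn "$SPN"; then echo "SPN ok: $SPN"; else echo "bad SPN: $SPN"; fi
if keytab_private "$KEYTAB"; then
    echo "keytab permissions ok"
else
    echo "keytab readable by others, restricting to owner"
    chmod 600 "$KEYTAB"
fi
keytab_private "$KEYTAB" && render_jaas_conf SpnegoAgent "$SPN" "$KEYTAB"
rm -f "$KEYTAB"
```

Point keytab_private at the real keytab referenced by keyTab before starting the agent; a keytab that fails the check should be fixed with chmod 600 and chown to the agent's account rather than by loosening anything else.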
