Configure SSO with SPNEGO

Introduction

This page explains how the Axway SSO agent can be configured to use Kerberos authentication and SPNEGO, with Microsoft's "HTTP Negotiate" authentication extension, to provide single sign-on (SSO).

Glossary

SPNEGO

Simple and Protected GSSAPI Negotiation Mechanism (SPNEGO) is a generic security service mechanism used in client-server communication to negotiate which security mechanism protects the communication channel, for example when an application client wants to authenticate to a remote server but neither party knows which authentication protocols the other supports. SPNEGO provides a way to extend a Kerberos SSO environment to web applications.

Kerberos

Kerberos is a network authentication protocol. It provides strong cryptographic authentication of the parties involved, which lets clients and servers communicate in a more secure manner. It is used here as the negotiated sub-mechanism of SPNEGO.

Key Distribution Center

The authentication server in a Kerberos environment is called the Key Distribution Center (KDC), after its role of distributing the tickets that grant access to services.

JAAS

Java Authentication and Authorization Service (JAAS) is the Java implementation of the standard Pluggable Authentication Module (PAM) information security framework. Its Kerberos login module is used by the Axway SSO agent.

keytab file

A keytab is a file containing pairs of Kerberos principals and encrypted keys. It allows the SSO agent to authenticate automatically with Kerberos.

Login process with SSO SPNEGO

Configuration

To activate SSO with SPNEGO:

  1. Create the SSO configuration file. It describes the service provider configuration and additional properties for identity providers.
  2. Create the Kerberos configuration file. It describes the JAAS implementation used to perform Kerberos authentication and references the keytab file.
  3. Activate the SSO agent SPNEGO configuration by referencing the SSO configuration file in platform.properties:

Referencing the SSO configuration file in platform.properties
# SSO configuration
axway.sso.config.file=${com.systar.platform.conf.dir}/axway-sso-service-provider.xml
# Configure the SSO in strict mode
com.systar.photon.application.auth.ssoMode=strict

SSO configuration file

Here's a full example of an SSO configuration file for SPNEGO usage:

Sample SSO configuration file (i.e. axway-sso-service-provider.xml)
<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<SSOConfiguration>
    <CertificateValidation pathValidation="false"/>
    <ServiceProvider entityId="spnegoSpAxwayTest" useAppSessions="true" filteredUri="/login" logoutUri="/ssoDisconnected"/>
    <IdentityProviders>
        <KerberosIdentityProvider entityId="kerberos" configurationUrl="/PATH/TO/KERBEROS/FILE/krb5Login.conf">
            <Mappings>
                <RenameMapping source="userid" target="com.systar.userPrincipal.email"/>
            </Mappings>
        </KerberosIdentityProvider>
    </IdentityProviders>
</SSOConfiguration>

<CertificateValidation> element

This feature cannot be used together with a SPNEGO configuration and must be disabled.

Attribute Description

pathValidation

This feature is not activated for SPNEGO. Value must be false

<ServiceProvider> element

Describes the service provider. Mandatory attributes:

Attribute Description
entityId

Sets the unique identifier of the service provider. As this identifier is only used for debugging purpose, any value is valid.

useAppSessions

Delegates the session management to the application. See Session management for more information.

Value must be true

filteredUri

Specifies the URI of the SSO filter entry point for authentication.

Value must be "/login"

logoutUri

Although it is not used, the logout URI must be provided.

Value must be "/ssoDisconnected"

<KerberosIdentityProvider> element

Describes the entity that exchanges Kerberos messages with the SSO module. Mandatory attributes:

Attribute Description
entityId

The entityId and format attributes are used to uniquely identify the identity provider configuration. As only one identity provider is configured, any value is valid.

configurationUrl

Specifies the path of the Kerberos configuration file.

<Mappings> and <RenameMapping> elements

These elements define the mappings to apply to the identity provider attributes. For DI, map the relevant attribute from the IdP to its DI counterpart so that the attribute value is kept.

Attribute Description

source

Name of the identity provider attribute.

Currently, only userid is available

target

Possible values that will match user property on ADI side:

  • com.systar.userPrincipal.firstName
  • com.systar.userPrincipal.lastName
  • com.systar.userPrincipal.email
  • com.systar.userPrincipal.description

Kerberos configuration file

The Kerberos configuration file needed by the SSO agent must conform to the syntax of a JAAS Login Configuration File as the agent relies on the JAAS implementation to do Kerberos authentication. An example of such a file is given below:

Sample Kerberos JAAS configuration file (i.e. krb5Login.conf)
com.sun.security.jgss.krb5.accept {
    com.sun.security.auth.module.Krb5LoginModule required
    principal="HTTP/myappserver.axlab.int@AXLAB.INT"
    keyTab="/PATH/TO/KEYTAB/sp.keytab"
    useKeyTab=true
    storeKey=true
    doNotPrompt=true
    isInitiator=false;
};

The fields below must be customized:

Field Description

principal

Represents the Service Principal Name (SPN) of the application and must match the name registered in the KDC. Format must be HTTP/hostname@REALM.

This value (SPN) is case sensitive.

keyTab

Path to the keytab file containing the secret key of the application. This file must be created from the KDC.

Anyone with read permission on a keytab file can use all the keys in the file. To prevent misuse, restrict the access permissions of this keytab file.

According to the JAAS documentation, other parameters can be configured for the Kerberos login module. However, we advise you to keep the same parameters as provided in the sample.
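As an added example (not Axway's own code), this Python script parses a JAAS login configuration in the format shown above, checks the principal against the HTTP/hostname@REALM format (treating a realm that is not upper-case as an error, which is a Kerberos convention rather than a rule stated on this page), compares the option values with the sample, and verifies that the keytab file is not readable by group or others. The sample entry is constructed with two mistakes.

```python
import os
import re
import stat

# One JAAS entry: name { ModuleClass flag option=value ... ; };
ENTRY_RE = re.compile(r"(\S+)\s*\{(.*?)\};", re.S)
OPTION_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')
SPN_RE = re.compile(r"^HTTP/[A-Za-z0-9.-]+@[A-Z0-9.-]+$")  # HTTP/hostname@REALM, case sensitive
EXPECTED = {"useKeyTab": "true", "storeKey": "true", "doNotPrompt": "true", "isInitiator": "false"}  # page sample

def parse_jaas(text):
    """Return {entry_name: {"module": str, "flag": str, "options": dict}}."""
    entries = {}
    for name, body in ENTRY_RE.findall(text):
        parts = body.strip().rstrip(";").split(None, 2)  # module class, flag, options
        opts = OPTION_RE.findall(parts[2]) if len(parts) > 2 else []
        entries[name] = {"module": parts[0], "flag": parts[1], "options": {k: q or b for k, q, b in opts}}
    return entries

def check_accept_entry(entries):
    """Return the problems found in the krb5.accept entry; an empty list means it is consistent."""
    entry = entries.get("com.sun.security.jgss.krb5.accept")
    if entry is None:
        return ["missing com.sun.security.jgss.krb5.accept entry"]
    opts, problems = entry["options"], []
    if not SPN_RE.match(opts.get("principal", "")):
        problems.append(f"principal {opts.get('principal')!r} is not of the form HTTP/hostname@REALM")
    if not opts.get("keyTab"):
        problems.append("keyTab is required")
    for key, value in EXPECTED.items():
        if opts.get(key) != value:
            problems.append(f"{key} should be {value}, got {opts.get(key)!r}")
    return problems

def check_keytab_permissions(path):
    """The keytab must exist and must not be readable by group or others."""
    if not os.path.exists(path):
        return [f"keytab {path} does not exist"]
    mode = os.stat(path).st_mode
    if mode & (stat.S_IRWXG | stat.S_IRWXO):
        return [f"keytab {path} is accessible by group/others (mode {stat.S_IMODE(mode):04o})"]
    return []
# Constructed sample with two mistakes: lower-case realm in the SPN and isInitiator=true
SAMPLE = """com.sun.security.jgss.krb5.accept {
    com.sun.security.auth.module.Krb5LoginModule required
    principal="HTTP/myappserver.axlab.int@axlab.int"
    keyTab="/PATH/TO/KEYTAB/sp.keytab" useKeyTab=true storeKey=true doNotPrompt=true
    isInitiator=true;
};"""
```

Run check_accept_entry(parse_jaas(SAMPLE)) for the entry checks and check_keytab_permissions on the configured keyTab path on the server where the keytab actually lives.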
