Help setting up SSO

Is there a simple way to setup SSO? All I have seen is through web server and Kerberos but I’m confused on if I need to setup Kerberos keys in AD or on the actual Linux server.

There are lots of different ways people do single sign on, which is why it probably seems confusing if you’re looking for documentation on just “SSO”. Throw in different web servers and needs for different sorts of users and things can get complicated. For example for our SSO we use mod_shib on Apache to talk SAML2 to an IdP server which then authenticates using LDAP against our ActiveDirectory. If you already have the IdP side of things set up and do SAML on service provider web servers regularly like we do, this is a quick and easy win for SSO. If you don’t, there’s a huge learning curve!

If you’re using Apache and just want to do Kerberos against the AD, you’ll probably need to look at as mod_auth_kerb is the module you’ll need in Apache. But as it says in the documentation for that module you need to have your Kerberos /etc/krb5.conf configured with realms, kdc, etc. You’ll need to generate a service key for your machine and put that in a keytab that the Apache module can access. Full details are in the “Configure” menu at the link above.

1 Like

I finally got time to set this all up but it doesn’t actually save your session after restarting your computer. Is there something I need to add to the web config?

Set($WebRemoteUserAuth, 1);
Set($WebRemoteUserContinuous, 1);
Set($WebRemoteUserAutocreate, 1);
Set($WebFallbackToRTLogin, 1);
Set($UserAutocreateDefaultsOnLogin, { Privileged => 1 } );

    <Location />
            AuthType Kerberos
            AuthName "RT Kerberos"
            KrbAuthRealms XXXXXXX.XXXX
            Krb5Keytab /etc/XXX.keytab
            KrbMethodNegotiate Off
            KrbSaveCredentials Off
            KrbVerifyKDC Off
            Require valid-user

I finally got everything setup but is there a way to logout? Cause when I try to logout it automatically signs you back in (yes, SSO its supposed to).