Login via html-form (username/password) and WebExternalAuth side-by-side

Hi guys,

I want to give my users the possibility to log in to RT through an
SSO mechanism (here: Kerberos).
It works fine if I require a Kerberos ticket through apache2.
However, I would like to either have the people type their username /
password in the HTML login form
or click a button to log in with the Kerberos ticket.
Thus on the Apache side all of RT is unprotected.
I created a new directory KrbAuth (beside html/NoAuth) which you have to
have the Krb ticket to access.

I copied the Login.html from NoAuth to KrbAuth/Login.html
and then call AttemptExternalAuth() instead of
AttemptPasswordAuthentication().

This, however, does not work. I do log in, get the correct username etc.,
but the RT session is not properly set up.

Is something like this possible at all and if so, how do I do it?

Many thanks,
Ciao

Luca

> I want to give my users the possibility to log in to RT through an
> SSO mechanism (here: Kerberos).
> It works fine if I require a Kerberos ticket through apache2.
> However, I would like to either have the people type their username /
> password in the HTML login form
> or click a button to log in with the Kerberos ticket.

I’d suggest either two Virtual Hosts, one which does the kerberos
tickets, or one domain using Satisfy so that people without kerberos
tickets drop through to RT’s login.

Have you reviewed
http://bestpractical.com/docs/rt/latest/authentication
Your technique of copying and fiddling with Login.html seems much more
complicated than it’s needed to be for anyone that we’ve set this up
for before. Most of the time folks just have a button on the normal
login page that runs them off to the shib or kerb auth points and then
back again and then RT notices you have REMOTE_USER and you’re good to
go.

-kevin
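
One way the button approach described in the reply above could be laid out, as an added example that is not from the thread or from RT's documentation: only one entry path demands a Kerberos ticket, and everything else stays open so RT's own form handles password logins. The use of mod_auth_kerb, the realm, the keytab path and RT being mounted at / are assumptions; the RT option names in the comments are assumed from the WebExternalAuth naming in the subject line.

```apache
# Added example. Realm, keytab path and mount point are placeholders
# (assumptions), not values from the thread.
# Assumes mod_auth_kerb is loaded and RT is already served at / on this host.

# No authentication directives apply outside /KrbAuth, so requests without
# a ticket reach RT's HTML login form and can use username/password.

# The single entry point that a "Log in with Kerberos" button links to.
# Apache sets REMOTE_USER only on requests under this path, so the page
# here must be served by RT itself (the thread's html/KrbAuth directory)
# for RT to see it.
<Location /KrbAuth>
    AuthType Kerberos
    AuthName "RT Kerberos login"
    KrbAuthRealms EXAMPLE.ORG
    Krb5Keytab /etc/apache2/rt.keytab
    KrbServiceName HTTP
    KrbMethodNegotiate on
    # Do not fall back to a Basic-auth password prompt on this path;
    # passwords are only ever entered into RT's own form.
    KrbMethodK5Passwd off
    Require valid-user
</Location>

# Matching RT_SiteConfig.pm settings (Perl, shown here as comments):
#   Set($WebExternalAuth, 1);            # accept REMOTE_USER set by Apache
#   Set($WebFallbackToInternalAuth, 1);  # no REMOTE_USER: use RT's login form
#   Set($WebExternalAuthContinuous, 0);  # check REMOTE_USER at login only,
#                                        # since later requests outside
#                                        # /KrbAuth will not carry it
```

mod_auth_kerb reports REMOTE_USER as `user@REALM` by default, so the RT usernames have to match that form or the realm has to be stripped before RT looks the user up.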

Hi Kevin,
thank you very much for your suggestions.
Unfortunately here I have some firewall restrictions
so 2 Virtual hosts could be difficult.
I will try to read

http://bestpractical.com/docs/rt/latest/authentication

Thank you again

Luca