I want to implement single sign-on to RT from a web application. I couldn’t find an existing discussion about this scenario and decided to create a new topic.
The easiest path seems to be:
- Create a JWT token in the web app
- Send a JS request to the RT server, where a JWT decoding module in Apache would populate REMOTE_USER from the JWT token contents, so that RT automatically creates a user (via WebRemoteUserAuth / WebRemoteUserAutocreate) and sets a session cookie
- Redirect user to RT server.
The questions I have are:
Is this the best approach to implement SSO from a web application that has its own user accounts (i.e. no LDAP)?
Any suggestions which Apache module is best to use to set REMOTE_USER from JWT?
I assume cross-domain cookies shouldn’t be a major problem, as we have the application running on the same domain (i.e. app.domain.com and rt.domain.com), and this can be made to work with minor cookie/cross-domain header adjustments on the RT end.
Is there an easier way? For example, something like passing a short-lived JWT in a GET/POST parameter seems to be a more reliable option by eliminating cross-domain cookies but I couldn’t figure out how to implement it using existing Apache modules and built-in RT features.
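Whatever ends up in front of RT (an Apache module, a small auth handler, or a reverse proxy) has to do the same job: verify the token the web app minted and only then put a username into REMOTE_USER, because with WebRemoteUserAutocreate enabled RT will create an account for whatever name arrives there. The block below is an added example written for this post; it is not code from RT, from any Apache module, or from the original poster. It shows the web-app side minting a short-lived HS256 token and the RT side verifying it, in Python so it runs stand-alone. The shared secret, the username pattern, and the 60-second lifetime are hypothetical; the issuer and audience hostnames are the ones named in the post. The same verifier applies whether the token arrives in a JS request or as a GET/POST parameter.

```python
"""Mint and verify a short-lived HS256 JWT and derive the REMOTE_USER value.

Added example, not code from RT or from any Apache module. SECRET,
USERNAME_RE and TTL_SECONDS are hypothetical; the hostnames come from
the post.
"""
import base64
import hashlib
import hmac
import json
import re
import time
from typing import Optional

SECRET = b"replace-with-a-long-random-shared-secret"   # hypothetical shared key
ISSUER = "app.domain.com"                               # web app (from the post)
AUDIENCE = "rt.domain.com"                              # RT host (from the post)
TTL_SECONDS = 60                                        # one redirect hop, not a session
USERNAME_RE = re.compile(r"[A-Za-z0-9._@-]{1,64}")      # hypothetical RT name policy


class TokenError(ValueError):
    """Raised for any token that must not populate REMOTE_USER."""


def _b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def _json_segment(obj) -> str:
    return _b64url_encode(json.dumps(obj, separators=(",", ":")).encode())


def mint_token(username: str, now: Optional[int] = None, secret: bytes = SECRET) -> str:
    """Web-app side: issue a token naming the user that expires quickly."""
    now = int(time.time()) if now is None else now
    claims = {"sub": username, "iss": ISSUER, "aud": AUDIENCE,
              "iat": now, "exp": now + TTL_SECONDS}
    signing_input = _json_segment({"alg": "HS256", "typ": "JWT"}) + "." + _json_segment(claims)
    sig = hmac.new(secret, signing_input.encode("ascii"), hashlib.sha256).digest()
    return signing_input + "." + _b64url_encode(sig)


def remote_user_from_token(token: str, now: Optional[int] = None,
                           secret: bytes = SECRET, leeway: int = 5) -> str:
    """RT side: return the name to put in REMOTE_USER, or raise TokenError.

    The signature is checked with a pinned algorithm before any header or
    claim is trusted; the header's "alg" is never used to pick a verifier.
    """
    parts = token.split(".")
    if len(parts) != 3:
        raise TokenError("malformed token")
    header_b64, claims_b64, sig_b64 = parts
    try:
        presented = _b64url_decode(sig_b64)
        expected = hmac.new(secret, f"{header_b64}.{claims_b64}".encode("ascii"),
                            hashlib.sha256).digest()
    except ValueError as exc:
        raise TokenError("malformed token") from exc
    if not hmac.compare_digest(expected, presented):
        raise TokenError("bad signature")
    try:
        header = json.loads(_b64url_decode(header_b64))
        claims = json.loads(_b64url_decode(claims_b64))
    except ValueError as exc:
        raise TokenError("malformed header or claims") from exc
    # "alg": "none" or any other algorithm is rejected even though the HMAC matched
    if not isinstance(header, dict) or header.get("alg") != "HS256":
        raise TokenError("unexpected alg")
    if not isinstance(claims, dict):
        raise TokenError("claims is not an object")
    if claims.get("iss") != ISSUER or claims.get("aud") != AUDIENCE:
        raise TokenError("wrong issuer or audience")
    now = int(time.time()) if now is None else now
    exp = claims.get("exp")
    if isinstance(exp, bool) or not isinstance(exp, int) or now > exp + leeway:
        raise TokenError("expired or missing exp")
    sub = claims.get("sub")
    # RT will autocreate whatever name lands in REMOTE_USER, so whitelist its shape
    if not isinstance(sub, str) or not USERNAME_RE.fullmatch(sub):
        raise TokenError("sub is not an acceptable RT username")
    return sub


def is_rejected(token: str, now: Optional[int] = None) -> bool:
    """True when the verifier refuses the token (yes/no form of the check above)."""
    try:
        remote_user_from_token(token, now=now)
    except TokenError:
        return True
    return False


if __name__ == "__main__":
    tok = mint_token("alice")
    print("REMOTE_USER =", remote_user_from_token(tok))
```

Two points carry over to whatever module is eventually chosen: the accepted algorithm must be fixed on the verifying side rather than read from the token, and the short expiry plus issuer/audience checks are what make a token safe to carry in a URL or POST body at all (a GET parameter also lands in server logs and Referer headers, so the lifetime should cover only the redirect itself).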