SSO (Single Sign-On) for RT

Anyone have any direction on how to set up SSO for RT for Windows Active Directory?

I am currently in the middle of following this set of directions from a SafeSquid app (https://www.safesquid.com/content-filtering/integrating-linux-host-windows-ad-kerberos-sso-authentication) that seems like it would mostly apply to set up the service principals, user accounts, etc. This seems like the best set of directions I could find, unless anyone knows of any that are better? Most sites seem to assume Kerberos is already set up and working with the appropriate permissions.

[https://www.safesquid.com/sites/default/files/swg-16-9W_1.png]https://www.safesquid.com/content-filtering/integrating-linux-host-windows-ad-kerberos-sso-authentication

Integrating a Linux Host with a Windows AD for Kerberos …https://www.safesquid.com/content-filtering/integrating-linux-host-windows-ad-kerberos-sso-authentication
www.safesquid.com
Validate that IP of all our systems are resolvable by our DNS provider. Add the Linux host safesquid1 as a New Host in the DNS server’s configuration such that it’s …

And I am using:

Set($WebExternalAuth , 1);
Set($WebFallbackToInternalAuth , undef);
Set($WebExternalGecos , undef);
Set($WebExternalAuto , undef);

with the ExternalAuth extension.

Also using nginx with mod_auth_kerb.

Thanks,

ts

Which version of RT are you running?

Sincerely,

Aaron Lush
Network Administrator
South Central Community School Corporation
(219) 767-2266 ext. 1111On Tue, May 17, 2016 at 12:06 PM, t s zzzz67@hotmail.com wrote:

Anyone have any direction on how to set up SSO for RT for Windows Active
Directory?

I am currently in the middle of following this set of directions from a
SafeSquid app (
https://www.safesquid.com/content-filtering/integrating-linux-host-windows-ad-kerberos-sso-authentication) that
seems like it would mostly apply to set up the service principals, user
accounts, etc. This seems like the best set of directions I could find,
unless anyone knows of any that are better? Most sites seem to assume
Kerberos is already set up and working with the appropriate permissions.

https://www.safesquid.com/content-filtering/integrating-linux-host-windows-ad-kerberos-sso-authentication
Integrating a Linux Host with a Windows AD for Kerberos …
https://www.safesquid.com/content-filtering/integrating-linux-host-windows-ad-kerberos-sso-authentication
www.safesquid.com
Validate that IP of all our systems are resolvable by our DNS provider.
Add the Linux host safesquid1 as a New Host in the DNS server’s
configuration such that it’s …

And I am using:

Set($WebExternalAuth , 1);
Set($WebFallbackToInternalAuth , undef);
Set($WebExternalGecos , undef);
Set($WebExternalAuto , undef);

with the ExternalAuth extension.

Also using nginx with mod_auth_kerb.

Thanks,

ts


RT 4.4 and RTIR Training Sessions https://bestpractical.com/training

  • Washington DC - May 23 & 24, 2016

Email Confidentiality Notice: This email message, including all
attachments, is for the sole use of the intended recipient(s) and contains
confidential information. If you are not the intended recipient, you may
not use, disclose, print, copy or disseminate this information. Please
reply and notify the sender, delete the message and any attachments and
destroy all copies.

4.2— Original Message —

From: “Lush, Aaron” alush@scentral.k12.in.us
Sent: May 17, 2016 1:15 PM
To: “t s” zzzz67@hotmail.com
Cc: rt-users@lists.bestpractical.com
Subject: Re: [rt-users] SSO (Single Sign-On) for RT

Which version of RT are you running?

Sincerely,

Aaron Lush
Network Administrator
South Central Community School Corporation
(219) 767-2266 ext. 1111

On Tue, May 17, 2016 at 12:06 PM, t s <zzzz67@hotmail.commailto:zzzz67@hotmail.com> wrote:

Anyone have any direction on how to set up SSO for RT for Windows Active Directory?

I am currently in the middle of following this set of directions from a SafeSquid app (https://www.safesquid.com/content-filtering/integrating-linux-host-windows-ad-kerberos-sso-authentication) that seems like it would mostly apply to set up the service principals, user accounts, etc. This seems like the best set of directions I could find, unless anyone knows of any that are better? Most sites seem to assume Kerberos is already set up and working with the appropriate permissions.

[https://www.safesquid.com/sites/default/files/swg-16-9W_1.png]https://www.safesquid.com/content-filtering/integrating-linux-host-windows-ad-kerberos-sso-authentication

Integrating a Linux Host with a Windows AD for Kerberos …https://www.safesquid.com/content-filtering/integrating-linux-host-windows-ad-kerberos-sso-authentication
www.safesquid.comhttp://www.safesquid.com
Validate that IP of all our systems are resolvable by our DNS provider. Add the Linux host safesquid1 as a New Host in the DNS server’s configuration such that it’s …

And I am using:

Set($WebExternalAuth , 1);
Set($WebFallbackToInternalAuth , undef);
Set($WebExternalGecos , undef);
Set($WebExternalAuto , undef);

with the ExternalAuth extension.

Also using nginx with mod_auth_kerb.

Thanks,

ts

RT 4.4 and RTIR Training Sessions https://bestpractical.com/training

  • Washington DC - May 23 & 24, 2016

Email Confidentiality Notice: This email message, including all attachments, is for the sole use of the intended recipient(s) and contains confidential information. If you are not the intended recipient, you may not use, disclose, print, copy or disseminate this information. Please reply and notify the sender, delete the message and any attachments and destroy all copies.

How about any other way to simulate SSO? Our users simply don’t want to log in…

Such as, how long does an Active Directory login last before a user has to log in again? Is there a setting in RT_SiteConfig to extend that, maybe to forever?

Or, is there a way to detect the Windows username and pass that through without requiring login and authentication?

Thanks,

tsFrom: rt-users rt-users-bounces@lists.bestpractical.com on behalf of t s zzzz67@hotmail.com
Sent: Tuesday, May 17, 2016 1:18 PM
To: Lush, Aaron
Cc: rt-users@lists.bestpractical.com
Subject: Re: [rt-users] SSO (Single Sign-On) for RT

4.2

Re: SSO with Windows/Domain-Login

You can use ntlm auth on your webserver and configure RT to user the Webserver Authentication https://docs.bestpractical.com/rt/4.2.12/authentication.html#WebRemoteUserAuth Chrome + IE support NTLM out of the box. Firefox needs some config: http://superuser.com/questions/664656/how-to-configure-firefox-for-ntlm-sso-single-sign-on

Ntlm with apache: http://modntlm.sourceforge.net/

Vinzenz Sinapius
Information Technology | Informationstechnik

tracetronic GmbH
Stuttgarter Str. 3
01189 DRESDEN
GERMANY

Phone: +49 351 205768-167
Fax: +49 351 205768-999
E-mail: vinzenz.sinapius@tracetronic.demailto:vinzenz.sinapius@tracetronic.de

Head Office | Hauptsitz: Stuttgarter Str. 3, 01189 DRESDEN, GERMANY
Managing Directors | Geschäftsführer: Dr.-Ing. Rocco Deutschmann, Dr.-Ing. Peter Strähle
Registration Court | Registergericht: Amtsgericht Dresden, HRB 23 086Von: rt-users [mailto:rt-users-bounces@lists.bestpractical.com] Im Auftrag von t s
Gesendet: Mittwoch, 18. Mai 2016 19:08
An: Lush, Aaron alush@scentral.k12.in.us; rt-users@lists.bestpractical.com
Betreff: Re: [rt-users] SSO (Single Sign-On) for RT

How about any other way to simulate SSO? Our users simply don’t want to log in…

Such as, how long does an Active Directory login last before a user has to log in again? Is there a setting in RT_SiteConfig to extend that, maybe to forever?

Or, is there a way to detect the Windows username and pass that through without requiring login and authentication?

Thanks,

ts

From: rt-users rt-users-bounces@lists.bestpractical.com on behalf of t s zzzz67@hotmail.com
Sent: Tuesday, May 17, 2016 1:18 PM
To: Lush, Aaron
Cc: rt-users@lists.bestpractical.com
Subject: Re: [rt-users] SSO (Single Sign-On) for RT

4.2