Forum OpenACS Q&A: SingleSignOn Implementation

Request notifications

Posted by Sabine St. on

I'm trying to implement a single sign on to our OpenACS web application, where users who are logged in on windows and have an ActiveDirectory user, should be logged in automatically at the web application.

We are using NaviServer 4.99.

I have already installed openldap and with ns_authpam I can let the user login with his AD login credentials and get further information about the user from ldap.

I tried to use kerberos (and got a keytab file from the AD provider for our domain) for the SSO but I'm not getting any information about if the user is authorized from the header. For aolserver I found spnego which could help maybe, but I did not find something like that for naviserver.

Has somebody experience with that or know what modules/tools should be used?

Posted by Brian Fenton on
Hi and welcome
Posted by Brian Fenton on
Oops, hit return too soon.

Hi and welcome.

I believe this should work with the TWAPI SSPI package

You may need ASN too

best wishes

Posted by Sabine St. on

I forgot to mention, that we use Ubuntu 14.04 on our Server where the NaviServer is installed.

The AD is on another Server installed.

TWAPI SSPI requires Windows.

Posted by Gustaf Neumann on
Here is a short summary of the solution: We have ported the knspnego module of aolserver [1] to NaviServer. SPNEGO [2] is an implementation of Simple and Protected GSSAPI Negotiation Mechanism. SPNEGO is used in Microsoft's "HTTP Negotiate" authentication extension. SPNEGO was first implemented in Internet Explorer 5.01 and IIS 5.0 and provided single sign-on capability later marketed as Integrated Windows Authentication.

The implementation of NaviServer (and aolserver) module is based on the Apache module mod_spnego [3] and supports Kerberos. I have just helped porting and compiling the module. Sabine says that it works nice for Single-sign-on for their customers. The NaviServer modules is available from [4]