Forum OpenACS Q&A: SingleSignOn Implementation

Posted by Sabine St. on
Hello!

I'm trying to implement single sign-on for our OpenACS web application, where users who are logged in on Windows and have an ActiveDirectory user should be logged in automatically at the web application.

We are using NaviServer 4.99.

I have already installed OpenLDAP, and with ns_authpam I can let the user log in with his AD login credentials and get further information about the user from LDAP.

I tried to use Kerberos (and got a keytab file from the AD provider for our domain) for the SSO, but I'm not getting any information from the header about whether the user is authorized. For AOLserver I found spnego, which could maybe help, but I did not find something like that for NaviServer.

Does somebody have experience with that or know what modules/tools should be used?

Posted by Brian Fenton on
Hi and welcome
Posted by Brian Fenton on
Oops, hit return too soon.

Hi and welcome.

I believe this should work with the TWAPI SSPI package http://twapi.sourceforge.net/v4.0/sspi.html

You may need ASN too http://docs.activestate.com/activetcl/8.6/tcllib/asn/asn.html

best wishes
Brian

Posted by Sabine St. on
Thanks!

I forgot to mention that we use Ubuntu 14.04 on our server, where the NaviServer is installed.

The AD is installed on another server.

TWAPI SSPI requires Windows.

Posted by Gustaf Neumann on
Here is a short summary of the solution: We have ported the knspnego module of aolserver [1] to NaviServer. SPNEGO [2] is an implementation of Simple and Protected GSSAPI Negotiation Mechanism. SPNEGO is used in Microsoft's "HTTP Negotiate" authentication extension. SPNEGO was first implemented in Internet Explorer 5.01 and IIS 5.0 and provided single sign-on capability later marketed as Integrated Windows Authentication.

The implementation of the NaviServer (and AOLserver) module is based on the Apache module mod_spnego [3] and supports Kerberos. I have just helped with porting and compiling the module. Sabine says that it works nicely for single sign-on for their customers. The NaviServer module is available from [4].

-gn

[1] http://aolserver.cvs.sourceforge.net/viewvc/aolserver/knspnego/
[2] https://en.wikipedia.org/wiki/SPNEGO
[3] https://sourceforge.net/projects/modspnego/
[4] https://bitbucket.org/naviserver/knspnego
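
Added example, not part of the thread and not code from the knspnego module: with HTTP Negotiate the server answers `401` with `WWW-Authenticate: Negotiate`, and the browser retries with `Authorization: Negotiate <base64 token>`. When no identity arrives from the header, a first check is what the browser actually sent; this Python sketch classifies a captured header value heuristically (the function name and the return labels are assumptions of this example).

```python
import base64

# DER-encoded mechanism OIDs (tag 0x06, length, value)
SPNEGO_OID = bytes.fromhex("06062b0601050502")       # 1.3.6.1.5.5.2
KRB5_OID = bytes.fromhex("06092a864886f712010202")   # 1.2.840.113554.1.2.2
NTLM_SIG = b"NTLMSSP\x00"                            # start of every NTLM message


def _after_der_length(buf, pos):
    """Return the offset just past the DER length field that starts at pos."""
    first = buf[pos]
    return pos + 1 + ((first & 0x7F) if first & 0x80 else 0)


def classify_negotiate(header_value):
    """Heuristically classify an HTTP Authorization header value."""
    if not header_value:
        return "absent"            # browser never answered the 401 challenge
    scheme, _, b64 = header_value.strip().partition(" ")
    if scheme.lower() != "negotiate":
        return "other-scheme"      # e.g. Basic
    try:
        token = base64.b64decode(b64.strip(), validate=True)
    except ValueError:
        token = b""
    if not token:
        return "malformed"
    if token.startswith(NTLM_SIG):
        return "ntlm"              # raw NTLM fallback, no Kerberos ticket sent
    if len(token) > 2 and token[0] == 0x60:   # GSS-API InitialContextToken
        oid_at = _after_der_length(token, 1)
        if token.startswith(KRB5_OID, oid_at):
            return "kerberos"      # Kerberos token without SPNEGO wrapping
        if token.startswith(SPNEGO_OID, oid_at):
            if KRB5_OID in token:
                return "spnego-kerberos"
            return "spnego-ntlm" if NTLM_SIG in token else "spnego-other"
    return "unknown"


if __name__ == "__main__":
    # Constructed sample: first bytes of an NTLM type 1 message, not a capture.
    sample = "Negotiate " + base64.b64encode(NTLM_SIG + b"\x01\x00\x00\x00").decode()
    print(classify_negotiate(sample))
```

A result of `ntlm` or `spnego-ntlm` means the browser did not obtain a Kerberos service ticket for the site, so a Kerberos-based module has nothing to validate against the keytab.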