Forum OpenACS Q&A: SingleSignOn Implementation

Request notifications

Collapse
Posted by Sabine St. on
Hello!

I'm trying to implement a single sign on to our OpenACS web application, where users who are logged in on windows and have an ActiveDirectory user, should be logged in automatically at the web application.

We are using NaviServer 4.99.

I have already installed openldap and with ns_authpam I can let the user login with his AD login credentials and get further information about the user from ldap.

I tried to use kerberos (and got a keytab file from the AD provider for our domain) for the SSO but I'm not getting any information about if the user is authorized from the header. For aolserver I found spnego which could help maybe, but I did not find something like that for naviserver.

Has somebody experience with that or know what modules/tools should be used?

Collapse
Posted by Brian Fenton on
Hi and welcome
Collapse
Posted by Brian Fenton on
Oops, hit return too soon.

Hi and welcome.

I believe this should work with the TWAPI SSPI package http://twapi.sourceforge.net/v4.0/sspi.html

You may need ASN too https://core.tcl.tk/tcllib/doc/trunk/embedded/www/tcllib/files/modules/asn/asn.html

best wishes
Brian

Collapse
Posted by Sabine St. on
Thanks!

I forgot to mention, that we use Ubuntu 14.04 on our Server where the NaviServer is installed.

The AD is on another Server installed.

TWAPI SSPI requires Windows.

Collapse
Posted by Gustaf Neumann on
Here is a short summary of the solution: We have ported the knspnego module of aolserver [1] to NaviServer. SPNEGO [2] is an implementation of Simple and Protected GSSAPI Negotiation Mechanism. SPNEGO is used in Microsoft's "HTTP Negotiate" authentication extension. SPNEGO was first implemented in Internet Explorer 5.01 and IIS 5.0 and provided single sign-on capability later marketed as Integrated Windows Authentication.

The implementation of NaviServer (and aolserver) module is based on the Apache module mod_spnego [3] and supports Kerberos. I have just helped porting and compiling the module. Sabine says that it works nice for Single-sign-on for their customers. The NaviServer modules is available from [4]

-gn

[1] http://aolserver.cvs.sourceforge.net/viewvc/aolserver/knspnego/
[2] https://en.wikipedia.org/wiki/SPNEGO
[3] https://sourceforge.net/projects/modspnego/
[4] https://bitbucket.org/naviserver/knspnego

Collapse
Posted by Joshua Barton on
Can this package be used to prompt the user for a windows domain account that is different than the currently logged in user? I do not want to automatically log users in as sometimes we need to login as a different user that may not exist on the domain.
Collapse
Posted by Sabine St. on
Hello Joshua,

No this package is meant to login the user who is currenty logged in as a Single Sign On Solution.
If you want a Single Credential Solution where you can login any user from a specified AD, you can use openldap with ns_authpam. You have to build your own prompt form and check the input with ns_authpam.

best wishes,
Sabine

Collapse
Posted by Joshua Barton on
Thank you, I will have to look into that. I was really hoping I could try kerberos but it sounds like that isn't feasible.
Collapse
Posted by Gustaf Neumann on
We are using in learn@wu kerberos since more than 10 years in the large (via PAM) with a modified pam-tester module, that does the actual password checking. Our "persons" table has about 120k entries, about 30k are active. So, knspnego is not the only way to use kerberos in OpenACS,
Collapse
Posted by Frank Bergmann on
Hi,

This is how we do SSO in ]project-open[:

"Real" SSO Windows -> ]po[:

We implement "real" SSO in a Windows Server based infrastructure by a small Web site running on an M$ IIS a small .asp script that authenticates the user against the M$ domain.

sUser = Request.ServerVariables("AUTH_USER")

So we know who is the guy visiting this page. Then we generate a crypto-token and forward the user to a ]po[ page that checks the token. You can find these files in the ]po[ package intranet-core/www/single-sign-on/, available for anonymous from the ]po[ CVS server on HEAD.

So this is "real" SSO, because the user doesn't need to provide his or her password.

ActiveDirectory -> ]po[

As an alternative, ]po[ has a special package to authenticate a user against a Windows Active Directory called "auth-ldap-adldapsearch" and available from ]po[ CVS. This package is based on auth-ldap, but includes code specific for M$ Active Directory and the LDAP scheme they are using. It also includes code for parsing the AD user directory and to batch-import these users into OpenACS / ]po[.

All relevant code is available with GPL V2 or higher license.

Cheers,
Frank