SSO by Kerberos on Apache (as a sample of the HTTP header SSO method)

Kerberos is a network authentication protocol which provides a mechanism for authentication (and mutual authentication) between a client and a server, or between one server and another server.

To accomplish SSO by Kerberos running on Apache (running on Unix) in front of the Valuemation server, it is necessary to:

  1. Set up the Kerberos authentication module on the Apache server properly to protect the Valuemation URL.
  2. Set the defined HTTP header with the value of the authenticated username from the Kerberos module.

  • VMWeb runs inside of Tomcat.
  • Tomcat is hidden behind the Apache web server.
  • Apache communicates with Tomcat via the 'MOD_JK' Apache module.
  • The user is authenticated by the Kerberos module installed on Apache.
  • The Kerberos module uses a Kerberos ticket retrieved from the browser. The Kerberos ticket is acquired from the Kerberos server when the user logs in to their desktop.
  • The Kerberos module can also be configured to use the "Basic auth. mode" for cases when a Kerberos ticket doesn't exist on the desktop (e.g. the user is not logged into the Windows domain). In this mode the browser displays a built-in dialog for entering a username and the corresponding password. The Kerberos module on Apache verifies these credentials against the Kerberos server.
  • Valuemation Web is configured to obtain the username from Apache and map it to the username used internally by Valuemation.
  • The Kerberos module does not let the request go any further until the browser sends valid Kerberos authentication headers. Browsers send these headers only on server demand, so all requests that go through the Kerberos module are sent twice (first without the authentication headers, and a second time, after the challenge, with the authentication headers). For this reason, Apache should be configured to use the Kerberos module only for the URL http://.../vmweb/login. After Valuemation creates the internal user session, it redirects the browser to the URL http://.../vmweb/vmweb, which is not covered by the Kerberos module.
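
The layout described above, written as an Apache 2.4 configuration. This is an added example, not taken from the Valuemation documentation. It assumes mod_auth_kerb as the Kerberos module together with mod_headers and mod_jk; the header name X-Remote-User, the realm EXAMPLE.COM, the keytab path and the worker name vmweb_worker are placeholders.

```apache
# Assumed to be loaded already: mod_auth_kerb, mod_headers, mod_jk.
# Placeholders (not from the original page): X-Remote-User, EXAMPLE.COM,
# /etc/apache2/http.keytab, vmweb_worker.

# Forward the whole Valuemation context to Tomcat through mod_jk.
JkMount /vmweb/* vmweb_worker

# Remove any client-supplied copy of the SSO header on every request,
# so Tomcat only ever sees a value that Apache set after authentication.
RequestHeader unset X-Remote-User early

# Kerberos is enforced on the login URL only; /vmweb/vmweb is not covered,
# which avoids the challenge round trip on every later request.
<Location "/vmweb/login">
    AuthType Kerberos
    AuthName "Valuemation"

    # Ticket-based authentication (SPNEGO) from the browser.
    KrbMethodNegotiate On

    # "Basic auth. mode" fallback for desktops without a ticket.
    # The password travels in the request, so serve this URL over TLS.
    KrbMethodK5Passwd On

    KrbAuthRealms EXAMPLE.COM
    KrbServiceName HTTP
    Krb5KeyTab /etc/apache2/http.keytab
    Require valid-user

    # Pass the authenticated name to Valuemation in the defined header.
    # By default mod_auth_kerb reports it as user@REALM.
    RequestHeader set X-Remote-User "expr=%{REMOTE_USER}"
</Location>
```

Because Valuemation trusts this header, the Tomcat connector should accept connections only from Apache, so that no client can reach VMWeb without passing through the configuration above.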

Online References

In This Chapter

Kerberos Authentication Setup on Apache

Sample Kerberos Setup with Valuemation

See Also

Examples of SSO Configurations

WAFFLE on Tomcat

SSO by SAML on Apache (as a sample of the HTTP header SSO method)