Questions tagged [single-sign-on]
Single Sign On is a technology that allows a single login to be transparently used with multiple applications and environments.
351
questions
48
votes
4
answers
87k
views
How does SSO with Active Directory work whereby users are transparently logged in to an intranet web app?
I'm told that it's possible to make a web application that does not require a login. The user logs in to Windows, which authenticates via an Active Directory (LDAP) Lookup. Then, they should be able ...
28
votes
6
answers
99k
views
Google Chrome: passthrough Windows authentication
The I.T. dept is considering allowing installation and automated deployment of Google Chrome browser to 100+ desktops. One of the requirements is for domain credentials to be passed through. The ...
21
votes
5
answers
29k
views
How practical is it to authenticate a Linux server against AD?
We utilise both Windows and Linux servers at our software development company.
One of the friction points with this setup is that we don't have a single sign-on solution. Being more of a Microsoft ...
19
votes
3
answers
35k
views
Using SAML authentication within nginx
I want to restrict access to some static content, served using nginx, using an existing SAML 2.0 IdP. (In Apache, this would be done with a module such as mod_mellon or mod_auth_saml)
What is the ...
14
votes
7
answers
11k
views
Google Apps, AD and SSO
We're a small shop running Google Apps (Enterprise) for our email needs. Love it. Internally, we're using Windows AD (2003). No complaints there either.
I'd like to get some method of SSO going ...
13
votes
4
answers
6k
views
Can I use Office365 or Azure AD as master record for Active Directory?
We have a small business and currently don't have a need for a domain within our office. We have a basic network and a single server running Windows Server 2008 R2 with some file shares and 3rd party ...
12
votes
3
answers
18k
views
Apache mod_auth_kerb and LDAP user groups
I've been considering deploying mod_auth_kerb on our internal web servers to enable SSO. The one obvious problem I can see is that it's an all-or-nothing approach, either all your domain users can ...
11
votes
4
answers
42k
views
Apache Bad Request "Size of a request header field exceeds server limit" with Kerberos SSO
I'm setting up an SSO for Active Directory users through a website that runs on an Apache (Apache2 on SLES 11.1), and when testing with Firefox it all works fine.
But when I try to open the website in ...
10
votes
7
answers
16k
views
Can a Linux server serve as a Domain Controller for Windows Machines?
In a small office setup (5-6 employees) we have seven Windows XP and Windows Vista clients, as well as a couple of linux servers.
Is it possible to set up a linux machine to act as the domain ...
8
votes
3
answers
2k
views
Can ADFS connect to other SSO services?
I have a .net application that's wired up to my local ADFS server (connected to our corporate AD server) and everything is working fine. My question is, can my ADFS establish a trusted connection to ...
8
votes
3
answers
22k
views
Purpose of the x509 certificate in metadata files on the IdP side (SSO structure)
In order to implement SSO, I have been working with some IdP and a Shibboleth SP install without being able to answer this question.
On the IdP side I have a few metadata files that describes some ...
8
votes
2
answers
3k
views
Is single sign on with LDAP still recommended today to integrate a bunch of open source tools?
We are leading an exercise with a public institution to install different open source tools for them to experiment and see what suits them most.
Thus, we are installing:
a wiki (dokuwiki)
...
8
votes
1
answer
33k
views
What is the SAML Assertion Consumer URL for an AD FS 2.0 Service Provider
I am configuring a service provider to use SSO authentication. I will be using AD FS 2.0 for this.
What is the URL for the SAML Assertion Consumer that I need to give to the IdP?
I think it may be ...
7
votes
2
answers
3k
views
SSO solution and centralized user mgmt for about 10-30 Ubuntu machines?
I'm looking for a clean way to centralize user management. The setup:
About 10-30 linux machines (Ubuntu 10.04 LTS server)
Maybe 10-30 users for now.
The requirements (hopes and expectations):
A ...
7
votes
3
answers
6k
views
Single-Signon options for Exchange 2010
We're working on a project to migrate employee email from Unix/open-source (courier IMAP, exim, squirrelmail, etc) to Exchange 2010, and trying to figure out options for single-signon for Outlook Web ...
6
votes
3
answers
11k
views
MIT Kerberos keeps asking for password when authenticating to OpenSSH
I am trying to setup a simple Kerberos environment which consists of a Kerberos server (KDC), a client machine and a server machine running an OpenSSH daemon. The client is supposed to be ...
6
votes
1
answer
9k
views
How to force kerberos to use in memory credential cache?
MIT Kerberos supports multiple types of credential cache to store tickets.
For example, if I want to use a persistent keyring per-user in kernel memory I can add the following to krb5.conf.
[...
5
votes
4
answers
20k
views
Keycloak blank page behind nginx reverse proxy
After unpacking and starting keycloak to listen on 127.0.0.1, I configured nginx to work as a reverse proxy accessible from a publicly available domain via https.
This is the nginx configuration:
http
...
5
votes
3
answers
5k
views
Single sign on with Apache and LDAP
I have a server running two web applications: Gerrit and Mantis BT. Now, these applications connect to an LDAP server to authenticate users and it works fine. But the user has to authenticate for each ...
5
votes
5
answers
344
views
Alleviating the Password Explosion Problem
Don't you just hate it when your password explodes, letting the magic smoke out of your server, and setting lp0 ablaze?
In all seriousness, the number of places a person needs a username and password ...
5
votes
3
answers
4k
views
Is there a way to setup oAuth with Openvpn or wireguard?
I'm looking to build a set of services that require a single sign on. Basically, you login to my oAuth provider, and you have access to an openvpn connection (or wireguard) and a website, without ...
5
votes
2
answers
5k
views
Azure AD SAML2 SSO wrong NameID format
I am trying to integrate a SaaS application with an autonomous (not federated with anything) Azure Active Directory for SSO purposes. The SaaS application (the Service Provider) is SAML2 compliant (SP-...
5
votes
1
answer
1k
views
Single Sign On and NFS permissions on Windows
Like many, I've been trying to move away from Microsoft Active Directory + CIFS file sharing into a custom LDAP solution + NFSv4. All the workstations here run Windows 7, and I have set up the ...
4
votes
3
answers
35k
views
Apache2, Kerberos: gss_accept_sec_context() failed: An unsupported mechanism was requested
I want to use Kerberos and Apache 2 on linux with mod_auth_kerb.
I added .htaccess to my project with following:
#SSLRequireSSL
AuthType Kerberos
AuthName "Kerberos Login"
KrbMethodNegotiate On
...
4
votes
1
answer
3k
views
Self Signed Certificate - Active Directory - Make it trustable to all users
I use Google Apps For Business + SingleSignOn, that means all my users log in through an internal interface instead of through gmail.com.
This SingleSignOn open source solution uses SAML protocol (i ...
4
votes
4
answers
767
views
Single sign-on for a mixed-OS network
I am handling a mixed network of SCO Openserver, Slackware and Windows XP computers. Right now, the primary user accounts are kept on one SCO computer with usernames and passwords synchronized to the ...
4
votes
3
answers
8k
views
Lotus Domino Active Directory Integration - Possible and Practical?
So about 3 months ago I "inherited" a Lotus Domino setup, and quite frankly, it's a mess. Historically, it's had 10 years of the primary focus being on development rather than on management and ...
4
votes
1
answer
4k
views
How To Use Amazon Cognito As An SSO OpenID Identity Provider
We currently use Google as an OpenID identity provider to our web platform. We need to move away from it. I discovered Amazon Cognito (we already use EC2/S3 and the rest).
I discovered the ...
4
votes
2
answers
4k
views
Open Directory and SAML Identity Provider
Our office has switched almost entirely from Windows to Mac OS X, and our local server is due for replacement. We use Active Directory basically just for user authentication. We're considering ...
4
votes
1
answer
3k
views
Can I put /etc/passwd, /etc/group and /etc/shadow on an NFS share?
OK, this may be a dumb question but I'm wondering if I can export /etc/passwd, /etc/group and /etc/shadow from an NFS server and mount those files over the local ones on the client machine. The goal ...
4
votes
1
answer
5k
views
Single Sign On for intranet with Apache and Linux MIT Kerberos
EDIT: SOLVED! See my answer below.
Greetings, I am looking for a way to do a single sign on to an intranet in the following manner:
A Linux user logs on via a graphical frontend (for example, GNOME)....
4
votes
2
answers
5k
views
ADFS - Combining Claims from Provider Trusts and AD
As part of implementing a SharePoint 2013 installation, I have configured SSO with ADFS on Windows Server 2012R2.
There are two separate AD forests, one as part of the Hosted SharePoint/ADFS and one ...
4
votes
1
answer
550
views
Active Directory reversible encryption for single sign-on?
Problem: Creating and maintaining hundreds of student accounts
The school where I work runs Active Directory on Server 2008. Every year, our students have to sign up for accounts with a third-party ...
4
votes
1
answer
2k
views
Credentials can not be delegated - Alfresco Share
I've hit a brick wall configuring Alfresco 4.0.d on Redhat 6.
I'm using Kerberos authentication, it seems to be working normally, and single sign on is working on the main alfresco app itself. I've ...
4
votes
2
answers
6k
views
Using ADFS 2.0 for Google apps single sign on
Microsoft Active Directory Federation Services 2.0 has been recently released, and it has passed interoperability tests for SAML 2.0.
Does this mean that it can be used to authenticate users of ...
4
votes
0
answers
2k
views
Windows Authentication to a Remote Server within an Intranet Environment
I have several servers (all on the same DC) within an Intranet environment at my company. For simplicity, I'll focus my question on the IIS and SQL Servers. I have an IIS 7.5 web server and a remote ...
4
votes
0
answers
10k
views
Server not found in Kerberos database while getting credentials for imap
When running kvno imap/[email protected] get the following error:
kvno: Server not found in Kerberos database while getting credentials for imap/[email protected]
...
4
votes
1
answer
796
views
Intranet corporate SSO for webapps against Active Directory
I am trying to plan and implement a SSO solution in a corporate environment that serves intranet web applications running on CentOS:
Corporate portal (Drupal backend)
Project management (Project.NET)
...
4
votes
0
answers
622
views
Single Sign On through Citrix
I have a webserver running Windows 2008 R2 with IIS 7. The server is a member of the domain "mydomain.com". What I am trying to achieve is a SSO connection between the AD users and the web server. The ...
3
votes
2
answers
264
views
What is the term for single source authentication that is not Single Sign-On?
I've been using the term "Single Source" for authentication schemes that use a single authentication source (e.g. a single LDAP service) but are not Single Sign-on. i.e. You have to log on more than ...
3
votes
3
answers
49k
views
ADFS Passive Request = "There are no registered protocol handlers"
I'm trying to configure ADFS to work as a Claim Provider (I suppose AD will be the identity provider in this case).
Just for simple testing, I've tried the following on a Windows Server 2016 machine:
1) ...
3
votes
2
answers
3k
views
Office 365 with Azure AD - can I allow SSO for another 3rd party SAML app externally?
I'm shooting a little blind here in that I'm not an Azure expert and don't really mess with it yet beyond O365 and DirSync.
We have a 3rd party app written in Ruby on Rails that they are saying is ...
3
votes
3
answers
22k
views
ADFS and relying party token-signing certificates
I haven't quite gotten the grasp of relying party token-signing certificate's functionality with ADFS 2.0 / 3.0. Once the automatic self-signed certificate roll-over occurs (by default), there are ...
3
votes
1
answer
14k
views
problems creating a keytab file on win server
I am trying to create a keytab file. I see a warning
WARNING: pType and account type do not match. This might cause problems.
The command I use is
ktpass -princ HTTP/bloodhound.domain.com@...
3
votes
1
answer
7k
views
Apache2 + mod_auth_kerb: Key version number for principal in key table is incorrect
I have configured apache2 and mod_auth_kerb. I set up my .htaccess in such a way
# cat .htaccess
AuthType Kerberos
AuthName "Domain login"
KrbAuthRealms DOMAIN.COM
KrbMethodK5Passwd on
Krb5KeyTab /...
3
votes
2
answers
2k
views
Office 365 SSO with different internal and external domain names
I'm trying to get SSO to work with Office 365 and Sharepoint online and I'm getting really confused. My internal domain is "internal.com" and my external name is "external.com". external.com is added ...
3
votes
1
answer
4k
views
Can we configure ADFS for IDP initiated SSO
I'm looking for ways of integrating ADFS as an IDP for a SAML2 service provider. I have already configured the SAML2 provider with the verification certificates etc. And we used "Add Relying Party ...
3
votes
2
answers
3k
views
Using Shibboleth with ADFS doesn't work
I'm trying to familiarize myself with Shibboleth 2.5.3 and Active Directory Federation Services (tried both 2.0 and 3.0). What I'd like to achieve is having an Apache server authenticate against ADFS ...
3
votes
2
answers
6k
views
Linux SSO for multiple windows domains
I have successfully implemented SSO on apache for windows users in the same AD domain that the apache server is in:
AD domain = example.com
Linux server = linux.example.com
KDC = ad.example.com
I ...
3
votes
2
answers
20k
views
SSSD Authentication
I just built a test server running OpenSuSE 12.1 and am trying to learn how to configure sssd, but am not sure where to begin to look for why my config cannot allow me to authenticate.
server:/etc/sssd ...