On Sun, 10 Mar 2019, Alex Corcoles via FreeIPA-users wrote:
Massive thread necromancy but...

On Sun, 2018-11-25 at 12:21 +0100, Alex Corcoles wrote:
2) SSO

What is the special sauce for users using a browser on an IPA-joined
system to log in to apps without even seeing a login form? SPNEGO?

I'm using mod_auth_gssapi for some apps, having httpd do the
authentication and forward it through REMOTE_USER, but it doesn't do
the magic. There are some hints on mod_auth_gssapi's docs, but
nothing
really clear.

Playing around with my Ipsilon install I found the problem of my setup.
I was doing:

ipa service-add nagios/my.host

but I needed to use:

ipa service-add HTTP/my.host

apparently if you don't name it HTTP, the keytab works but doesn't do
SSO.

Yes, the naming of Kerberos principals is more or less historical. All
browsers only request service tickets for the HTTP/<hostname> principal. If
you expect browsers to utilize GSSAPI, your target Kerberos service
principal must be HTTP/... according to
https://tools.ietf.org/html/rfc4559 section 4.1.

If you are using a custom protocol, it is up to the client and server to
establish a common agreement on how the principal name should be
constructed.


--
/ Alexander Bokovoy
Sr. Principal Software Engineer
Security / Identity Management Engineering
Red Hat Limited, Finland
_______________________________________________
FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org
To unsubscribe send an email to freeipa-users-le...@lists.fedorahosted.org
Fedora Code of Conduct: https://getfedora.org/code-of-conduct.html
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: 
https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedorahosted.org
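The pre-flight check a practitioner would want after reading the exchange above, as an added example that is neither part of this thread nor FreeIPA project code: given the URL a browser will open and the output of `klist -k` on the web server's keytab, compute the principal the browser will ask the KDC for (RFC 4559 section 4.1: HTTP/<hostname from the URL>, no port, no scheme) and report whether the keytab can accept that ticket. The hostnames, realm, keytab paths and the two `klist -k` listings are constructed sample data; the realm lookup is a simplified model of libkrb5's `[domain_realm]` matching (exact host first, then the longest matching parent domain with a leading dot) and is an assumption of this example, not a reimplementation of the library.

```python
"""Browser SPNEGO pre-flight: will a FreeIPA-issued keytab accept the ticket
the browser will request?

Added example, not code from the FreeIPA project or the mailing-list thread.
"""
import re
from urllib.parse import urlsplit

# Constructed sample: `klist -k` on the keytab from `ipa service-add nagios/my.host`.
KLIST_NAGIOS = """\
Keytab name: FILE:/etc/httpd/conf/nagios.keytab
KVNO Principal
---- --------------------------------------------------------------------------
   2 nagios/my.host.example.test@EXAMPLE.TEST
   2 nagios/my.host.example.test@EXAMPLE.TEST
"""

# Constructed sample: `klist -k` on the keytab from `ipa service-add HTTP/my.host`.
KLIST_HTTP = """\
Keytab name: FILE:/etc/httpd/conf/http.keytab
KVNO Principal
---- --------------------------------------------------------------------------
   1 HTTP/my.host.example.test@EXAMPLE.TEST
   1 HTTP/my.host.example.test@EXAMPLE.TEST
"""

# Assumed krb5.conf [domain_realm] mapping (simplified model, see lead-in).
DOMAIN_REALM = {
    ".example.test": "EXAMPLE.TEST",
    "example.test": "EXAMPLE.TEST",
}


def realm_for_host(host, domain_realm):
    """Map a hostname to a realm: exact match first, then the longest
    parent-domain entry written with a leading dot."""
    host = host.lower().rstrip(".")
    if host in domain_realm:
        return domain_realm[host]
    labels = host.split(".")
    for i in range(1, len(labels)):
        suffix = "." + ".".join(labels[i:])
        if suffix in domain_realm:
            return domain_realm[suffix]
    raise LookupError(f"no [domain_realm] mapping covers {host}")


def browser_target_principal(url, domain_realm):
    """Principal a browser requests for this URL per RFC 4559 section 4.1:
    HTTP/<hostname>@REALM. Port and scheme play no part; IP literals are
    rejected because browsers do not negotiate Kerberos for them."""
    host = urlsplit(url).hostname  # lower-cased, port stripped
    if host is None:
        raise ValueError(f"no hostname in {url!r}")
    if ":" in host or re.fullmatch(r"[0-9.]+", host):
        raise ValueError(f"{host} is an IP literal; browsers will not use Kerberos")
    host = host.rstrip(".")
    return f"HTTP/{host}@{realm_for_host(host, domain_realm)}"


def keytab_principals(klist_output):
    """Parse principal names out of `klist -k` output (with or without -e)."""
    principals = set()
    for line in klist_output.splitlines():
        m = re.match(r"\s*\d+\s+(\S+@\S+)", line)
        if m:
            principals.add(m.group(1))
    return principals


def sso_will_work(url, klist_output, domain_realm):
    """Return (ok, requested_principal, keytab_principals). ok is False when
    the keytab holds only non-HTTP principals: the service can still verify
    tickets a client deliberately requests for, say, nagios/host, but a
    browser never asks for those, so it sees a 401 and shows a login form."""
    target = browser_target_principal(url, domain_realm)
    have = keytab_principals(klist_output)
    return target in have, target, sorted(have)


if __name__ == "__main__":
    for listing in (KLIST_NAGIOS, KLIST_HTTP):
        ok, want, have = sso_will_work("https://my.host.example.test/", listing, DOMAIN_REALM)
        print("OK " if ok else "BAD", "browser wants", want, "keytab has", have)
```

On a real host, feed the function the output of `klist -k /path/to/keytab` and the hostname users actually type into the browser; a keytab whose only entries are `nagios/...` or a CNAME-only name that the browser's URL never resolves to will fail the same way the thread describes.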