Wednesday, May 19, 2021

SSO with Apache and Kerberos authentication

I'm sharing another use case, "Kerberos + HEADER-based application SSO" implementation experience with Apache and Keberos module. There are times you end up working with a custom authentication & Single Sign-On solution to an application despite modern authentication mechanisms.

One such situation is providing seamless access to an application when accessing from an Active Directory domain-joined machine. It technically means leveraging the Kerberos token from the device and authenticates the user into the HEADER-based application.

Utilizing Apache web server, Kerberos module, and apache rules, we can provide a Single Sign-On experience to the users accessing the application from an AD domain-joined machine.

I am assuming that the Apache web server is installed, enabled mod_auth_kerb module, and configure the application to allow the REMOTE_USER header to login.

The first thing is to generate a keytab file for your Apache server using the ktpass command.

Example command:

ktpass -princ HTTP/<<HOSTNAME>>@<<DOMAIN>> -mapuser apache -crypto All -DesOnly -pass <<password>> -ptype KRB5_NT_PRINCIPAL -out apache.keytab

I had configured Apache 2.4.6 in RHEL 7.9 with the Kerberos module with the below VirtualHost to use auth_kerb_module and rules to read and set Request HEADER application in the "httpd" conf file.

<VirtualHost *.80 *.443>

ServerName <<ServerName>>

<Location />

AuthType Kerberos

KrbMethodNegotiate On

KrbMethodK5Passwd On

KrbServiceName HTTP/<<HOSTNAME>>@<<DOMAIN>>

KrbAuthRealms <<DOMAIN>>

Krb5KeyTab /etc/apache.keytab

KrbLocalUserMapping On

require valid-user


RewriteEngine On

RewriteCond %{LA-U:REMOTE_USER} (.+)

RewriteRule . - [E=RU:%1]

Header add X-Remote-User "%{RU}e" env=RU

RequestHeader set REMOTE_USER %{RU}e

</Location>


SSLProxyEngine On

SSLProxyVerify none

SSLProxyCheckPeerCN off

SSLProxyCheckPeerName off


ProxyRequests Off

ProxyPreserveHost On

ProxyPass / https://<<Application_HOST_NAME>>:<PORT>/

ProxyPassReverse / https://<<Application_HOST_NAME>>:<PORT>/

</VirtualHost>


Bounce the apache server and try to access the application from the AD joined machine.

Thanks

Siva Pokuri.

Posted by No comments:
Labels: , , , , , ,

Friday, February 5, 2021

How To Correct Microsoft Azure AD IdP SAML Metadata for Qlik Sense printing module SAML integration

 When uploading Azure AD SAML metadata to a service provider you might get below error message -  

*********************************************************************

SAML xml metadata validation failed with the following error: This is an invalid xsi:type 'http://docs.oasis-open.org/wsfed/federation/200706:SecurityTokenServiceType'” SAML xml metadata validation failed with the following error: This is an invalid xsi:type 'http://docs.oasis-open.org/wsfed/federation/200706:SecurityTokenServiceType'.

****************************************************************************

Quick solution is that to remove <RoleDescriptor section from the metadata file and try to upload the metadata again.

Thanks

Siva Pokuri. 

Posted by 1 comment:
Labels: ,

Tuesday, January 19, 2021

Azure AD Powershell command to query group with DirSyncEnabled attribute

There are times you want to know synched or cloud only groups.

Command to search synched groups - 

Get-AzureADGroup -All $true | where-Object {$_.DirSyncEnabled -eq $TRUE}

Command to search cloud only groups - 

Get-AzureADGroup -All $true | where-Object {$_.DirSyncEnabled -eq $NULL}

Funny enough that DirSyncEnabled attribute contains "TRUE" (if it's synched group) "NULL" (if cloud only)

Thanks

Siva Pokuri.

Posted by No comments:
Labels: , ,
Subscribe to: Posts (Atom)