ILIAS SINGLE-SIGN-ON WITH APACHE AND KERBEROS



14.10.14

OVERVIEW
> Introduction
> Situation
> Goals
> Technical background
> Configurations
> Caveats
> Result
> Options

1 INTRODUCTION

INTRODUCTION
SRH Berufliche Rehabilitation GmbH
> Reintegration of disabled people
> Trainings for business administration, technology, IL
> Enable participants for jobs
> 2-year trainings and shorter trainings
> About 550 participants
> ILIAS in use since 2008, starting with 3.10, up to the current 4.4

INTRODUCTION
SRH Berufliche Rehabilitation GmbH
> Campus Heidelberg
> Several locations, from Kassel to Friedrichshafen

INTRODUCTION
Ingo Jackisch, my experiences:
> Trainer for networks and operating systems since 1993
> Communication with our external IT provider
> Coordination of internal support
> Coordination of trainers
> ILIAS administration

2 SITUATION

SITUATION
User accounts
> Accounts exist in Active Directory
> Managed by external support
> Multiple forests (realms)
> Linked to ILIAS by LDAP and RADIUS, accounts are generated automatically
> No different credentials for workstation and ILIAS login
> Partial role assignment for ILIAS by LDAP group membership

3 GOALS

GOALS
Single sign-on for internal access
> Pass the workstation login to ILIAS with no user interaction
> Standard ILIAS login for external access
> Least possible impact on the user interface
> Minimize administrative effort
> Keep all features (live demo)

GOALS
Single sign-on for internal access
(Diagram: internal browser, external browser, Kerberos with login/tickets, ILIAS/Apache with passed credentials)

4 TECHNICAL BACKGROUND

TECHNICAL BACKGROUND
ILIAS login without Apache
Standard ILIAS login:
> Login page
> ILIAS searches account and authentication data in its database
> (if needed) Query external sources (RADIUS, LDAP)
> (if needed) Query role memberships externally

TECHNICAL BACKGROUND
ILIAS login using Apache
On entry of the ILIAS site (or login):
> Try to access ILIASDIR/sso
> Authentication by the Apache server (.htaccess, site configuration)
> Any method Apache supports
> Evaluate environment variables
> Determine the user account and load its data
> (if needed) Gather LDAP data
Problems when Apache fails

TECHNICAL BACKGROUND
ILIAS login (diagram)

TECHNICAL BACKGROUND
Kerberos (simplified)
> Communication by encrypted tickets
> Kerberos knows the encryption keys of all participants (its own, user, workstation, ILIAS/SPN)
> No direct communication ILIAS <-> Kerberos, except for the initial key exchange
> Active Directory uses regular key renewals, but these are initiated by the workstation/service

TECHNICAL BACKGROUND
Kerberos (simplified); participants: ILIAS, browser, Kerberos
> After access (or login) ILIAS requires credentials from the browser
> The browser requests a service ticket for ILIAS
> Kerberos constructs the login information and a session key and encrypts them with the SPN's key
> Kerberos encrypts the ticket again with the user's key
(Diagram steps: require login data, fetch service ticket, decrypt user data, create/encrypt ticket for ILIAS, encrypt with user key)

TECHNICAL BACKGROUND
Kerberos (simplified); participants: ILIAS, browser, Kerberos
> The browser receives the information from Kerberos
> The browser decrypts the user ticket
> The embedded service ticket is passed to Apache
> Apache decrypts the service ticket and determines the user account
(Diagram: ticket encrypted with the ILIAS key, ticket encrypted with the user key, login)

5 CONFIGURATIONS

CONFIGURATIONS
ILIAS server
> /etc/krb5.conf: Kerberos basic information
> krb5.keytab: key for the SPN
> Apache site / .htaccess: authentication settings
> /etc/samba/smb.conf (if using Samba)
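An added example, not the presenter's own configuration, of the Apache site settings that protect the ILIASDIR/sso entry point with Kerberos via mod_auth_kerb; the realm EXAMPLE.COM, the host ilias.example.com, the document root /var/www/ilias and the keytab path are placeholders.

```apache
# Added example (not from the presentation): Kerberos/SPNEGO protection for
# ILIASDIR/sso using mod_auth_kerb. Placeholders: EXAMPLE.COM (realm),
# ilias.example.com (ILIAS host), /var/www/ilias, /etc/apache2/ilias.keytab.
<Directory /var/www/ilias/sso>
    AuthType Kerberos
    AuthName "ILIAS Kerberos SSO"
    # The realm must be written in UPPERCASE (see the caveats slide)
    KrbAuthRealms EXAMPLE.COM
    # Service principal registered on the AD machine account for this host
    KrbServiceName HTTP/ilias.example.com
    # Keytab exported for that SPN; export it again whenever the key version
    # number (kvno) in Active Directory changes, and keep the file readable
    # only by the Apache user
    Krb5KeyTab /etc/apache2/ilias.keytab
    # Accept ticket-based Negotiate only. Leaving the password fallback off
    # avoids the Basic-auth prompt the slides call the "Apache authentication
    # window" and keeps user passwords off the wire
    KrbMethodNegotiate On
    KrbMethodK5Passwd Off
    # Strip @EXAMPLE.COM from REMOTE_USER so ILIAS matches the plain login name
    KrbLocalUserMapping On
    Require valid-user
</Directory>
```

Apache then exposes the authenticated name in the REMOTE_USER environment variable, which is what the ILIAS Apache login evaluates; the realm here must match the one in /etc/krb5.conf.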

CONFIGURATIONS
Active Directory (Kerberos)
> Machine account for the SPN and its keys
> DNS

CONFIGURATIONS
ILIAS
> Configure the Apache login, possibly patches

CONFIGURATIONS
Browser
> Activate Kerberos negotiate (Chrome: option on the command line)

6 STANDARD ILIAS / PATCHES

STANDARD ILIAS / PATCHES
Comparison: Apache/Kerberos works for ILIAS without modifications
> Apache must be the default login
> LDAP data partially usable
> The user may see the Apache authentication window

STANDARD ILIAS / PATCHES
Comparison: with modification to the ILIAS source
> Apache must not be the default login
> LDAP data and group memberships can be used for user information and role assignment
> Standard login behaviour is not modified
> No changes to the public area
> Mantis: http://www.ilias.de/mantis/view.php?id=13356

7 CAVEATS

CAVEATS
Take care:
> Clocks of ILIAS and Kerberos must be synchronized (e.g. a cron job for ntpdate)
> DNS queries must have consistent results (possible problems with CNAME entries in the local hosts file)
> Active Directory uses key version serial numbers
> Kerberos realms must be written in UPPERCASE
> Documentation: http://www.ilias.de/docu/goto_docu_pg_56871_367.html

8 RESULT

RESULT
> ILIAS with Kerberos implemented since May 2014
> Positive feedback from users
> No changes in external access
> Internal access simplified
> Few administrative tasks after implementation

9 OPTIONS

OPTIONS
More options
> Apache as the only means of authentication
> Multiple LDAP/RADIUS/... sources
> Combination of Kerberos and LDAP
> Multiple forests with and without trusts possible
> ILIAS login still functional

THANK YOU