Single sign-on with Kerberos authentication
-------------------------------------------
Key: DOCU-231
URL: http://jira.magnolia-cms.com/browse/DOCU-231
Project: Documentation
Issue Type: Task
Security Level: Public
Components: content
Reporter: Antti Hietala
Assignee: Antti Hietala
Describe how to do SSO with Kerberos authentication.
Jira tickets such as MGNLLDAP-11 give the following advice:
{quote}
When user credentials are sent to an LDAP/AD server, they can be encrypted in the
bind request and can't be seen across the network. You can configure the level
of security using java.naming.security.authentication in a configuration file.
These are the values supported by the default Sun service provider:
* none
* simple (plain text)
* DIGEST-MD5
* EXTERNAL //not yet supported by the LDAP login module
* GSSAPI (Kerberos V5)
{quote}
You can implement Kerberos authentication by providing your own login callback
and handlers. There are [examples of callbacks in
SVN|http://svn.magnolia-cms.com/view/community/magnolia/branches/magnolia-4.4/magnolia-core/src/main/java/info/magnolia/cms/security/auth/callback/].
{quote}For URISecurity, NTLM (AD shared token - SSO) is a supported method and
other implementations are possible (Kerberos TTS, Digest). Provide
loginCallback and loginCallbackHandler to negotiate authentication with user
(see login, logout and uriSecurity filters at
Configuration:/server/filters).{quote}
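
Added example, not part of the ticket or of Magnolia's code: a sketch of how the java.naming.security.authentication values quoted above map to a JNDI LDAP environment, refusing the settings that would send the password in clear text. The class name, method name and ldap.example.com host are hypothetical; GSSAPI additionally needs a Kerberos (JAAS) login before the context is created, which is not shown.

```java
import java.util.Hashtable;
import java.util.Set;
import javax.naming.Context;

/** Added illustration; class, method and host names are hypothetical. */
public class LdapBindEnvironment {

    // Mechanisms from the quoted list that do not put the password on the wire in clear text.
    private static final Set<String> SASL = Set.of("DIGEST-MD5", "GSSAPI");

    /** Builds the JNDI environment for an LDAP bind with the given mechanism. */
    static Hashtable<String, String> build(String url, String mechanism) {
        boolean tls = url.startsWith("ldaps://");
        if (mechanism.equals("none")) {
            throw new IllegalArgumentException("anonymous bind authenticates nobody");
        }
        if (mechanism.equals("simple") && !tls) {
            // "simple" sends DN and password in plain text; only allow it inside TLS.
            throw new IllegalArgumentException("simple bind requires ldaps://");
        }
        if (!mechanism.equals("simple") && !SASL.contains(mechanism)) {
            // Covers EXTERNAL, which the quoted list marks as not yet supported.
            throw new IllegalArgumentException("unsupported mechanism: " + mechanism);
        }
        Hashtable<String, String> env = new Hashtable<>();
        env.put(Context.INITIAL_CONTEXT_FACTORY, "com.sun.jndi.ldap.LdapCtxFactory");
        env.put(Context.PROVIDER_URL, url);
        env.put(Context.SECURITY_AUTHENTICATION, mechanism); // java.naming.security.authentication
        if (SASL.contains(mechanism) && !tls) {
            // Ask SASL for confidentiality so traffic after the bind is encrypted too.
            env.put("javax.security.sasl.qop", "auth-conf");
        }
        return env;
    }

    public static void main(String[] args) {
        // Constructed sample inputs; ldap.example.com is a placeholder host.
        String[][] cases = {
            {"ldap://ldap.example.com:389", "simple"},
            {"ldaps://ldap.example.com:636", "simple"},
            {"ldap://ldap.example.com:389", "GSSAPI"},
        };
        for (String[] c : cases) {
            try {
                System.out.println(c[1] + " @ " + c[0] + " -> " + build(c[0], c[1]));
            } catch (IllegalArgumentException e) {
                System.out.println(c[1] + " @ " + c[0] + " -> rejected: " + e.getMessage());
            }
        }
    }
}
```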