
Spring Application with SSO using Windows Credentials(via Kerberos)

I have a Spring application with a login screen that authenticates the credentials the user has entered against users in our Active Directory (using LDAP). However, I'd like to add the capability of SSO, specifically with the Windows credentials that the user has entered upon logging into Windows.

I'm aware that since AD uses Kerberos it wouldn't be such a "hard" task to do, and I've found one possible solution as to how to implement it, specifically this guide, with what I want to achieve being on this part of the page.

But honestly I don't seem to be able to understand how to implement it...

I have the following questions:

1) Which parts/classes should I implement for what I actually need, meaning which of the following classes are needed in reality? (AuthProviderConfig, SpnegoConfig, KerberosRestTemplate, KerberosLdapContextSource)

2) If all my users are on a Windows environment, do I really need cached tickets (kinit) or a keytab? In that case application.yml is also not needed, right?

3) What does the AD admin need to do on his side to configure/enable this SSO with Kerberos? (For the login screen adapter that works, I have the domain, url, rootDn, service user, user searchbase and service user password in my application properties.)

Based on this thread, specifically on what the highest scored answer shows, I'm missing only steps 1 and 2 (I suppose?).

If anyone has maybe a better "guide" or tips that I can follow in order to implement this, I'm all ears.

In any case, thank you for your time; I appreciate any feedback you could give me.

I realised a similar task using this tutorial:

https://www.baeldung.com/spring-security-kerberos

  1. You need to modify only WebSecurityConfig extends WebSecurityConfigurerAdapter: add there the Spnego filter from point 6.2 of this tutorial and beans with KerberosAuthenticationProvider. Spring has built-in Kerberos machinery that generates and decrypts SPNEGO tokens itself. In this case, in the filter you should authenticate all paths, but in my case I used Kerberos authentication the first time, and later I used the JWT token that I had implemented before I implemented SSO.
  2. You need a keytab file and a ServicePrincipalName. You can generate it by kinit with a user who has access to users in AD.
  3. I found something like this: https://docs.microsoft.com/en-us/azure/active-directory/app-proxy/application-proxy-configure-single-sign-on-with-kcd
