# How to Configure SSO for Active Directory

# SSO Information

There are two different kinds of single sign-on:

  1. Real-SSO
    The user has to be authenticated on a Windows Active Directory. The browser will process the login with Kerberos or NTLM. This service is a real-SSO service.

  2. Web-SSO
    The user has to log in to the web service at least once. After that the web service allows further logins without user interaction.

# SSO Requirements

For AD and SSO, LDAP must be set up first. After that, a Tomcat and an Apache HTTPD for SSO must be installed and configured on a Windows server.

You also need:

  • access to Windows Server in the domain
  • a valid certificate for the Fully Qualified Domain Name (FQDN) of the SSO server:
    • The FQDN must be present both in the CN (common name) and in the SAN (subject alternative name) of the certificate, otherwise some browsers will reject it.
    • The certificate must be valid for no longer than 1 year so that it is accepted by all browsers.
    • Please note: The FQDN of the service should use HTTPS.
  • permission to download / install:
    • Java JDK 17
    • Apache HTTP Server ("HTTPD")
    • Apache Tomcat 9 (version 10 is currently not supported). Note that Tomcat needs to run under the Local System account.
    • authentication service file sso.war from admin snap-in Authentication/LDAP provider SSO extension.
  • a user and password in the domain used to read from Active Directory via the LDAP protocol. Set them in the fields manager_user and manager_password of the admin snap-in Authentication/LDAP provider.

Please note: Our web application sso.war cannot run on a Linux system!

# Installation and Configuration

# Java JDK 17

  1. Download Java 17 from https://download.oracle.com/java/17/archive/jdk-17.0.1_windows-x64_bin.exe (tested with this version).

# Apache Tomcat and Web Service File

  1. Download and install the latest available version of Tomcat 9 (file ...windows-x64.zip) from https://dlcdn.apache.org/tomcat (tested with this version).
  2. Extract the archive to a folder, e.g. C:\tomcat_sso.
  3. Empty the folders logs, temp and work, and remove everything from the webapps folder except the folder ROOT.

Configure the file server.xml in Tomcat's conf folder as follows:

  1. The ports have to be unique (if more than one Tomcat instance is installed on the server).

  2. Add the following parameters to <Connector ...> so that large responses (users with many groups) are not rejected:

    maxHttpHeaderSize="65536"
    maxHeaderCount="-1"
    
  3. Rename the service file tomcat9w.exe (bin folder) according to the name of your service.
    Example: If the name of your service is tomcat_sso, the filename must be tomcat_ssow.exe.

  4. Install the service. Open shell as an administrator and enter the following:

    cd C:\tomcat_sso\bin
    set JRE_HOME=
    set JAVA_HOME=C:\Program Files\Java\jdk-17.0.1
    service.bat install tomcat_sso
    
  5. Download web service file sso.war from admin snap-in Authentication/LDAP provider SSO extension.

    • Rename the file and give it a custom name if you want, e.g. COMPANY_ABC_sso.war or sso-service.war.
    • Store the file in Tomcat's folder webapps. In the example sso-service.war is used.
  6. Execute tomcat_ssow.exe and configure the following:

    • General tab
      • startup type: automatic
    • Log on tab
      • Local system account (required for Kerberos SSO)
    • Java tab
      • Use default: off
      • Java Virtual Machine: C:\Program Files\Java\jdk-17.0.1\bin\server\jvm.dll
      • Initial memory pool: 256 MB
      • Maximum memory pool: 512 MB
  7. Start the tomcat service and check the log files for errors.

  8. Test the following URL from a web browser: http://localhost:8080/sso-service/sso/Login (the path segment sso-service follows from the file name sso-service.war). When the browser's authentication popup opens, log in with a user from the domain. The result should be a 32 character string. If it is not, check the Tomcat logs for errors.

# User, Password, FQDN

Configure the Authentication Provider LDAP in admin snap-in Authentication/LDAP provider like described here.
Make sure to set the following parameters to enable SSO:

  • Field Manager username (manager_user): User in the domain to read the content from LDAP service.
  • Field Manager password (manager_password): Password for manager_user.
  • Field Single-sign-on URL (single_sign_on_url): Add the fully qualified URL (scheme and FQDN) of this web service.
    Example: https://FQDN/sso-service

Please note: Make sure the password of manager_user is not subject to regular expiry.

# Apache HTTPD

The service needs HTTPS and CORS. Both are provided by an Apache web server placed in front of Tomcat.

Enable CORS in admin snap-in General system configurations/Security and enter the full URL to the SSO service (with schema, FQDN, and port if needed), e.g. https://ssoserver.example.com:443.

Take a look at the following example configuration from ssoserver.example.com (configuration file from folder {httpd}/conf.d):

# File ssoserver.example.com.ssl.conf

<VirtualHost ssoserver.example.com:443>
  ServerName ssoserver.example.com

  SSLEngine on
  ErrorLog logs/ssoserver.example.com.ssl.error_log
  CustomLog logs/ssoserver.example.com.ssl.log common

  SSLCertificateFile "${SRVROOT}/conf/ssl/ssoserver.example.com.crt"
  SSLCertificateKeyFile "${SRVROOT}/conf/ssl/ssoserver.example.com.key"

  SSLProtocol All -SSLv2 -SSLv3
  SSLHonorCipherOrder On
  SSLCompression off
  SSLCipherSuite ALL:!ADH:!EXPORT:!SSLv2:RC4+RSA:+HIGH:+MEDIUM:+LOW

  BalancerPersist Off
  ProxyRequests Off
  ProxyErrorOverride On
  ProxyTimeout 3600

  <Location "/sso-service/sso/Login">
    Header unset Access-Control-Allow-Origin
    Header always unset Access-Control-Allow-Origin
    Header always set Access-Control-Allow-Origin "https://4allportal.example.com"
    Header unset Access-Control-Allow-Credentials
    Header always unset Access-Control-Allow-Credentials
    Header always set Access-Control-Allow-Credentials true
    Header edit Set-Cookie ^(.*)$ $1;HttpOnly;Secure;SameSite=None
    <LimitExcept OPTIONS>
      Header always set Access-Control-Allow-Credentials "true"
    </LimitExcept>
    Header always add Access-Control-Allow-Headers "Content-Type, Accept"
    Header always set Access-Control-Allow-Methods "GET, POST, PUT, DELETE, OPTIONS"
  </Location>

  <Proxy *>
    Order allow,deny
    Allow from all
  </Proxy>

  RewriteEngine On
  
  <Proxy balancer://sso>
    BalancerMember http://localhost:8080
  </Proxy>

  ProxyPass /sso-service/ balancer://sso/sso-service/
  ProxyPassReverse / balancer://sso/
  
</VirtualHost>

Please note: Configuring the Location block in file ssoserver.example.com.ssl.conf is very important.
The CORS headers set there for the web application sso-service allow JavaScript served by the 4ALLPORTAL at 4allportal.example.com to call the service.
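As an added example (not the original configuration above), here is the same VirtualHost with the TLS and access-control directives tightened: the original cipher string still admits RC4, LOW and MEDIUM ciphers and the protocol line still offers TLS 1.0 and 1.1, none of which current browsers accept, and the Order/Allow pair is Apache 2.2 syntax. The CORS block keeps the unset-then-set pattern from above, because a browser rejects a response carrying two Access-Control-Allow-Origin values; host names and the portal origin are the page's own example names.

```apache
<VirtualHost ssoserver.example.com:443>
  ServerName ssoserver.example.com
  SSLEngine on

  SSLCertificateFile "${SRVROOT}/conf/ssl/ssoserver.example.com.crt"
  SSLCertificateKeyFile "${SRVROOT}/conf/ssl/ssoserver.example.com.key"

  # Original: SSLProtocol All -SSLv2 -SSLv3  (still offers TLS 1.0/1.1)
  # Original: SSLCipherSuite ALL:!ADH:!EXPORT:!SSLv2:RC4+RSA:+HIGH:+MEDIUM:+LOW  (RC4, LOW, MEDIUM)
  SSLProtocol all -SSLv3 -TLSv1 -TLSv1.1
  SSLCipherSuite ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305
  SSLHonorCipherOrder off
  SSLCompression off
  SSLSessionTickets off
  # Pin browsers to HTTPS for this host; the Kerberos/NTLM exchange must never fall back to plain HTTP.
  Header always set Strict-Transport-Security "max-age=63072000"

  ProxyRequests Off
  ProxyErrorOverride On
  ProxyTimeout 3600

  # Apache 2.4 access control; "Order allow,deny" + "Allow from all" is 2.2 syntax needing mod_access_compat.
  <Proxy *>
    Require all granted
  </Proxy>

  <Proxy balancer://sso>
    BalancerMember http://localhost:8080
  </Proxy>
  ProxyPass /sso-service/ balancer://sso/sso-service/
  ProxyPassReverse / balancer://sso/

  <Location "/sso-service/sso/Login">
    # Drop any CORS header the backend emits (from both header tables) before setting ours:
    # a browser rejects a response with two Access-Control-Allow-Origin values.
    Header unset Access-Control-Allow-Origin
    Header always unset Access-Control-Allow-Origin
    Header unset Access-Control-Allow-Credentials
    Header always unset Access-Control-Allow-Credentials
    # Credentialed CORS requires one explicit origin; "*" is refused by browsers here.
    Header always set Access-Control-Allow-Origin "https://4allportal.example.com"
    Header always set Access-Control-Allow-Credentials "true"
    Header always set Access-Control-Allow-Headers "Content-Type, Accept"
    Header always set Access-Control-Allow-Methods "GET, POST, PUT, DELETE, OPTIONS"
    # The session cookie must be Secure and SameSite=None to be sent on the cross-site call from the portal.
    Header edit Set-Cookie "^(.*)$" "$1; HttpOnly; Secure; SameSite=None"
  </Location>
</VirtualHost>
```

The TLSv1.3 suites are negotiated automatically by OpenSSL 1.1.1 or later; the SSLCipherSuite line only governs TLS 1.2.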

# Configure Browsers for SSO

Some browsers need to be configured to allow SSO. The FQDN of the SSO web service has to be allowed.

# Mozilla Firefox

  • Access Firefox configuration via about:config as URL. Click "Accept the Risk and Continue".
  • Search for network.negotiate-auth.trusted-uris
  • Enter all URLs for which SSO is allowed, separated by commas. In our example: https://ssoserver.example.com

# Mac OS X Chrome

  • In the commands below, replace FQDN with the URL of the SSO service. In our example: https://ssoserver.example.com.
  • Open terminal and execute the following commands:
    defaults write com.google.Chrome AuthServerWhitelist "FQDN"
    defaults write com.google.Chrome AuthNegotiateDelegateWhitelist "FQDN"