SSO
Single Sign-On (SSO) automates the authentication process entirely, requiring no action from the user’s end. For instance, technologies like Kerberos seamlessly authenticate the user by retrieving session information from Windows, eliminating the need for the user to enter their login credentials. SSO enhances user experience by providing seamless and secure access to various services and applications without repetitive logins.
Kerberos Authentication
To enable Kerberos authentication and single sign on feature, you need to have an existing Kerberos infrastructure with a
Key Distribution Center and a Ticket Granting Service. You need to be able to create a service, construct a kerberos server configuration and export a keytab to perform the following configuration. This service must be on the kerberos realm used by your users and must match the dns name of the server hosting the XUC server (or the nginx reverse proxy server if you use one). For example, assuming you have a realm named MYDOMAIN
, you can create a service named HTTP/xuc.mydomain
and a dns entry for xuc.mydomain
pointing the server hosting the XUC.
Warning
The created domain name must be trusted by the user’s browser.
Prerequisites
Create a service for the XUC host, for example:
addprinc HTTP/xuc.mydomain
Export the keytab file, for example:
ktadd -k xuc.keytab HTTP/xuc.mydomain
Warning
The bash commands detailed here are for demonstration only and needs to be adapted to your specific environment. It shows how to create a service for the XUC Server named HTTP/xuc, associated to the example realm mydomain
.
Only the following encryption types are supported by XiVOCC:
aes256-cts-hmac-sha1-96
arcfour-hmac
des3-cbc-sha1
des-cbc-crc
XiVOCC Configuration
Copy the previously generated
xuc.keytab
keytab file to the server hosting the XUC docker container, for example:/etc/docker/kerberos/xuc.keytab
.Create or edit the file
/etc/krb5.conf
on the server hosting the XUC docker container and change settings according to your kerberos environment. For example, the file may contain (name and ip addresses must match your kerberos environment):[libdefaults] default_realm = MYDOMAIN [realms] MYDOMAIN = { kdc = 172.17.0.14 admin_server = 172.17.0.14 }
Edit the docker compose file
/etc/docker/compose/docker-xivocc.yml
to add the following configuration in the xuc section (file name, service name, password may differ on your setup):xuc: # ... environment: - JAVA_OPTS=-Dsecured.krb5.principal=HTTP/xuc.mydomain -Dsecured.krb5.password=xuc -Dsecured.krb5.keyTab=/etc/kerberos/xuc.keytab # ... volumes: - /etc/docker/kerberos:/etc/kerberos - /etc/krb5.conf:/etc/krb5.conf
Enable
Single Sign On
on the Agent, Manager, Web and Desktop application interface. Change the value of the following environment variables in the /etc/docker/compose/custom.env:# ... USE_SSO=true XUC_HOST=xuc.mydomain # ...
Browser configuration
The created domain name must be trusted by the user’s browser.
For Chrome (windows):
Internet Option : Add domain with protocol to the list of trusted sites : http://xuc.mydomain (and/or https://xuc.mydomain ).
Warning
Kerberos authentication on Chrome is only available on Microsoft Windows.
For Firefox:
Go to
about:config
add domain (without protocol) to the
network.negotiate-auth.delegation-uris
entry (ie.xuc.mydomain
).add domain (without protocol) to the
network.negotiate-auth.trusted-uris
entry (ie.xuc.mydomain
).