Saturday, August 24, 2013

How does OpenAM work with Windows Desktop SSO ?

How does OpenAM work with Windows Desktop SSO ?

Or Kerberos Desktop SSO with OpenAM and Active Directory.
Or OpenAM and Windows Desktop SSO .
Or Using the windows desktop Single sign on with Openam.

Or OpenAM Windows Desktop SSO Authentication

On your openam IDP instance login and go to

Access control > realm (root or whichever realm you are using) >Authentication >

(Here I am showing you how to get windows desktop sso and in case it doesn’t work for some reason it will fall back to web login where  openam login screen will still allow you to login with user id password) If you just want windows desktop  sso this solution will still work just don’t use “ldapService” module in authentication chain  below.
1. You can create another module for Active Directory service as shown below and let’s call it as “DataStore”. (Here we assume you have already configured active directory)

2. Create new module instance of type windows desktop sso

Now click on your windowsDesktopSSO module instance and configure with your keytab files. (How to generate keytab files is a separate topic. Here I am assuming you have some knowledge of it already)

Now still on the same page Access control > realm (root or whichever realm you are using) >Authentication  
Go to “Authentication Chaining” section.
Create new authentication chaining called “WinDesktopSSOAuthChain”
Add windowsDesktopSSO module as primary module and for fall back add “DataStore” module which will use Active directory in case desktop sso fails. (If you don’t want  exclude Datastore module here)

Also we can create another authentication chain called “ldapservice” which will use you Active Directory (ie. Use the Data store module we created above)

So now when you are at Authentication tab you will see 
Two  module instances (DataStore, windowsDesktopSSO)
Two Authentication Chaining  items(WinDesktopSSOAuthChain and ldapservice)
All we now need to tell openam is what “authentication chain” to use for aunthentication.
Organization Authentication Configuration:==> WinDesktopSSOAuthChain
Administrator Authentication Configuration:===> ldapService

By doing this we are telling openam to use “ldapservice”  for Admin authentication and “winDesktopSSOAuth” chain for user’s verification.

Some more links that may be helpful

Once the above settings are done we still need to tweak the browser settings so that browser can send kerberos token.

Configuring the browser for SSO with OpenAM
or configuring Internet explorer for sso with OpenAm
or configuring Firefox for sso with OpenAm
or configuring Chrome for sso with OpenAm

Let’s assume the OpenAM idp url that you are using is

The OpenAM IDP returns a “401” authorization error to the browser. Each browser responds differently to this 401. What we want is for the browser to attempt authorization with the Kerberos data.
Internet Explorer

By default IE will automatically send your logged-on Windows credentials only to Intranet web sites. The OpenAM IDP can be manually added to the trusted list of Intranet sites until we can engage systems engineering to set it up as a web site that can be automatically recognized as Intranet (and therefore trusted).
1.       Check the User Authentication settings:  Click Tools – Internet Options – Security – Local Intranet. Click the “Custom Level” button, and scroll to the User Authentication section. 

1.       Add the IDP to the list of trusted intranet sites. Click Tools – Options – Local Intranet. Click the “Sites” button, and then click the “Advanced” button.

You may also do this via a manual registry update as shown below:
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\EscDomains\\idp]

   Confirm Windows Integrated Security. Click Tools – Options – Advanced. Scroll down to the security section and ensure “Enable Integrated Windows Authentication” is checked. 

d  You are done with IE settings.

Configuring Chrome for sso with OpenAm
Chrome uses the same internet settings as IE, so once IE works, Chrome works too. To confirm this, click Settings, then type network into the search box. Click the “Change Proxy Settings” button. You should see the same Internet Explorer dialog.

Configuring FireFox for sso with OpenAm
When Firefox gets the 401, it can be configured to fall back to a negotiated authentication protocol that achieves SSO. Firefox must be configured to trust the OpenAM IDP for this negotiation to be successful. Launch Firefox, and in the address bar, type about:config

Click the “I’ll be careful” button. In the Search box, type network.negotiate to filter the configurations to only the network negotiation options. Change two values. Both values will be the same. Use the appropriate IDP for the environment you want to test in.
(1)    network.negotiate-auth.delegation-uris
(2)    network.negotiate-auth.trusted-uris

Note: If you have more than one URL that you need to add you can add a COMA SEPARATED LIST in firefox. (For this example I will consider another idp say

In order to make Firefox send the Kerberos ticket you can also use about:config to set 

With this configuration your windows desktop SSO setup should work.
If you liked this article or have suggestion or correction please post your valuable comments.

No comments:

Post a Comment