Adding a Kerberos Provider
Follow the steps below to add a Direct or Indirect Kerberos SSO Provider.
- In the Administration application, expand User Management and click SSO Config. Anzo displays the Single Sign On screen, which lists any existing providers. For example:
- Click the Add SSO Config button and select Kerberos Provider. Then choose Direct Kerberos Provider or Indirect Kerberos Provider, depending on the type of authentication that is used. The Create screen for that type of provider is displayed. For example:
- Configure the required properties and any optional settings as needed. The lists below describe the properties for Direct and Indirect providers.
Direct
- Title: This property sets the name for the connection that you are creating.
- Description: This property can be used to provide a brief description of the provider configuration.
- Enable on matched container ID: This property sets the list of container IDs to match. This provider will be active if the request container ID matches one of the listed container IDs. Click the field and select a container ID from the drop-down list. To specify multiple IDs, click the field again and select another value. To remove a container from the list, click the X on the right of the container name.
- Service Principal: This property lists the service and DNS name for the Kerberos application. For authentication through the web browser, specify the service principal value in the following format: `HTTP/FQDN@domain`. For example, `HTTP/server.example.com@example.com`. The keytab file must contain the key for this service principal.
- Keytab: This property specifies the `.keytab` file that lists the Kerberos principals and encrypted keys. Click the Keytab field to open the File Location dialog box and select the keytab file.
- Realm: This property can be used to specify the Kerberos realm that the service principal maps to.
- KRB Configuration: This property can be used to specify the path and file name for the `krb5.conf` file on the Kerberos instance. When not specified, the default location is `/etc/krb5.conf`.
- KDC: This field can be used to specify the domain name for the Key Distribution Center.
- Debug mode: This property controls whether Kerberos debug logging is enabled.
- Enable on match regex: This property can be used to define regular expression rules for matching request URLs to enable. To add a rule, type an expression in the field and click Add. This provider will be active if the request URL matches any of the supplied expressions. If this field is blank, the provider will be active by default.
- Disable on match regex: This property can be used to define regular expression rules for matching request URLs to disable. To add a rule, type an expression in the field and click Add. This provider will be inactive if the request URL matches any of the supplied expressions. If this field is blank, the provider will be active by default.
- User Identifier: This property specifies the SSO provider attribute, such as `email` or `username`, to use for looking up users in the directory server.
- Email Template regex: If an email attribute was specified as the User Identifier, this property can be used to specify a regular expression to use for identifying variations between email addresses stored by the SSO provider and email addresses returned by the directory server.
- Email Template Replacement: This property can be used to define a replacement email template to use if there are variations found by `Email Template regex`.
- User Template regex: If a username attribute was specified as the User Identifier, this property can be used to specify a regular expression to use for identifying variations between user names stored by the SSO provider and names returned by the directory server.
- User Template Replacement: This property can be used to define a replacement user template to use if there are variations found by `User Template regex`.
- Use username directly: This property controls whether the identity provider directly authenticates a user by validating a username and password or by validating an assertion about the user's identity as defined by a separate identity provider.
- Skip CSRF check: This property controls whether to perform or skip a cross-site request forgery (CSRF) check.
- LDAP domain: This property identifies the LDAP domain to use for user lookup.
- LDAP email property: This property defines the LDAP email property to use to find the associated user's dn. For example, `http://openanzo.org/ontologies/2008/07/Anzo#ldapEmailInfo`.
- Principal Template: This property can be used to define the template to use for populating roles and returning user URIs.
Indirect
- Title: This property sets the name for the connection that you are creating.
- Description: This property can be used to provide a brief description of the provider configuration.
- Enable on matched container ID: This property sets the list of container IDs to match. This provider will be active if the request container ID matches one of the listed container IDs. Click the field and select a container ID from the drop-down list. To specify multiple IDs, click the field again and select another value. To remove a container from the list, click the X on the right of the container name.
- Service Principal: This property lists the service and DNS name for the Kerberos application. For authentication through the web browser, specify the service principal value in the following format: `HTTP/FQDN@domain`. For example, `HTTP/server.example.com@example.com`. The keytab file must contain the key for this service principal.
- Keytab: This property specifies the `.keytab` file that lists the Kerberos principals and encrypted keys. Click the Keytab field to open the File Location dialog box and select the keytab file.
- Realm: This property can be used to specify the Kerberos realm that the service principal maps to.
- KRB Configuration: This property can be used to specify the path and file name for the `krb5.conf` file on the Kerberos instance. When not specified, the default location is `/etc/krb5.conf`.
- KDC: This field can be used to specify the domain name for the Key Distribution Center.
- Debug mode: This property controls whether Kerberos debug logging is enabled.
- Enable on login page: This property controls whether to display a link for this provider on the Anzo login screen.
- Callback URL: This property specifies the URL that the provider should use to redirect users back to the Anzo application after a successful login. Include the full URL to the Anzo instance, through the proxy if one exists. Specify the URL in quotes and append the value with `/anzo_authenticate`, i.e., `"hostname:port/anzo_authenticate"`.
- Callback URL port replacement: This property can be used to define the port to use if the one specified in the `Callback URL` field is unavailable.
- User Identifier: This property specifies the SSO provider attribute, such as `email` or `username`, to use for looking up users in the directory server.
- IDP Logout Capable: This property can be used to indicate whether the SSO provider supports logging the user out of the IDP when they log out of Anzo.
- Default to IDP Logout: This property controls whether to log a user out of the IDP by default when they log out of Anzo.
- Logout URL Suffix: When `Default to IDP Logout` is enabled, this property can be used to specify the logout URL for the SSO provider. The `[urlAfterLogout]` placeholder is replaced with the SSO provider server URL.
- Email Template regex: If an email attribute was specified as the User Identifier, this property can be used to specify a regular expression to use for identifying variations between email addresses stored by the SSO provider and email addresses returned by the directory server.
- Email Template Replacement: This property can be used to define a replacement email template to use if there are variations found by `Email Template regex`.
- User Template regex: If a username attribute was specified as the User Identifier, this property can be used to specify a regular expression to use for identifying variations between user names stored by the SSO provider and names returned by the directory server.
- User Template Replacement: This property can be used to define a replacement user template to use if there are variations found by `User Template regex`.
- Use username directly: This property controls whether the identity provider directly authenticates a user by validating a username and password or by validating an assertion about the user's identity as defined by a separate identity provider.
- Skip CSRF check: This property controls whether to perform or skip a cross-site request forgery (CSRF) check.
- LDAP domain: This property identifies the LDAP domain to use for user lookup.
- LDAP email property: This property defines the LDAP email property to use to find the associated user's dn. For example, `http://openanzo.org/ontologies/2008/07/Anzo#ldapEmailInfo`.
- Principal Template: This property can be used to define the template to use for populating roles and returning user URIs.
- Icon: This property can be used to include an SSO icon on the Anzo login screen. To select an image, click the Icon field and select Add File.
- With State: This property controls whether information about the application's state is included in authentication requests.
- When you have finished configuring properties, click Save to save the provider setup.
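The following Python, added here as an illustration and not Anzo's own code, models three of the property behaviours described above for both Direct and Indirect providers: checking that a Service Principal follows the `HTTP/FQDN@domain` format, evaluating the `Enable on match regex`, `Disable on match regex` and container-ID rules against a request, and applying an Email/User Template regex and Replacement pair. The precedence between the activation rules and the exact template semantics are not stated on the page and are assumptions marked in the code.

```python
import re

# Added example (not Anzo's code): mirrors the activation rules and identifier
# templates described for the Kerberos provider properties on this page.
SPN_RE = re.compile(r"^HTTP/(?P<fqdn>[A-Za-z0-9.-]+)@(?P<realm>[^@\s/]+)$")

def parse_service_principal(spn):
    """Split an 'HTTP/FQDN@domain' service principal into (fqdn, realm).
    Realm names are case-sensitive, so the value must match the keytab entry
    exactly; realms are conventionally written in upper case."""
    m = SPN_RE.match(spn)
    if not m:
        raise ValueError(f"expected HTTP/FQDN@domain, got {spn!r}")
    return m.group("fqdn"), m.group("realm")

def is_valid_service_principal(spn):
    try:
        parse_service_principal(spn)
        return True
    except ValueError:
        return False

def provider_active(url, container_id, enable_rules=(), disable_rules=(), container_ids=()):
    """Decide whether this provider handles a request.
    Assumed precedence (the page does not state it): a 'Disable on match regex'
    hit always wins, then 'Enable on match regex', then the container-ID list.
    Empty rule lists leave the provider active, as the page describes."""
    if any(re.search(r, url) for r in disable_rules):
        return False
    if enable_rules and not any(re.search(r, url) for r in enable_rules):
        return False
    if container_ids and container_id not in container_ids:
        return False
    return True

def normalize_identifier(value, template_regex, template_replacement):
    """Apply an Email/User Template regex and Replacement pair.
    Assumed semantics: re.sub() over the identifier the SSO provider supplied,
    yielding the form the directory server stores."""
    if not template_regex:
        return value
    return re.sub(template_regex, template_replacement, value)

if __name__ == "__main__":
    # Constructed sample values for the demo run.
    print(parse_service_principal("HTTP/server.example.com@example.com"))
    print(provider_active("https://anzo.example.com/sso/login", "c1",
                          enable_rules=[r"^https://anzo\.example\.com/sso/"],
                          disable_rules=[r"/api/"], container_ids=["c1"]))
    print(normalize_identifier("jdoe@corp.example.com", r"@corp\.example\.com$", "@example.com"))
```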