Kerberos: authenticate only once, use cookies afterwards

Open Thomas-Gelf opened this issue 9 years ago • 1 comments

Strategy:

  • provide a dedicated route checking REMOTE_USER, dealing with AuthMemCookie or similar
  • provide a related Apache config sample, allowing Kerberos-authenticated access to the above route
  • configure a related error-route in case Kerberos auth fails (and try to avoid loops ;) )

This helps to get rid of superfluous 401 replies on every single request.

(not urgent, please ask me for details when starting work on this)

Thanks, Thomas

NB: @qxsch

Thomas-Gelf avatar Mar 01 '17 14:03 Thomas-Gelf

This sounds like it could be extended into nice support for multiple auth strategies.

Icingaweb2 could show a nice login dialog with each button linking to e.g. /auth/ldap or /auth/oidc:

Apache could handle these endpoints, do the actual auth, and provide X-Remote-User to Icingaweb2. It would handle all /auth/* URLs in the same way, setting up a session cookie, and redirect to the dashboard after login.

I'd love that, as we could add SSO for all users, but keep a fallback login for super administrators when everything else is down.

jgraichen avatar Apr 18 '24 12:04 jgraichen
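
A sketch of the Apache side of the strategy discussed in this issue, added here as an example; it is not configuration from the Icinga Web 2 project. It assumes mod_auth_gssapi and mod_headers are loaded, and the route `/icingaweb2/auth/kerberos`, the keytab path and the error page location are hypothetical names.

```apache
# Added example. Route, keytab path, realm label and error page path are
# assumptions, not Icinga Web 2 defaults.

# Drop any identity header supplied by the client, so that X-Remote-User
# can only ever be set by the server after a successful authentication.
RequestHeader unset X-Remote-User early

# Kerberos is negotiated on this single route only. The application reads
# REMOTE_USER here, creates its own session cookie and redirects to the
# dashboard. All other URLs carry no auth directives, so they are served
# on the cookie alone and no longer answer every request with a 401.
<Location "/icingaweb2/auth/kerberos">
    AuthType GSSAPI
    AuthName "Icinga Web 2 SSO"
    GssapiCredStore keytab:/etc/apache2/icingaweb2.keytab
    Require valid-user

    # Body sent with the 401 when the browser cannot complete Negotiate.
    # It must be a local path outside this <Location>; a page inside it
    # would itself require Kerberos and loop.
    ErrorDocument 401 /icingaweb2-sso-failed.html
</Location>

# Static, unauthenticated page that links to the regular form login.
Alias "/icingaweb2-sso-failed.html" "/usr/share/icingaweb2-sso/failed.html"
<Directory "/usr/share/icingaweb2-sso">
    Require all granted
</Directory>
```

The static error page is what keeps a fallback login reachable when Kerberos fails, since it and the form login sit outside the protected route.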