Windows Desktop SSO Auth Tree Node

A Windows Desktop SSO authentication node for ForgeRock's Identity Platform 6.5.2 and above. The node uses Kerberos authentication: the user's browser presents a Kerberos service ticket to AM through the Simple and Protected GSS-API Negotiation Mechanism (SPNEGO) protocol, and AM validates it against the service key in its keytab. This enables desktop single sign-on: a user who has already authenticated with a Kerberos Key Distribution Center (for example by logging on to a Windows domain) can authenticate to AM without providing login information again.

Project Readme

Windows Desktop SSO Node

This README covers the Windows Desktop SSO authentication node for ForgeRock's Identity Platform 6.5.2 and above, as summarized above: the browser presents a Kerberos service ticket to AM via SPNEGO, and a user already authenticated to a Kerberos Key Distribution Center is signed in without providing login information again. Users may need to enable Integrated Windows Authentication in Internet Explorer or Microsoft Edge, and the AM host name may need to be in the browser's Local intranet zone, before the browser will send a ticket when logged on to a Windows desktop.

Usage

To deploy this node, download the jar from the releases tab on GitHub (linked here). Copy the jar into the ../web-container/webapps/openam/WEB-INF/lib directory where AM is deployed, then restart the web container so it picks up the new node. The node then appears in the authentication trees component palette. Because the jar is loaded into the AM web application itself, obtain it only from the project's release page and make sure the copied file is owned by the account that runs the web container and not writable by anyone else.

Windows Desktop SSO Node Configuration

  • Service Principal - The Kerberos principal of the AM service, in the form HTTP/openam.forgerock.com@AD_DOMAIN.COM. The host part must match the host name users type into the browser, because the browser requests a ticket for HTTP/<that host>; the realm part is conventionally upper case.
  • Key Tab File Path - The absolute path of the keytab file containing the service principal's key, exported from Active Directory (for example with ktpass). The keytab is a long-term secret: store it readable only by the account that runs AM.
  • Kerberos Realm - The name of the Kerberos (Active Directory) realm used for authentication, for example AD_DOMAIN.COM.
  • Kerberos Server Name - The host name or IP address of the Kerberos Key Distribution Center (an Active Directory domain controller).
  • Trusted Kerberos Realms - List of realms whose user tickets are accepted. Configure this when users from other trusted domains or forests must be able to sign on; tickets issued for other realms are not accepted.
  • Return Principal with Domain Name - Return the fully qualified principal (user@REALM) rather than just the user name. Enable this when user names are not unique across the trusted realms.
  • Lookup User In Realm - Check that the authenticated principal has a matching user profile in the AM data store, and fail authentication otherwise.
  • Is Initiator - True if the service principal may also initiate Kerberos exchanges (obtain its own tickets); False if it only accepts and validates presented tickets. Default is True. For validating incoming SPNEGO tokens, acceptor-only (False) is sufficient.
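The following Java class is an added example and is not the node's source code. It shows what the configuration fields above mean at the JDK level: a keytab-based JAAS login configured as acceptor only (Is Initiator = False), the realm and KDC supplied as the krb5 system properties, acceptance of one SPNEGO token taken from the browser's Authorization: Negotiate header, a trusted-realm check, and the Return Principal with Domain Name switch. The principal, keytab path, realm, KDC host and trusted-realm list are hypothetical values chosen for illustration, and the trusted-realm and domain-name handling is this example's own interpretation of the two settings.

```java
// Added example, not the node's code. All configuration values below are hypothetical.
import java.security.PrivilegedExceptionAction;
import java.util.Base64;
import java.util.HashMap;
import java.util.List;
import java.util.Map;
import javax.security.auth.Subject;
import javax.security.auth.login.AppConfigurationEntry;
import javax.security.auth.login.Configuration;
import javax.security.auth.login.LoginContext;
import org.ietf.jgss.GSSContext;
import org.ietf.jgss.GSSCredential;
import org.ietf.jgss.GSSException;
import org.ietf.jgss.GSSManager;
import org.ietf.jgss.Oid;

public class SpnegoAcceptorExample {

    // Mirrors of the node's configuration fields (hypothetical values).
    static final String SERVICE_PRINCIPAL = "HTTP/openam.forgerock.com@AD_DOMAIN.COM";
    static final String KEYTAB_PATH = "/etc/openam/openam.keytab";   // readable by the AM account only
    static final String KERBEROS_REALM = "AD_DOMAIN.COM";
    static final String KERBEROS_SERVER = "dc1.ad-domain.example";   // KDC / domain controller
    static final List<String> TRUSTED_REALMS = List.of("AD_DOMAIN.COM", "CORP.EXAMPLE.COM");
    static final boolean RETURN_PRINCIPAL_WITH_DOMAIN = false;

    private static final Oid SPNEGO_OID;
    static {
        try { SPNEGO_OID = new Oid("1.3.6.1.5.5.2"); }          // SPNEGO mechanism OID
        catch (GSSException e) { throw new ExceptionInInitializerError(e); }
    }

    /** JAAS entry equivalent to the node's keytab login: key from keytab, acceptor only, no prompting. */
    static Configuration acceptorJaasConfig() {
        return new Configuration() {
            @Override
            public AppConfigurationEntry[] getAppConfigurationEntry(String name) {
                Map<String, String> opts = new HashMap<>();
                opts.put("useKeyTab", "true");
                opts.put("keyTab", KEYTAB_PATH);
                opts.put("principal", SERVICE_PRINCIPAL);
                opts.put("storeKey", "true");      // keep the service key in the Subject for acceptSecContext
                opts.put("doNotPrompt", "true");   // never fall back to an interactive password prompt
                opts.put("isInitiator", "false");  // "Is Initiator" = False: validate presented tickets only
                return new AppConfigurationEntry[] {
                    new AppConfigurationEntry("com.sun.security.auth.module.Krb5LoginModule",
                        AppConfigurationEntry.LoginModuleControlFlag.REQUIRED, opts) };
            }
        };
    }

    /**
     * Accept one SPNEGO token (the base64 value after "Negotiate " in the Authorization header)
     * and return the authenticated principal, or throw if the ticket is not acceptable.
     * Only the single-round-trip case (Kerberos ticket inside SPNEGO) is handled here.
     */
    static String authenticate(String negotiateHeaderValue) throws Exception {
        // "Kerberos Realm" and "Kerberos Server Name" correspond to the JDK's krb5 properties.
        System.setProperty("java.security.krb5.realm", KERBEROS_REALM);
        System.setProperty("java.security.krb5.kdc", KERBEROS_SERVER);

        byte[] token = Base64.getDecoder().decode(negotiateHeaderValue.trim());

        LoginContext lc = new LoginContext("spnego-acceptor", null, null, acceptorJaasConfig());
        lc.login();                                   // loads the service key from the keytab
        Subject service = lc.getSubject();

        return Subject.doAs(service, (PrivilegedExceptionAction<String>) () -> {
            GSSManager gss = GSSManager.getInstance();
            GSSCredential cred = gss.createCredential(null, GSSCredential.INDEFINITE_LIFETIME,
                    SPNEGO_OID, GSSCredential.ACCEPT_ONLY);
            GSSContext ctx = gss.createContext(cred);
            try {
                ctx.acceptSecContext(token, 0, token.length);   // verifies the ticket with the keytab key
                if (!ctx.isEstablished()) {
                    throw new GSSException(GSSException.FAILURE);  // reject anything needing more rounds
                }
                return applyNodeRules(ctx.getSrcName().toString());  // e.g. "alice@AD_DOMAIN.COM"
            } finally {
                ctx.dispose();
            }
        });
    }

    /** Trusted-realm check and "Return Principal with Domain Name" handling (this example's interpretation). */
    static String applyNodeRules(String principal) throws GSSException {
        int at = principal.lastIndexOf('@');
        if (at < 0) throw new GSSException(GSSException.BAD_NAME);
        String user = principal.substring(0, at);
        String realm = principal.substring(at + 1);
        if (!TRUSTED_REALMS.contains(realm)) {
            throw new GSSException(GSSException.UNAUTHORIZED);    // ticket issued by an untrusted realm
        }
        return RETURN_PRINCIPAL_WITH_DOMAIN ? principal : user;
    }
}
```

Running this requires a real keytab and reachability to the KDC; the point is the mapping between the node's fields and the JAAS/GSS-API settings. Note that with Return Principal with Domain Name off, two users named alice in different trusted realms collapse to the same identifier, which is why that switch should be on whenever more than one realm is trusted.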

Example Flow

This flow first attempts to authenticate the user via Windows Desktop SSO. If the browser does not present a ticket, or the ticket is rejected, the tree falls back to prompting for a username and password.

[Figure: WINDOWS_SSO_FLOW authentication tree diagram]

Project Information
Status: Unsupported, Unverified
Tags: openam, authentication, authTreeNode
Author: Frank.Gasparovic