Set up the SSO Web Portal

Implement a custom Web portal

To implement a Web portal that displays a login form to the user, you only need a simple Web server that handles HTTP headers sent by HAProxy.

HAProxy headers

Header: Description

X-SSO-ACTION: An action that can be any of the following:

  • frm: display the authentication form to the user

  • fOK: display the confirmation page: You have now access to application {%app%}

  • dny: access denied

  • err: an error occurred

X-SSO-MSG: A message to display to the user

X-SSO-DOMAIN: The domain

X-SSO-APP: The application that the user wants to access. It is determined by the URL and the SSO agent

X-SSO-TITLE-PAGE: The main URL of the application. The web server can include a link to this page to lead the user directly to the application.

Establish an authentication form

This HTML page must contain an HTML form that lets the user enter their login and password and select the domain to log on to.

The form must POST to the same URL.

A minimal form could be:

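<form method="POST">
  <input name="login" type="text" />
  <!-- type="password" keeps the browser from showing the password in clear text -->
  <input name="password" type="password" />
  <select name="domain">
    <option value="mydomain.net">My Domain</option>
  </select>
  <button type="submit">Log in</button>
</form>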

The POST is done on the form backend and handled by HAProxy, which extracts the information and passes it on to the SSO agent.
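The following is an added example, not code from the original page or from HAProxy: a small Python WSGI backend that renders the portal from the X-SSO-* headers described above and HTML-escapes every header value before it reaches the page. The DOMAINS mapping, the listening address, the HTTP status codes and the handling of an unknown action as an error are assumptions.

```python
"""Added example: SSO portal backend that renders a page from the X-SSO-* headers."""
import html
from wsgiref.simple_server import make_server

DOMAINS = {"mydomain.net": "My Domain"}  # assumption: domains offered in the form
NAMES = ("X-SSO-ACTION", "X-SSO-MSG", "X-SSO-DOMAIN", "X-SSO-APP", "X-SSO-TITLE-PAGE")
FORM = ('<form method="POST">'
        '<input name="login" type="text" />'
        '<input name="password" type="password" />'
        '<select name="domain">{options}</select>'
        '<button type="submit">Log in</button></form>')


def render_portal(headers):
    """Return (status, html_body) for a dict of X-SSO-* header values."""
    def esc(name):  # header values are untrusted text: escape before embedding
        return html.escape(headers.get(name, ""), quote=True)
    action = headers.get("X-SSO-ACTION", "")
    msg = f"<p>{esc('X-SSO-MSG')}</p>" if headers.get("X-SSO-MSG") else ""
    if action == "frm":
        options = "".join(f'<option value="{html.escape(v)}">{html.escape(label)}</option>'
                          for v, label in DOMAINS.items())
        return "200 OK", msg + FORM.format(options=options)
    if action == "fOK":
        body = f"<p>You have now access to application {esc('X-SSO-APP')}</p>"
        url = headers.get("X-SSO-TITLE-PAGE", "")
        if url.startswith(("http://", "https://")):  # never link javascript: or data:
            body += f'<a href="{html.escape(url, quote=True)}">Continue</a>'
        return "200 OK", msg + body
    if action == "dny":
        return "403 Forbidden", msg + "<p>Access denied</p>"  # status is an assumption
    return "500 Internal Server Error", msg + "<p>An error occurred</p>"  # err or unknown


def app(environ, start_response):
    # WSGI exposes the request header X-SSO-ACTION as HTTP_X_SSO_ACTION, and so on.
    headers = {n: environ.get("HTTP_" + n.upper().replace("-", "_"), "") for n in NAMES}
    status, body = render_portal(headers)
    page = f"<!doctype html><html><body>{body}</body></html>".encode("utf-8")
    start_response(status, [("Content-Type", "text/html; charset=utf-8"),
                            ("Content-Length", str(len(page)))])
    return [page]


if __name__ == "__main__":
    make_server("127.0.0.1", 8080, app).serve_forever()  # assumption: local port 8080
```

Because the page is driven entirely by request headers, this backend should only be reachable through HAProxy, so that clients cannot supply their own X-SSO-* values.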

Add SSO ability to an application

After you set up SSO, use the following procedure to add more applications:

  1. Add a new domain:

    • Add the new domain to the Web form of the HTML page. The user must be able to select it, and its value must be included in the POST.

  2. To add an application, configure it in Active Directory:

    • Add a new service user associated with the service principal name (SPN) of your application.

    • Create a new keytab for the new SPN or add it to an existing keytab.

      On Windows:

      ktpass /out myapp.keytab /mapuser <service-user>@MYDOMAIN.NET /princ HTTP/myapp.mydomain.net@MYDOMAIN.NET /pass <PASSWORD>

  3. Add it to conf/sso.map.

  4. In the configuration file sso.ini, add the application section and attach it to the correct domain.

  5. Update the keytab_file directive, if needed.

  6. Add the specified backend to haproxy.cfg.