Implementing SSO
Using the provided built-in Web portal
If you use the default built-in Web portal, you can customize your company logo and your CSS file.
The location of these files is:
<HAPEE_DIR>/sso/portal/logo.png (or logo.jpg)
<HAPEE_DIR>/sso/portal/css.css
Implementing a custom Web portal
To implement a Web portal that displays a login form to the user, you only need a simple Web server that handles HTTP headers sent by HAProxy.
HAProxy Enterprise headers
Header | Description
---|---
 | An action that can be any of the following:
 | A message to display to the user
 | The domain
 | The application that the user wants to access. It is determined by the URL and the SSO agent.
 | The main URL of the application. The web server can include a link to this page to lead the user directly to the application.
 | If
 | This header redirects users to the page they want to access before being redirected to the authentication portal.
 | Contains the URL that users want to access. You can redirect them to this URL after a successful authentication.
Establish an authentication form
This HTML page must contain an HTML form that lets the user enter a login and password and select the domain to log on to. The POST action must post to the same URL.
A minimal form could be the following:
<form method="POST">
<input name="login" />
<input type="password" name="password" />
<select name="domain">
<option value="mydomain.net">My Domain</option>
</select>
<!-- optional field. It should contain the value extracted from the
X-SSO-REDIR_QS header -->
<input type="hidden" name="posted_redir" value="..." />
</form>
The POST is done on the form backend and handled by HAProxy, which extracts the information and passes it on to the SSO agent.
Add SSO ability to an application
After you set up SSO, use the following procedure to add more applications:
- Add a new domain:
  You must add the new domain to the Web form of the HTML page. The user must be able to select it, and you must include its value in the POST.
- To add an application if you use Kerberos with an Active Directory:
  - Add a new service user associated with the service principal name (SPN) of your application.
  - Create a new keytab for the new SPN, or add it to an existing keytab. On Windows:
    ktpass /out myapp.keytab /mapuser <service-user>@MYDOMAIN.NET /princ HTTP/myapp.mydomain.net@MYDOMAIN.NET /pass <PASSWORD>
  - Update the keytab_file directive, if needed.
  - Add the application to conf/sso.map.
  - In the configuration file so.ini, add the application section and attach it to the correct domain.
  - Add the specified backend to haproxy.cfg.
- To check whether a user is allowed to access an application, verify that the X-SSO-* headers are as follows:
  X-SSO-APP: <name of the application>
  X-SSO-DOMAIN: <name of the domain>
  X-SSO-ACTION: alw
  X-SSO-LOGIN: <user login> (SSO >= v1.2 or ALOHA >= 10.5.6)
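The two pieces of portal logic described above, the authorization check on the X-SSO-* headers and the login form that carries X-SSO-REDIR_QS into the hidden posted_redir field, as an added Python example. This is not HAProxy Enterprise code; it assumes only the header names and the "alw" action value shown on this page, and treats any other action value as "show the login form".

```python
import html
from typing import Mapping

# The only action value documented on this page is "alw" (allowed).
ALLOW_ACTION = "alw"

def is_allowed(headers: Mapping[str, str], app: str, domain: str) -> bool:
    """True only if HAProxy marked this request as authorized for app/domain.

    All three headers are checked together: a matching action alone is not
    enough, because the same portal may front several applications/domains.
    """
    return (headers.get("X-SSO-ACTION") == ALLOW_ACTION
            and headers.get("X-SSO-APP") == app
            and headers.get("X-SSO-DOMAIN") == domain)

def render_login_form(headers: Mapping[str, str], domains: list[str]) -> str:
    """Build the minimal login form, preserving the original target URL.

    X-SSO-REDIR_QS is copied into the hidden posted_redir field. The value
    originates from the client's request, so it is HTML-escaped before being
    embedded in an attribute (untrusted data must not break out of the form).
    """
    redir = headers.get("X-SSO-REDIR_QS", "")
    options = "".join(
        f'<option value="{html.escape(d, quote=True)}">{html.escape(d)}</option>'
        for d in domains)
    return (
        '<form method="POST">'
        '<input name="login" />'
        '<input type="password" name="password" />'
        f'<select name="domain">{options}</select>'
        f'<input type="hidden" name="posted_redir" value="{html.escape(redir, quote=True)}" />'
        '</form>'
    )

def handle_request(headers: Mapping[str, str], app: str, domain: str,
                   domains: list[str]) -> tuple[int, str]:
    """Return (status, body): 200 for an authorized request, else the form."""
    if is_allowed(headers, app, domain):
        return 200, "authorized"
    return 401, render_login_form(headers, domains)

if __name__ == "__main__":
    # Constructed sample headers, as HAProxy would send them to the portal.
    sample = {"X-SSO-ACTION": "alw", "X-SSO-APP": "myapp",
              "X-SSO-DOMAIN": "mydomain.net", "X-SSO-LOGIN": "alice"}
    print(handle_request(sample, "myapp", "mydomain.net", ["mydomain.net"]))
```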