Hi Alexandre,
If Apache can accept Kerberos for authentication then this is certainly one way to consider. Verify Access can definitely provide a delegated Kerberos ticket to a backend server for authentication - that is how we integrate with Microsoft IIS. There's a video on this in the Security Learning Academy:
https://www.securitylearningacademy.com/course/view.php?id=2900
However, if this is a new deployment, I would be more inclined to investigate using either OpenID Connect or sending a JSON Web Token (JWT) in an HTTP header. I know that these methods are supported by IBM WebSphere Liberty and so I would imagine they are also supported by Apache. The JWT used in both these cases can assert more than just a username - things like attributes and group memberships can be asserted too. It should be less overhead and more flexible than Kerberos.
Here's an article that talks about sending a JWT in an HTTP header for authentication to WebSphere Liberty:
https://www.ibm.com/blogs/sweeden/isam-9-0-2-the-jwt-sts-module-and-junction-sso-to-websphere-liberty/
Jon.
------------------------------
Jon Harry
Consulting IT Security Specialist
IBM
------------------------------
Original Message:
Sent: Fri May 07, 2021 12:32 PM
From: Alexandre Gammaro
Subject: Kerberos using Apache
Hi all,
I have a scenario in which the reverse proxy of the ISVA needs to do SSO with an application hosted in Apache.
Has anyone done ISVA's SSO integration with Apache? What protocol did you use? Are you able to share the procedures? Is Kerberos a good way?
Regards,
------------------------------
Alexandre Gammaro
CyberSecurity Specialist
Triscal
------------------------------