IBM Security Verify

  • 1.  Kerberos using Apache

    IBM Champion
    Posted Fri May 07, 2021 12:32 PM
    Edited by Alexandre Gammaro Fri May 07, 2021 01:42 PM
    Hi all,

    I have a scenario in which the ISVA reverse proxy needs to do SSO with an application hosted in Apache.
    Has anyone done ISVA's SSO integration with Apache? What protocol did you use? Are you able to share the procedures? Is Kerberos a good way?

    Regards,

    ------------------------------
    Alexandre Gammaro
    CyberSecurity Specialist
    Triscal
    ------------------------------


  • 2.  RE: Kerberos using Apache

    Posted Mon May 10, 2021 04:47 AM
    Hi Alexandre,

    If Apache can accept Kerberos for authentication then this is certainly one way to consider.  Verify Access can definitely provide a delegated Kerberos ticket to a backend server for authentication - that is how we integrate with Microsoft IIS.  There's a video on this in the Security Learning Academy: https://www.securitylearningacademy.com/course/view.php?id=2900

    However, if this is a new deployment, I would be more inclined to investigate using either OpenID Connect or sending a JSON Web Token (JWT) in an HTTP header.  I know that these methods are supported by IBM WebSphere Liberty and so I would imagine they are also supported by Apache.  The JWT used in both these cases can assert more than just a username - things like attributes and group memberships can be asserted too.  It should be less overhead and more flexible than Kerberos.

    Here's an article that talks about sending a JWT in HTTP header for authentication to WebSphere Liberty:
    https://www.ibm.com/blogs/sweeden/isam-9-0-2-the-jwt-sts-module-and-junction-sso-to-websphere-liberty/

    Jon.

    ------------------------------
    Jon Harry
    Consulting IT Security Specialist
    IBM
    ------------------------------
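
An added example, not part of the thread or of any IBM material: a sketch of what an application behind the reverse proxy has to check before trusting a JWT that arrives in an HTTP header, and how the username and group claims mentioned above are read from it. The header name, issuer, audience and the HS256 shared secret are assumptions chosen so the code runs with the Python standard library alone; a deployment would use whatever signing method and claim names the proxy's token service is configured with.

```python
import base64, hashlib, hmac, json, time

# Assumptions for this sketch (none of these values come from the thread):
JWT_HEADER = "X-Proxy-JWT"                 # hypothetical header set by the proxy
EXPECTED_ISS = "https://isva.example.com"  # placeholder issuer
EXPECTED_AUD = "apache-app"                # placeholder audience

def b64url_decode(part):
    return base64.urlsafe_b64decode(part + "=" * (-len(part) % 4))

def b64url_encode(raw):
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()

def make_token(header, claims, key):
    """Build a constructed sample token (stands in for the proxy's token service)."""
    signing_input = ".".join(b64url_encode(json.dumps(p).encode()) for p in (header, claims))
    sig = hmac.new(key, signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + b64url_encode(sig)

def verify_proxy_jwt(token, key, now=None):
    """Return the claims of a valid token; raise ValueError otherwise."""
    try:
        h64, p64, s64 = token.split(".")
        header, sig = json.loads(b64url_decode(h64)), b64url_decode(s64)
        alg = header["alg"]
    except Exception as exc:
        raise ValueError("malformed token") from exc
    if alg != "HS256":  # pin the algorithm; never let the token choose it
        raise ValueError("unexpected alg")
    expected = hmac.new(key, f"{h64}.{p64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(sig, expected):
        raise ValueError("bad signature")
    claims = json.loads(b64url_decode(p64))  # parsed only after the signature checks out
    if not isinstance(claims, dict):
        raise ValueError("claims are not an object")
    now = time.time() if now is None else now
    if claims.get("iss") != EXPECTED_ISS or claims.get("aud") != EXPECTED_AUD:
        raise ValueError("wrong issuer or audience")
    if not isinstance(claims.get("exp"), (int, float)) or claims["exp"] <= now:
        raise ValueError("expired or missing exp")
    return claims

def identity_from_headers(headers, key, now=None):
    """Map the verified token to (username, groups) for the application."""
    claims = verify_proxy_jwt(headers.get(JWT_HEADER, ""), key, now)
    return claims["sub"], list(claims.get("groups", []))
```

The backend should also be reachable only through the reverse proxy, so that a client cannot present its own header directly.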



  • 3.  RE: Kerberos using Apache

    IBM Champion
    Posted Wed May 12, 2021 11:59 AM
    Edited by Alexandre Gammaro Wed May 12, 2021 12:17 PM
    Hi Jon,

    Very interesting, I will read this note that you mentioned.
    I can't use Kerberos, because Apache is version 2.4 and a module to do that doesn't exist.
    Do you know if there is any course in the Security Learning Academy about JWT and STS?
    I appreciate your help.

    Regards,

    ------------------------------
    Alexandre Gammaro
    CyberSecurity Specialist
    Triscal
    ------------------------------