Page History

...

Kerberos is a network authentication protocol designed by the Massachusetts Institute of Technology (MIT) for SSO in client-server environments, while SPNEGO (Simple and Protected GSS-API Negotiation Mechanism) extends Kerberos SSO to web applications.  

This plugin source code is available in a new open source repository at https://github.com/jogetoss/. JogetOSS is a community-led team for open source software related to the Joget no-code/low-code application platform. Projects under JogetOSS are community-driven and community-supported, and you are welcome to contribute to the projects.

Test Environment

• Joget Server: Joget Workflow v5 Enterprise on Apache Tomcat 8 and Java 8

• Windows Server: Windows Server 2012 R2 Datacenter (running on VirtualBox within a NAT Network, downloaded from https://www.microsoft.com/en-us/evalcenter/evaluate-windows-server-2012-r2)

• Windows Client PC: IE11 on Windows 10 (running on VirtualBox within a NAT Network, downloaded from https://developer.microsoft.com/en-us/microsoft-edge/tools/vms/) 

...

• Windows Server COMPUTER NAME is WIN-TKDH9LCHUUO 

• WINDOWS DOMAIN is windows.local

• DOMAIN USER is joget

• JOGET DOMAIN is joget.windows.local 

  
  

...

1. In Settings > General Settings, set the API Domain Whitelist to * to allow SSO requests to the Kerberos Directory Manager. 

   

4. Setup Client PC for SSO

...

1. In IE, click on Internet Options > Security > Local intranet site > Advanced and add the Joget domain e.g. http://joget.windows.local  

4.3 Test the SSO

1. If using Using the Kerberos Directory Manager plugin approach, access http://joget.windows.local/jw/web/json/plugin/org.joget.plugin.kerberos.KerberosDirectoryManager/service to SSO.

   If using the Spring Security Kerberos Extension approach, access http://joget.windows.local/jw/web/sso to SSO. 

   Info
   Please note that for the SSO to work properly: the client PC and Joget server must reside on different machines the Windows server and client PC must reside on the same Windows domain

...

• https://venkatsadasivam.com/2009/08/29/single-sign-on-in-java-platform/

• http://docs.spring.io/spring-security-kerberos/docs/1.0.1.RELEASE/reference/htmlsingle/

• http://projects.spring.io/spring-security-kerberos/

• https://tomcat.apache.org/tomcat-8.0-doc/windows-auth-howto.html

• http://docs.oracle.com/javase/jndi/tutorial/ldap/security/gssapi.html

• http://docs.oracle.com/javase/8/docs/technotes/guides/security/jgss/lab/part1.html#PART1

• https://docs.oracle.com/cd/E23943_01/web.1111/e13707/sso.htm#SECMG481

• https://stackoverflow.com/questions/25289231/using-gssmanager-to-validate-a-kerberos-ticket

...