How-to: Configure SAML/Kerberos for use in Browser

saml
sso
ucs-4-3
kerberos
ucs-4-4
howto

#1

How to Configure your Browser to use your Windows Login to authenticate via SAML/Kerberos.

Prerequisites

  • Your Windows Client has to be joined into the UCS Samba/AD
  • Your Ubuntu Client has to be joined via univention-domain-join

Step 1

Install the RootCA of your UCS domain into your OS certificate cache and/or your browser’s certificate cache.

Step 2

To allow Kerberos authentication at the identity provider, the Univention Configuration Registry variable saml/idp/authsource has to be changed from univention-ldap to univention-negotiate on your UCS master and each ucs-sso configured server.

Step 3

Your Kerberos ticket is a precious piece of information, like your password, so your browser won’t just send it everywhere. You need to configure a permission for any domain you want to use your login with.

Firefox
Open about:config and search for network.negotiate-auth.trusted-uris.
Change it’s value to ucs-sso.<DOMAIN>.<TLD>.

Chrome / IE / Edge
Go to the Windows System Control Panel and open Internet Options → Security → Local Intranet → Sites → Advanced and add https://ucs-sso.<DOMAIN>.<TLD>

You now should be able to open the UMC without further login.

See also:
http://docs.software-univention.de/manual.html#domain:saml


Kerberos-SAML-Integration mit UCS 4.3 an Ubuntu Clients
closed #2