Has anyone implemented Single Sign On SPNEGO with Phoenix?
I am trying to authenticate Windows users without a login. In fact, using IE, they should be able to connect and be authenticated via their Windows credentials without the need to fill in a login form.
I have seen I will need to play with Kerberos, or NTLM2, and I guess I need to do this with plugs.
I have looked at uWSGI, but it’s outdated…
Has anyone already done similar authentication?
Thanks for taking time and for any clues.
I am just considering Phoenix (not written any code yet), and this is one major requirement for me to easily deploy in our corporate environment. Have you made any progress on this?
I just looked at the flask-kerberos package:
to send a 401 response seems easy with:
But of course this is just the “beginning” of the whole process (https://www.ietf.org/rfc/rfc4559.txt).
As stated above I have no clue yet, but would be interested in discussing possible solutions.
Maybe at first just use a python-kerberos package in combination with Guardian and custom responses via plugs? Or just make custom calls to the MIT-Kerberos package?
I did find some available packages, but did not test them yet. I need to communicate with ADFS 3.0 serving as IdP.
The project was postponed because of COVID-19, but I will soon need to make it work.
Thank you for these packages.
I’ll have to read into the different implementations of SSO, I know that we use Kerberos with key_tab - but you see my knowledge is limited. Maybe I can put together some snippets from these packages.
I just added:
```elixir
conn
# Plug expects lowercase header keys; the scheme name stays "Negotiate"
|> put_resp_header("www-authenticate", "Negotiate")
|> send_resp(401, "some body stuff")
```
to the tutorial's sample code in the controller. The first of many problems is solved, I now have to enter my password.
But that certainly does not help you too much. Wishing you good luck! I’ll let you know if I find the golden bullet.
BTW, it’s kind of funny, we are from the same country.
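As an added example (not code from this thread or from any of the packages mentioned in it), this is what the 401/Negotiate step above grows into as a Plug that follows RFC 4559. The `MyApp.Plugs.NegotiateAuth` module name and the `:verify` callback are assumptions; the callback is the part that would need a Kerberos/GSSAPI binding and a keytab to check the token against.

```elixir
defmodule MyApp.Plugs.NegotiateAuth do
  # Added example (not the thread's code): HTTP side of RFC 4559 Negotiate auth.
  # Token validation against the KDC/keytab is delegated to the `:verify` option,
  # assumed to be a function `(binary -> {:ok, principal} | :error)`.
  import Plug.Conn
  @behaviour Plug
  # Wire-format markers: a SPNEGO InitialContextToken is DER [APPLICATION 0]
  # (tag 0x60) carrying OID 1.3.6.1.5.5.2; raw NTLM messages start with "NTLMSSP\0".
  @spnego_oid <<0x06, 0x06, 0x2B, 0x06, 0x01, 0x05, 0x05, 0x02>>
  @ntlmssp "NTLMSSP\0"

  @impl true
  def init(opts) do
    Keyword.fetch!(opts, :verify) # fail at boot rather than on the first request
    opts
  end

  @impl true
  def call(conn, opts) do
    case get_req_header(conn, "authorization") do
      ["Negotiate " <> b64] -> verify_token(conn, b64, opts[:verify])
      _ -> challenge(conn) # no token yet: ask the browser to negotiate
    end
  end

  defp verify_token(conn, b64, verify) do
    with {:ok, token} <- Base.decode64(b64),
         :spnego <- classify(token),
         {:ok, principal} <- verify.(token) do
      assign(conn, :current_user, principal)
    else
      # Windows clients may send a raw NTLM token under the Negotiate scheme when
      # no Kerberos ticket is available; a Kerberos-only service should refuse
      # clearly rather than re-challenge forever.
      :ntlm -> conn |> send_resp(403, "Kerberos via Negotiate required") |> halt()
      _ -> challenge(conn)
    end
  end

  # Plug requires lowercase header keys; the scheme name itself stays "Negotiate".
  defp challenge(conn) do
    conn
    |> put_resp_header("www-authenticate", "Negotiate")
    |> send_resp(401, "Authentication required")
    |> halt()
  end
  defp classify(<<0x60, rest::binary>>),
    do: if(:binary.match(rest, @spnego_oid) != :nomatch, do: :spnego, else: :unknown)
  defp classify(@ntlmssp <> _), do: :ntlm
  defp classify(_), do: :unknown
end
```

Mount it in a router pipeline with `plug MyApp.Plugs.NegotiateAuth, verify: &MyApp.Gssapi.accept/1` (the verifier module is hypothetical); the browser only sends a ticket for hosts it trusts for integrated authentication, so the 401 alone, as the post above found, still produces a password prompt.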
Ah I didn’t see that… it seems that we are a friendlier crowd than one would think - Good to know that Elixir is “landing” here
We’re working on a Samly -> ADFS connection at work; seems to be going well apart from some oddities with RelayState not being sent. There’s a fix for that merged but not released; for now we’re working around it with a plug that ensures the parameter is present.
Just a follow-up, I ended up putting nginx in front for the Kerberos part. Works quite niceish till now. At our place ADFS is just available from outside but not from the internal network. I hope you found a way too.