SPNEGO SSO w/ Elixir/Erlang

Hello everyone,

Has anyone implemented Single Sign On SPNEGO with Phoenix?

I am trying to authenticate Windows users without a login. In fact, using IE, they should be able to connect and be authenticated via their Windows credentials without the need to fill in a login form.

I have seen I will need to play with Kerberos, or NTLM2, and I guess I need to do this with plugs.

I have looked at uWSGI, but it’s outdated…

Has anyone already done similar authentication?

Thanks for taking time and for any clues.


Hey Kokolegorille,

I am just considering Phoenix (not written any code yet), and this is one major requirement for me to easily deploy in our corporate environment. Have you made any progress on this?

I just looked at the flask-kerberos package:
https://github.com/mkomitee/flask-kerberos/blob/master/flask_kerberos.py

Sending a 401 response seems easy with:
https://hexdocs.pm/plug/Plug.Conn.html#send_resp/3
but of course this is just the “beginning” of the whole process (https://www.ietf.org/rfc/rfc4559.txt).

As stated above I have no clue yet, but would be interested in discussing possible solutions.

Maybe at first just use a python-kerberos package in combination with Guardian and custom responses via plugs? Or just make custom calls to the MIT-Kerberos package?

Best Regards

I did find some available packages, but did not test them yet. I need to communicate with ADFS 3.0 serving as IdP.


Project was postponed, because of covid-19, but I will soon need to make it work :slight_smile:


Thank you for these packages.

I’ll have to read into the different implementations of SSO, I know that we use Kerberos with key_tab - but you see my knowledge is limited. Maybe I can put together some snippets from these packages.

I just added:

conn
|> put_resp_header("WWW-Authenticate", "Negotiate")  # the RFC 4559 challenge
|> send_resp(401, "some body stuff")

to the tutorial's sample code in the controller. The first of many problems is solved :rofl:, I now have to enter my password.

But that certainly isn't helping you too much. Wishing you good luck! I'll let you know if I find the golden bullet :wink:

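The 401 challenge in the post above is the first leg of the RFC 4559 exchange; the second leg is the browser resending the request with an "Authorization: Negotiate <base64 token>" header that the server must decode and hand to a GSSAPI/Kerberos verifier. The following Plug sketches both legs end to end. It is an added example, not code from the thread or from any of the packages mentioned there: the module name MyAppWeb.Plugs.SpnegoAuth, the `:verifier` option and the MyApp.Kerberos.accept/1 function named in the usage note are assumptions, and the Kerberos verification itself (which needs a keytab for the HTTP/<host> service principal and a GSSAPI binding the thread does not name) is left as a pluggable function rather than implemented.

```elixir
defmodule MyAppWeb.Plugs.SpnegoAuth do
  @moduledoc """
  Server side of the HTTP Negotiate (SPNEGO) handshake from RFC 4559.

  - No Authorization header            -> 401 with "WWW-Authenticate: Negotiate"
  - "Authorization: Negotiate <base64>" -> decode the token and pass it to the
    configured verifier, which returns {:ok, principal, out_token_or_nil}
    or an error. The verifier is assumed (hypothetical), not implemented here.
  """
  import Plug.Conn

  @behaviour Plug

  @impl true
  def init(opts), do: Keyword.put_new(opts, :verifier, &__MODULE__.reject_all/1)

  @impl true
  def call(conn, opts) do
    verifier = Keyword.fetch!(opts, :verifier)

    case get_req_header(conn, "authorization") do
      [] ->
        challenge(conn)

      [value | _] ->
        with {:ok, token} <- parse_negotiate(value),
             {:ok, principal, out_token} <- verifier.(token) do
          conn
          |> maybe_put_mutual_auth_header(out_token)
          |> assign(:current_principal, principal)
        else
          # Bad header, wrong scheme, or a rejected token: re-challenge.
          # Every failure path halts before the controller runs.
          _ -> challenge(conn)
        end
    end
  end

  # Initial challenge. A bare "Negotiate" tells the browser to obtain a
  # Kerberos service ticket for HTTP/<host> and resend with the token.
  # Response header names are lowercase because recent Plug versions
  # validate them.
  def challenge(conn) do
    conn
    |> put_resp_header("www-authenticate", "Negotiate")
    |> send_resp(401, "Authentication required")
    |> halt()
  end

  # Accepts "Negotiate <base64>" and returns the raw token bytes.
  # Note: when no ticket is available Windows may wrap NTLM inside
  # Negotiate; such a token begins with "NTLMSSP\0" and a Kerberos-only
  # verifier will (correctly) reject it.
  def parse_negotiate(header_value) do
    case String.split(header_value, " ", parts: 2) do
      [scheme, b64] ->
        if String.downcase(scheme) == "negotiate" do
          case Base.decode64(String.trim(b64)) do
            {:ok, token} -> {:ok, token}
            :error -> {:error, :bad_base64}
          end
        else
          {:error, :unsupported_scheme}
        end

      _ ->
        {:error, :malformed_header}
    end
  end

  # RFC 4559 mutual authentication: once the GSSAPI context completes the
  # server may return its own token so the client can verify the server.
  defp maybe_put_mutual_auth_header(conn, nil), do: conn

  defp maybe_put_mutual_auth_header(conn, out_token) do
    put_resp_header(conn, "www-authenticate", "Negotiate " <> Base.encode64(out_token))
  end

  # Default verifier: fails closed until a real GSSAPI/Kerberos verifier
  # is configured, so a misconfigured deployment never lets requests through.
  def reject_all(_token), do: {:error, :no_verifier_configured}
end
```

Wire it into a router pipeline as `plug MyAppWeb.Plugs.SpnegoAuth, verifier: &MyApp.Kerberos.accept/1`, where the (assumed) `accept/1` calls into a GSSAPI library with the service keytab and returns the authenticated principal. Two points worth keeping in mind when testing this against IE: the browser only sends the token for hosts it considers part of the intranet zone, and the principal returned by the verifier (not anything the client sends in a form or header) must be the sole source of the user identity assigned on the connection.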

BTW It’s kind of funny, we are from the same country :slight_smile:


Ah I didn’t see that… it seems that we are a friendlier crowd than one would think :wink: - Good to know that Elixir is “landing” here :wink:

We’re working on a Samly -> ADFS connection at work; seems to be going well apart from some oddities with RelayState not being sent. There’s a fix for that merged but not released; for now we’re working around it with a plug that ensures the parameter is present.


Just a follow up, I ended up putting nginx in front for the Kerberos part. Works quite niceish till now. At our place ADFS is just available from outside but not from the internal network. I hope you found a way too.
