Scenarios for Implementing Kerberos SSO

This section describes the different scenarios for implementing Kerberos SSO.

Implementing Kerberos SSO on an Appliance Connected to an AD

This section describes the process of implementing Kerberos SSO when an appliance uses the authentication services of its own local LDAP.

You can also log in to the appliance without SSO by providing valid user credentials.

Steps to configure Kerberos SSO with a Local LDAP

Consider an appliance for which you are configuring SSO. Ensure that you perform the following steps to implement it.

  1. Import users from an external directory and assign the SSO Login permission to their roles.
  2. Configure the SPN for the appliance, using the FQDN that users type in the browser.
  3. Create the keytab file for that SPN and upload it to the appliance.
  4. Configure the browser to support SSO.

Logging in with Kerberos SSO

After configuring the required settings, the user enters the FQDN of the appliance in the Web browser and clicks Sign in with SSO to access the appliance. On successful authentication, the Dashboard of the appliance appears.

Example process

The following figure illustrates the SSO process for appliances that utilize the local LDAP.

SSO Implementation

  1. The user logs in to the domain with their credentials.

    For example, a user, Tom, logs in to the domain abc.com as tom@abc.com and password *********.

  2. Tom is authenticated by the AD. On successful authentication, he is logged in to the system and holds a Kerberos ticket-granting ticket for the domain.

  3. To access the appliance, Tom enters the FQDN of the appliance in the Web browser.

    For example, esa1.protegrity.com.

  4. If Tom wants to access the appliance using SSO, he clicks Sign in with SSO in the Web browser.

    The browser requests a service ticket for the SPN of the appliance from the AD Key Distribution Center (KDC). The FQDN that Tom typed must match the SPN; otherwise the browser cannot obtain a Kerberos ticket and falls back to NTLM or to a credentials prompt, and no SSO login is possible.

  5. The AD issues the service ticket, and the browser wraps it in a SPNEGO token.

  6. The browser sends this SPNEGO token to the appliance in the Authorization: Negotiate header to authenticate Tom.

  7. The appliance performs the following checks.

    1. It receives the token and decrypts the service ticket with the key from the uploaded keytab. If the decryption succeeds, the token is valid.
    2. It retrieves the username (the Kerberos principal) from the token.
    3. It validates Tom against the internal LDAP.
    4. It retrieves the role for Tom and verifies that the role has the SSO Login permission. After the token and the role permission are validated, Tom can access the appliance.
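The checks in step 7, as an added Python example that is not Protegrity code and is not taken from this page. The Kerberos decryption of step 7.1 is done by the GSS-API library against the keytab and is not reproduced; the code instead parses the Authorization: Negotiate header the appliance receives, distinguishes a real SPNEGO token from the NTLM fallback a browser sends when the typed host name matches no SPN (the usual symptom of an SPN, DNS, or load-balancer misconfiguration, and a token the appliance must refuse), and then applies steps 7.2 to 7.4 to the principal that GSS-API would return. The realm ABC.COM, the users tom and sam, the role names and their permissions are constructed stand-ins for the internal LDAP and the role table; the mechanism OIDs are the standard values.

```python
"""Server-side triage of a Kerberos SSO login (constructed example, not Protegrity code).
The Kerberos decryption of step 7.1 is done by GSS-API against the uploaded keytab and is
not reproduced; this covers what sits around it: reject an NTLM fallback, confirm the
SPNEGO token offers Kerberos, then enforce steps 7.2-7.4 on the authenticated principal."""
import base64

# DER-encoded OIDs of the mechanisms seen in browser SPNEGO tokens (standard values).
OID_SPNEGO = bytes.fromhex("2b0601050502")            # 1.3.6.1.5.5.2
OID_KRB5 = bytes.fromhex("2a864886f712010202")        # 1.2.840.113554.1.2.2
OID_MS_KRB5 = bytes.fromhex("2a864882f712010202")     # 1.2.840.48018.1.2.2
OID_NTLMSSP = bytes.fromhex("2b06010401823702020a")   # 1.3.6.1.4.1.311.2.2.10

# Constructed stand-ins for the appliance's internal LDAP and its role table.
APPLIANCE_REALM = "ABC.COM"
INTERNAL_LDAP = {"tom": {"role": "Security Officer"}, "sam": {"role": "Viewer"}}
ROLE_PERMISSIONS = {"Security Officer": {"SSO Login", "Policy Management"}, "Viewer": {"Dashboard View"}}


def _read_tlv(buf, pos):
    """Read one DER tag-length-value at pos; return (tag, value, next_pos)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                                  # long-form length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length


def _encode_tlv(tag, value):
    """Encode one DER tag-length-value (short or long-form length)."""
    if len(value) < 0x80:
        return bytes([tag, len(value)]) + value
    lb = len(value).to_bytes((len(value).bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + value


def build_neg_token_init(mech_oids, mech_token):
    """Build the GSS-API InitialContextToken (SPNEGO NegTokenInit) a browser sends.
    Used here only to construct test input; mech_token stands in for the AP-REQ."""
    mech_list = _encode_tlv(0x30, b"".join(_encode_tlv(0x06, o) for o in mech_oids))
    neg_init = _encode_tlv(0x30, _encode_tlv(0xA0, mech_list)
                           + _encode_tlv(0xA2, _encode_tlv(0x04, mech_token)))
    return _encode_tlv(0x60, _encode_tlv(0x06, OID_SPNEGO) + _encode_tlv(0xA0, neg_init))


def make_negotiate_header(blob):
    return "Negotiate " + base64.b64encode(blob).decode()


def offered_mechs(blob):
    """Return the mechanism OIDs a SPNEGO NegTokenInit offers, most preferred first."""
    if blob.startswith(b"NTLMSSP\x00"):
        raise ValueError("raw NTLMSSP token: the client fell back to NTLM, not Kerberos")
    tag, body, _ = _read_tlv(blob, 0)
    oid_tag, oid, pos = _read_tlv(body, 0)
    if tag != 0x60 or oid_tag != 0x06 or oid != OID_SPNEGO:
        raise ValueError("not a SPNEGO InitialContextToken")
    tag, neg_init, _ = _read_tlv(body, pos)            # [0] NegTokenInit
    if tag != 0xA0:
        raise ValueError("expected a NegTokenInit")
    _, seq, _ = _read_tlv(neg_init, 0)                 # SEQUENCE
    tag, mech_types, _ = _read_tlv(seq, 0)             # [0] mechTypes
    if tag != 0xA0:
        raise ValueError("NegTokenInit carries no mechTypes")
    _, mech_list, _ = _read_tlv(mech_types, 0)         # SEQUENCE OF OID
    oids, pos = [], 0
    while pos < len(mech_list):
        _, oid, pos = _read_tlv(mech_list, pos)
        oids.append(oid)
    return oids


def triage_negotiate_header(header_value):
    """Check the header before handing the blob to GSS-API. Returns the SPNEGO blob
    only when the client's preferred mechanism is Kerberos."""
    scheme, _, b64 = header_value.partition(" ")
    if scheme != "Negotiate":
        raise ValueError(f"unsupported authorization scheme {scheme!r}")
    blob = base64.b64decode(b64, validate=True)
    mechs = offered_mechs(blob)
    if not mechs or mechs[0] not in (OID_KRB5, OID_MS_KRB5):
        # Usual causes: the URL host does not match the SPN (IP address, load-balancer
        # name without an SPN), or the site is outside the browser's trusted/intranet zone.
        raise ValueError("client did not offer Kerberos first; check SPN and browser SSO settings")
    return blob


def authorize_principal(principal):
    """Steps 7.2-7.4: map the principal GSS-API returned to a local user and require
    the SSO Login permission on that user's role. Returns the local username."""
    user, sep, realm = principal.partition("@")
    if not sep or realm.upper() != APPLIANCE_REALM:
        raise PermissionError(f"{principal!r} is not a {APPLIANCE_REALM} principal")
    entry = INTERNAL_LDAP.get(user.lower())
    if entry is None:
        raise PermissionError(f"user {user!r} not found in the internal LDAP")
    if "SSO Login" not in ROLE_PERMISSIONS.get(entry["role"], set()):
        raise PermissionError(f"role {entry['role']!r} lacks the SSO Login permission")
    return user.lower()


if __name__ == "__main__":
    hdr = make_negotiate_header(build_neg_token_init([OID_MS_KRB5, OID_KRB5, OID_NTLMSSP], b"AP-REQ"))
    print(len(triage_negotiate_header(hdr)), "byte SPNEGO token accepted; user", authorize_principal("tom@ABC.COM"))
```

Only the first mechanism in mechTypes is checked because that is the one the optimistic mechToken belongs to; a browser that lists Kerberos second has already decided to use NTLM for this request. Rejecting at that point gives a clear error instead of a silent downgrade.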

Implementing Kerberos SSO on other Appliances Communicating with ESA

This section describes the process of implementing Kerberos SSO when an appliance uses the authentication services of another appliance. Typically, the DSG depends on the ESA for user management and LDAP connectivity. This section explains the steps that must be performed to implement SSO on the DSG.

Implementing Kerberos SSO on DSG

This section explains the process of SSO authentication between the ESA and the DSG. It also includes information about the order of setup to enable SSO authentication on the DSG.

The DSG depends on the ESA for user and access management. The DSG can leverage the users and user permissions that are defined in the ESA only if the DSG is set to communicate with the ESA.

The following figure illustrates the SSO process for appliances that utilize the LDAP of another appliance.

Example process

  1. The user logs in to the system with their credentials.

    For example, John logs in to the domain abc.com as john@abc.com and password *********. The user is authenticated by the AD. On successful authentication, the user is logged in to the system.

  2. To access the DSG Web UI, John enters the FQDN of the DSG in the Web browser.

    For example, dsg.protegrity.com.

  3. If John wants to access the DSG Web UI using SSO, he clicks Sign in with SSO in the Web browser.

  4. John's username and the URL of the DSG are forwarded to the ESA.

  5. The ESA challenges the browser for Kerberos authentication, and the browser requests a service ticket for the SPN of the ESA from the AD. The Kerberos side of the configuration (SPN and keytab) therefore belongs to the ESA, not to the DSG.

  6. The AD issues the service ticket; the browser wraps it in a SPNEGO token and sends it to the ESA.

  7. The ESA performs the following steps to validate John.

    1. Receives the token and decrypts the service ticket with the key from the uploaded keytab. If the decryption succeeds, the token is valid.

    2. Retrieves the username from the token.

    3. Validates John against the internal LDAP.

    4. Retrieves the role for John and verifies that the role has the SSO Login permission.

      If the ESA encounters any error related to the role, username, or token, an error is displayed on the Web UI. For more information about the errors, refer to Troubleshooting.

  8. On successful authentication, the ESA generates a service JWT.

  9. The ESA sends this service JWT and the URL of the DSG to the Web browser.

  10. The Web browser presents this JWT to the DSG for validation.

  11. The DSG validates the JWT using the secret key shared with the ESA. The DSG never sees the Kerberos token; it trusts the JWT only because it holds the same JWT secret as the ESA, which is why the JWT settings must be exported to every DSG node. On successful validation, John can log in to the DSG Web UI.
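Steps 8 to 11, as an added Python example that is not Protegrity's implementation. The page does not publish the ESA's token layout, so the HS256 algorithm, the claim names (iss, sub, aud, iat, exp), the issuer name esa1.protegrity.com, the DSG URL and the secret value are assumptions. What it shows is what the DSG has to check before trusting the token (algorithm pinned rather than read from the token, HMAC over the header and payload with the shared secret compared in constant time, audience bound to this DSG's URL, expiry) and why a DSG node that did not receive the exported JWT configuration rejects every token the ESA issues.

```python
"""ESA service JWT issued after Kerberos SSO, and its validation on the DSG.
Constructed example, not Protegrity's implementation: token layout, claim names,
issuer, DSG URL and secret are assumptions. The point is the trust relationship of
steps 8-11: the DSG accepts the JWT only because it holds the same secret the ESA
signed with, i.e. the Appliance JWT Configuration exported to every DSG node."""
import base64
import hashlib
import hmac
import json
import time

ESA_ISSUER = "esa1.protegrity.com"   # assumed issuer claim value


def b64url(data):
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def b64url_decode(text):
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def esa_issue_service_jwt(secret, username, dsg_url, ttl_seconds=300, now=None):
    """Step 8: the ESA mints a short-lived HS256 token bound to one DSG URL."""
    now = int(time.time()) if now is None else now
    header = {"alg": "HS256", "typ": "JWT"}
    payload = {"iss": ESA_ISSUER, "sub": username, "aud": dsg_url,
               "iat": now, "exp": now + ttl_seconds}
    signing_input = (b64url(json.dumps(header, separators=(",", ":")).encode())
                     + "." + b64url(json.dumps(payload, separators=(",", ":")).encode()))
    sig = hmac.new(secret, signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + b64url(sig)


def dsg_validate_service_jwt(secret, token, this_dsg_url, now=None):
    """Step 11: the DSG validates the token with the secret shared with the ESA.
    Returns the claims, or raises ValueError with the reason for rejection."""
    now = int(time.time()) if now is None else now
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed token")
    h, p, s = parts
    header = json.loads(b64url_decode(h))
    # Pin the algorithm; never let the token choose it ("none", key-confusion attacks).
    if header.get("alg") != "HS256":
        raise ValueError(f"unexpected alg {header.get('alg')!r}")
    expected = hmac.new(secret, f"{h}.{p}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, b64url_decode(s)):
        raise ValueError("signature mismatch: this node's JWT secret differs from the ESA's")
    claims = json.loads(b64url_decode(p))
    if claims.get("iss") != ESA_ISSUER:
        raise ValueError("token not issued by the expected ESA")
    if claims.get("aud") != this_dsg_url:
        raise ValueError("token was issued for a different DSG URL")
    if now >= claims.get("exp", 0):
        raise ValueError("token expired")
    return claims


if __name__ == "__main__":
    shared = b"secret-from-Appliance-JWT-Configuration-export"   # constructed value
    token = esa_issue_service_jwt(shared, "john", "https://dsg.protegrity.com")
    print("accepted:", dsg_validate_service_jwt(shared, token, "https://dsg.protegrity.com"))
    try:   # a DSG node that missed the cluster export holds a different secret
        dsg_validate_service_jwt(b"stale-secret-on-unexported-node", token, "https://dsg.protegrity.com")
    except ValueError as err:
        print("rejected:", err)
```

The audience check matters in a cluster: a token the ESA minted for one DSG URL should not open a session on another DSG that happens to share the secret, and a short TTL limits the window in which a token captured from the browser can be replayed.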

Before You Begin:

Ensure that you complete the following steps to implement SSO on the DSG.

  1. Ensure that the Set ESA Communication process is performed on the DSG for establishing communication with the ESA.

    For more information about setting ESA communication, refer to section Setting up ESA Communication in the Protegrity Data Security Gateway User Guide 3.2.0.0.

  2. Import users from an external directory on the ESA and assign SSO and cloud gateway permissions.

  3. Configure SPN for the ESA.

  4. Create and upload the keytab file on the ESA.

  5. Enable Single Sign-on on the ESA.

  6. Export the JWT settings to all the DSG nodes in the cluster.

Next Steps:

After ensuring that the prerequisites for SSO in the DSG implementation are completed, you must complete the configuration on the DSG Web UI.

For more information about completing the configuration, refer to section LDAP and SSO Configurations in the Protegrity Data Security Gateway User Guide 3.2.0.0.

Exporting the JWT Settings to the DSG Nodes in the Cluster

As part of SSO implementation for the DSG, the JWT settings must be exported to all the DSG nodes that will be configured to use SSO authentication.

Ensure that the ESA, where SSO is enabled, and the DSG nodes are in a cluster.

To export the JWT settings:

  1. Log in to the ESA Web UI.

  2. Navigate to System > Backup & Restore.

  3. Under Export, select the Cluster Export option, and click Start Wizard.

  4. On the Data to import tab, select Appliance JWT Configuration and ensure that it is the only check box selected, then click Next.

  5. On the Source Cluster Nodes tab, select Create and Run a task now, and click Next.

  6. On the Target Cluster Nodes tab, select all the DSG nodes where you want to export the JWT settings, and click Execute.

Implementing Kerberos SSO with a Load Balancer Setup

This section describes the process of implementing SSO with a load balancer that is set up in front of the appliances.

Steps to configure SSO in a load balancer setup

Consider two appliances, L1 and L2, that are configured behind a load balancer. Ensure that you perform the following steps to implement SSO.

  1. Import users from an external directory on both L1 and L2 and assign the SSO Login permission.
  2. Ensure that the FQDN that users type in the browser resolves to the IP address of the load balancer. The browser requests a Kerberos ticket for the host name it connected to, not for the back-end node that serves the request, so this FQDN is the one the SPN must cover.
  3. Configure the SPN for the load balancer FQDN.
  4. Create one keytab file for that SPN and upload the same keytab file to both L1 and L2, so that either node can decrypt a service ticket issued for the load balancer.
  5. Configure the browser to support SSO.

Logging in with SSO

After configuring the required settings, the user enters the FQDN of the load balancer in the Web browser and clicks Sign in with Kerberos SSO to access it. On successful authentication, the Dashboard of the appliance appears.

Last modified January 21, 2025