Kerberos authentication
The Remedy Single Sign-On administrator can configure the IP address ranges of users in the Remedy SSO Admin Console; Kerberos authentication is performed only for clients whose IP address falls within these configured ranges. When a user tries to log in through a realm with Kerberos authentication, the Remedy SSO server checks that user's IP address against the configured IP address range. If the configured range contains the user's IP address, the user is authenticated through Kerberos; otherwise the user is either authenticated through the next IdP in the authentication chain or redirected to an error page. For more information about how to configure the IP address range(s), see Configuring-Kerberos-authentication.
The Kerberos architecture consists of the following entities and several modular services:
- Clients that need to use services provided by a server
- Servers that provide services to clients
- Key Distribution Center (KDC) that manages the Kerberos protocol, for example by generating session keys.
Kerberos authentication flow
The following table describes the Kerberos authentication login flow:
| Stage | Description |
|---|---|
| 1 | An end user accesses the protected application from a client such as a web browser. |
| 2 | The Remedy SSO agent redirects the user to the Remedy SSO server. |
| 3 | The Remedy SSO server responds to the client with 401 Unauthorized and sets the WWW-Authenticate: Negotiate header. |
| 4 | The client obtains a Kerberos service ticket from the Key Distribution Center (KDC) by using its ticket-granting ticket (TGT). |
| 5 | The client sends the service ticket to the Remedy SSO server in the HTTP Authorization header, whose value has the form Negotiate <base64-encoded token>. |
| 6 | The Remedy SSO server validates the token with the KDC. |
| 7 | The Remedy SSO server creates a session for the user’s access request. |
| 8 | The end user accesses the protected application. |
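As an added example (not BMC's code), the IP-range gate described at the top of this page and stages 3, 5 and 6 of the table modelled in Python: the server-side decision of whether to attempt Kerberos at all, the 401 Negotiate challenge, and parsing of the Authorization: Negotiate token before it is handed to the KDC check. The validate_with_kdc callback, the CIDR ranges, the sample token and the sample header are all assumptions constructed for the example.

```python
import base64
import ipaddress

# DER-encoded mechanism OIDs expected right after the 0x60 InitialContextToken
# tag of a GSS-API token: SPNEGO (1.3.6.1.5.5.2) and Kerberos v5 (1.2.840.113554.1.2.2).
SPNEGO_OID = bytes.fromhex("06062b0601050502")
KRB5_OID = bytes.fromhex("06092a864886f712010202")
# Constructed sample: a minimal SPNEGO-framed token and the header carrying it.
SAMPLE_TOKEN = b"\x60\x0d" + SPNEGO_OID + b"\xa0\x03\x02\x01\x00"
SAMPLE_HEADER = "Negotiate " + base64.b64encode(SAMPLE_TOKEN).decode()

def ip_in_configured_ranges(client_ip, ranges):
    """True if client_ip falls in any configured CIDR range (e.g. '10.0.0.0/8')."""
    ip = ipaddress.ip_address(client_ip)
    return any(ip in ipaddress.ip_network(r, strict=False) for r in ranges)

def decode_negotiate_header(authorization):
    """Stage 5: parse 'Authorization: Negotiate <base64>' into the raw GSS-API token;
    None if absent, malformed, or not SPNEGO/Kerberos (NTLMSSP also uses 'Negotiate')."""
    if not authorization:
        return None
    scheme, _, b64 = authorization.partition(" ")
    if scheme.lower() != "negotiate" or not b64.strip():
        return None
    try:
        token = base64.b64decode(b64.strip(), validate=True)
    except ValueError:  # binascii.Error is a ValueError subclass
        return None
    if len(token) < 2 or token[0] != 0x60:
        return None
    # Skip the DER length (short or long form) to reach the mechanism OID.
    body = token[2:] if token[1] < 0x80 else token[2 + (token[1] & 0x7F):]
    if not (body.startswith(SPNEGO_OID) or body.startswith(KRB5_OID)):
        return None
    return token

def kerberos_login(client_ip, headers, ranges, validate_with_kdc):
    """Stages 3, 5 and 6 for one request; validate_with_kdc(token) stands in for the
    KDC-backed check and returns the client principal or None. Returns (outcome, detail)."""
    if not ip_in_configured_ranges(client_ip, ranges):
        return "next_idp", None            # fall through to the next IdP / error page
    token = decode_negotiate_header(headers.get("Authorization"))
    if token is None:
        if "Authorization" in headers:
            return "error", "malformed Negotiate token"
        return "challenge", {"WWW-Authenticate": "Negotiate"}  # stage 3: 401 challenge
    principal = validate_with_kdc(token)   # stage 6
    if principal is None:
        return "error", "KDC rejected the service ticket"
    return "session", principal            # stage 7: create the session
```

A request from outside the configured ranges never reaches the Negotiate exchange, which is the behaviour to expect when a client in an unlisted subnet is handed to the next IdP instead of being prompted for Kerberos.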