diff options
| author | QuaSoft <info@quasoft.net> | 2019-11-23 01:33:31 +0200 |
|---|---|---|
| committer | Lauris BH <lauris@nix.lv> | 2019-11-23 01:33:31 +0200 |
| commit | 7b4d2f7a2aa3af093571628f979bdc939f10890c (patch) | |
| tree | f9abd74c01d006892f5474557cb545e4f60dfe71 /docs | |
| parent | eb1b225d9a920e68ce415b9732b4ec1d9527a2a2 (diff) | |
| download | gitea-7b4d2f7a2aa3af093571628f979bdc939f10890c.tar.gz gitea-7b4d2f7a2aa3af093571628f979bdc939f10890c.zip | |
Add single sign-on support via SSPI on Windows (#8463)
* Add single sign-on support via SSPI on Windows
* Ensure plugins implement interface
* Ensure plugins implement interface
* Move functions used only by the SSPI auth method to sspi_windows.go
* Field SSPISeparatorReplacement of AuthenticationForm should not be required via binding, as binding will insist the field is non-empty even if another login type is selected
* Fix breaking of oauth authentication on download links. Do not create new session with SSPI authentication on download links.
* Update documentation for the new 'SPNEGO with SSPI' login source
* Mention in documentation that ROOT_URL should contain the FQDN of the server
* Make sure that Contexter is not checking for active login sources when the ORM engine is not initialized (eg. when installing)
* Always initialize and free SSO methods, even if they are not enabled, as a method can be activated while the app is running (from Authentication sources)
* Add option in SSPIConfig for removing of domains from logon names
* Update helper text for StripDomainNames option
* Make sure handleSignIn() is called after a new user object is created by SSPI auth method
* Remove default value from text of form field helper
Co-Authored-By: Lauris BH <lauris@nix.lv>
* Remove default value from text of form field helper
Co-Authored-By: Lauris BH <lauris@nix.lv>
* Remove default value from text of form field helper
Co-Authored-By: Lauris BH <lauris@nix.lv>
* Only make a query to the DB to check if SSPI is enabled on handlers that need that information for templates
* Remove code duplication
* Log errors in ActiveLoginSources
Co-Authored-By: Lauris BH <lauris@nix.lv>
* Revert suffix of randomly generated E-mails for Reverse proxy authentication
Co-Authored-By: Lauris BH <lauris@nix.lv>
* Revert unneeded white-space change in template
Co-Authored-By: Lauris BH <lauris@nix.lv>
* Add copyright comments at the top of new files
* Use loopback name for randomly generated emails
* Add locale tag for the SSPISeparatorReplacement field with proper casing
* Revert casing of SSPISeparatorReplacement field in locale file, moving it up, next to other form fields
* Update docs/content/doc/features/authentication.en-us.md
Co-Authored-By: guillep2k <18600385+guillep2k@users.noreply.github.com>
* Remove Priority() method and define the order in which SSO auth methods should be executed in one place
* Log authenticated username only if it's not empty
* Rephrase helper text for automatic creation of users
* Return error if more than one active SSPI auth source is found
* Change newUser() function to return error, letting caller log/handle the error
* Move isPublicResource, isPublicPage and handleSignIn functions outside SSPI auth method to allow other SSO methods to reuse them if needed
* Refactor initialization of the list containing SSO auth methods
* Validate SSPI settings on POST
* Change SSPI to only perform authentication on its own login page, API paths and download links. Leave Toggle middleware to redirect non authenticated users to login page
* Make 'Default language' in SSPI config empty, unless changed by admin
* Show error if admin tries to add a second authentication source of type SSPI
* Simplify declaration of global variable
* Rebuild gitgraph.js on Linux
* Make sure config values containing only whitespace are not accepted
Diffstat (limited to 'docs')
| -rw-r--r-- | docs/content/doc/features/authentication.en-us.md | 39 |
1 files changed, 39 insertions, 0 deletions
diff --git a/docs/content/doc/features/authentication.en-us.md b/docs/content/doc/features/authentication.en-us.md index afa9219676..be2e32db63 100644 --- a/docs/content/doc/features/authentication.en-us.md +++ b/docs/content/doc/features/authentication.en-us.md @@ -216,3 +216,42 @@ configure this, set the fields below: - Log in to Gitea as an Administrator and click on "Authentication" under Admin Panel. Then click `Add New Source` and fill in the details, changing all where appropriate. + +## SPNEGO with SSPI (Kerberos/NTLM, for Windows only) + +Gitea supports SPNEGO single sign-on authentication (the scheme defined by RFC4559) for the web part of the server via the Security Support Provider Interface (SSPI) built in Windows. SSPI works only in Windows environments - when both the server and the clients are running Windows. + +Before activating SSPI single sign-on authentication (SSO) you have to prepare your environment: + +- Create a separate user account in active directory, under which the `gitea.exe` process will be running (eg. `user` under domain `domain.local`): + +- Create a service principal name for the host where `gitea.exe` is running with class `HTTP`: + - Start `Command Prompt` or `PowerShell` as a priviledged domain user (eg. Domain Administrator) + - Run the command below, replacing `host.domain.local` with the fully qualified domain name (FQDN) of the server where the web application will be running, and `domain\user` with the name of the account created in the previous step: + ``` + setspn -A HTTP/host.domain.local domain\user + ``` + +- Sign in (*sign out if you were already signed in*) with the user created + +- Make sure that `ROOT_URL` in the `[server]` section of `custom/conf/app.ini` is the fully qualified domain name of the server where the web application will be running - the same you used when creating the service principal name (eg. `host.domain.local`) + +- Start the web server (`gitea.exe web`) + +- Enable SSPI authentication by adding an `SPNEGO with SSPI` authentication source in `Site Administration -> Authentication Sources` + +- Sign in to a client computer in the same domain with any domain user (client computer, different from the server running `gitea.exe`) + +- If you are using Chrome, Edge or Internet Explorer, add the URL of the web app to the Local intranet sites (`Internet Options -> Security -> Local intranet -> Sites`) + +- Start Chrome, Edge or Internet Explorer and navigate to the FQDN URL of gitea (eg. `http://host.domain.local:3000`) + +- Click the `Sign In` button on the dashboard and choose SSPI to be automatically logged in with the same user that is currently logged on to the computer + +- If it does not work, make sure that: + - You are not running the web browser on the same server where gitea is running. You should be running the web browser on a domain joined computer (client) that is different from the server. If both the client and server are runnning on the same computer NTLM will be prefered over Kerberos. + - There is only one `HTTP/...` SPN for the host + - The SPN contains only the hostname, without the port + - You have added the URL of the web app to the `Local intranet zone` + - The clocks of the server and client should not differ with more than 5 minutes (depends on group policy) + - `Integrated Windows Authentication` should be enabled in Internet Explorer (under `Advanced settings`) |