The Shibboleth IdP V4 software has reached its End of Life and is no longer supported. This documentation is available for historical purposes only. See the IDP5 wiki space for current documentation on the supported version.
Single sign-on Browser configuration
Configure your browser to authenticate using the "system logon credentials" (Kerberos authentication mechanism):
Mozilla Firefox
To access the Firefox settings, enter about:config into the Address bar and press [Enter]. This will bring up a long list of customizable preferences for the current installation of the browser.
You need to add the FQDN (fully qualified domain name) of the IdP Server into the list of trusted URIs:
network.negotiate-auth.trusted-uris - FQDN of the IdP Server.
In the "Login page" can you find the right FQDN:
Firefox - Advanced configuration
Attention: These options are for "advanced" users only!
If your OS do not have a GSSAPI integrated (like some Linux distributions). You can specify which external library you desire with:
network.negotiate-auth.gsslib - (default: empty) - Specifies a alternate GSSAPI shared library.
network.negotiate-auth.using-native-gsslib - Inform if the "native" (true) or the external (false) GSSAPI library will be used.
For example:
Here are other settings concerning negotiate/authentication:
network.negotiate-auth.delegation-uris (default: empty) - For which FQDN credential delegation will be allowed (trusted).
network.negotiate-auth.allow-proxies (default: true) - Enables proxy authentication using the negotiate method.
network.auth.use-sspi (only on Windows, default: true) - Whether to use Microsoft's SSPI library, if disabled use GSSAPI
DEBUG: To start the firefox with more debug information, you can use a script like this:
#!/bin/bash
export NSPR_LOG_MODULES=negotiateauth:5
export NSPR_LOG_FILE=/var/log/firefox.log
firefox
Internet Explorer and Edge
These browsers must be configured to enable single sign-on (SSO) support. SSO only works using trusted URL's.
Open the Internet Options in the Control Panel. Alternatively, start Internet Explorer and choose Internet Options in the Tools menu.
Select the Security tab, select the Local intranet and press the Sites button.
We need to add the FQDN of the IdP Server to the trusted list.
Press the Advanced button.
This opens a dialog where the FQDN of IdP Server can be added
In the "Login page" can you find the right FQDN. Wildcards are also supported e.g. *.host_b.com:
configure the automatic authentication handling in the browser. Go back to the Security tab and select the Custom Level.
Scroll down to the bottom in the settings and make sure that Logon is set to Automatic only in intranet zone.
If the browse is the Internet Explorer version 6 or later we must manually enable the SPNEGO SSO.
Select the Advanced tab, scroll down to the Security section.
Now the browser should be setup correctly.
Chrome
Windows
For Chrome on Windows, follow the instructions for Internet Explorer and Edge. Chrome on Windows uses the global Internet Options settings.
Linux and Mac
To config chrome you need to start the application the following parameter:
auth-server-whitelist - Allowed FQDN - Set the FQDN of the IdP Server. Example:
chrome --auth-server-whitelist="*aai-logon.domain-a.com"
In the "Login page" can you find the right FQDN:
Safari
No additional configuration is needed
Opera
Opera may not support Kerberos authentication. (We don't know.)