Red Hat SummitEste conteúdo não está disponível no idioma selecionado.
Chapter 13. Configuring applications for a single sign-on
Single sign-on (SSO) simplifies authentication by allowing users to access multiple systems via a single login procedure. Configure applications like browsers and email clients to accept Kerberos tickets, SSL certificates, or tokens as valid credentials.
The configuration of different applications may vary. This chapter shows how to configure SSO authentication schema for the Mozilla Thunderbird email client and Mozilla Firefox web browser as the examples.
13.1. Prerequisites
Verify that the target system hosts the required versions of Mozilla Firefox and Mozilla Thunderbird before attempting configuration. Ensure these applications are installed and accessible to the user. Mozilla Firefox version 88 Mozilla Thunderbird version 78
13.2. Configuring Firefox to use Kerberos for single sign-on
Configure Firefox to negotiate Kerberos authentication with intranet sites. Adding specific domains to the trusted URI list in the configuration settings permits the browser to pass existing Kerberos credentials to the Key Distribution Center (KDC) automatically.
Even after configuring Firefox to pass Kerberos credentials, you still need a valid Kerberos ticket. To generate a Kerberos ticket, use the kinit command and supply the user password for the user on the KDC.
[jsmith@host ~] $ kinitPassword for jsmith@EXAMPLE.COM:Procedure
-
In the address bar of Firefox, type
about:configto display the list of current configuration options. -
In the Filter field, type
negotiateto restrict the list of options. - Double-click the network.negotiate-auth.trusted-uris entry.
Enter the name of the domain against which to authenticate, including the preceding period (.). If you want to add multiple domains, enter them in a comma separated list.
Manual Firefox Configuration
13.3. Viewing certificates in Firefox
By inspecting the Certificate Manager, users can verify currently installed authorities and personal credentials. This audit ensures the browser possesses the necessary trust anchors for secure connections.
You can view stored certificates in Mozilla Firefox to verify authentication settings.
Procedure
In Mozilla Firefox, open the Firefox menu and select Preferences.
In the left panel, select the Privacy & Security section.
- Scroll down to the Certificates section.
Click View Certificates to open the Certificate Manager.
13.4. Importing CA certificates in Firefox
Importing a Certificate Authority (CA) certificate establishes trust with external servers. Adding the CA file to the browser’s store enables secure, encrypted connections to websites and applications issued by that authority.
Prerequisites
- You have a CA certificate on your device.
Procedure
- Open Certificate Manager.
Select the Authorities tab and click Import.
Figure 13.1. Importing the CA Certificate in Firefox
- Select the downloaded CA certificate from your device.
13.5. Editing certificate trust settings in Firefox
Modify trust settings to define how the browser interacts with specific certificates. Adjusting these permissions determines if the browser validates the certificate for identifying websites or email users.
Prerequisites
- You have successfully imported a certificate.
Procedure
- Open Certificate Manager.
- Under the Authorities tab, select the appropriate certificate and click Edit Trust.
Edit the certificate trust settings.
Figure 13.2. Editing the Certificate Trust Settings in Firefox
13.6. Importing personal certificate for authentication in Firefox
Personal certificates identify the user to remote web services. Importing these files into the browser enables client-side authentication, allowing access to secure sites that require identity verification beyond simple passwords.
Prerequisites
- You have a personal certificate stored on your device.
Procedure
- Open Certificate Manager.
Select the Your Certificates tab and click Import.
Figure 13.3. Importing a Personal Certificate for Authentication in Firefox
- Import the appropriate certificate from your computer.
13.7. Viewing certificates in Thunderbird
By accessing the Certificate Manager in Thunderbird, users can audit stored security credentials. Reviewing these files ensures the email client contains the correct authorities and personal keys for encrypted communication.
Procedure
In Thunderbird, open the main menu and select Preferences.
Figure 13.4. Selecting Preferences from menu
In the left panel, select the Privacy & Security section.
Figure 13.5. Selecting security section
- Scroll down to the Certificates section.
Click Manage Certificates to open the Certificate Manager.
Figure 13.6. Opening Certificate Manager
13.8. Importing certificates in Thunderbird
Importing Certificate Authority (CA) files enables the email client to validate secure connections. Adding these authorities ensures Thunderbird trusts the SSL/TLS certificates presented by mail servers during data exchange.
Prerequisites
- You have a CA certificate stored on your device.
Procedure
- Open Certificate Manager.
Select the Authorities tab and click Import.
Figure 13.7. Importing the CA certificate in Thunderbird
- Select the downloaded CA certificate.
13.9. Editing certificate trust settings in Thunderbird
Modifying trust attributes controls how Thunderbird validates certificates for specific operations. Adjust these settings to explicitly authorize authorities for identifying mail servers or signing email messages.
Prerequisites
- You have successfully imported a certificate.
Procedure
- Open Certificate Manager.
- Under the Authorities tab, select the appropriate certificate and click Edit Trust.
Edit the certificate trust settings.
Figure 13.8. Editing the certificate trust settings in Thunderbird
13.10. Importing personal certificate in Thunderbird
Personal certificates enable S/MIME functionality for signing and encrypting emails. Importing these keys into the personal store allows the client to prove the sender’s identity and decrypt incoming secure messages.
Prerequisites
- You have a personal certificate stored on your device.
Procedure
- Open Certificate Manager.
Under the Your Certificates tab, click Import.
Figure 13.9. Importing a personal certificate for authentication in Thunderbird
- Import the required certificate from your computer.
- Close the Certificate Manager.
Open the main menu and select Account Settings.
Figure 13.10. Selecting Account Settings from menu
Select End-To-End Encryption in the left panel under your account email address.
Selecting End-To-End Encryption section.
- Under S/MIME section, click the first Select button to choose your personal certificate to use for signing messages.
Under S/MIME section, click the second Select button to choose your personal certificate for encrypting and decrypting messages.
Choosing certificate for signing and encryption/decryption.
NoteIf you forgot to import valid certificate, you can open Certificate Manager directly using the Manage S/MIME certificate option.
'%20d='M201.5%20305.5c-13.8%200-24.9-11.1-24.9-24.6%200-13.8%2011.1-24.9%2024.9-24.9%2013.6%200%2024.6%2011.1%2024.6%2024.9%200%2013.6-11.1%2024.6-24.6%2024.6zM504%20256c0%20137-111%20248-248%20248S8%20393%208%20256%20119%208%20256%208s248%20111%20248%20248zm-132.3-41.2c-9.4%200-17.7%203.9-23.8%2010-22.4-15.5-52.6-25.5-86.1-26.6l17.4-78.3%2055.4%2012.5c0%2013.6%2011.1%2024.6%2024.6%2024.6%2013.8%200%2024.9-11.3%2024.9-24.9s-11.1-24.9-24.9-24.9c-9.7%200-18%205.8-22.1%2013.8l-61.2-13.6c-3-.8-6.1%201.4-6.9%204.4l-19.1%2086.4c-33.2%201.4-63.1%2011.3-85.5%2026.8-6.1-6.4-14.7-10.2-24.1-10.2-34.9%200-46.3%2046.9-14.4%2062.8-1.1%205-1.7%2010.2-1.7%2015.5%200%2052.6%2059.2%2095.2%20132%2095.2%2073.1%200%20132.3-42.6%20132.3-95.2%200-5.3-.6-10.8-1.9-15.8%2031.3-16%2019.8-62.5-14.9-62.5zM302.8%20331c-18.2%2018.2-76.1%2017.9-93.6%200-2.2-2.2-6.1-2.2-8.3%200-2.5%202.5-2.5%206.4%200%208.6%2022.8%2022.8%2087.3%2022.8%20110.2%200%202.5-2.2%202.5-6.1%200-8.6-2.2-2.2-6.1-2.2-8.3%200zm7.7-75c-13.6%200-24.6%2011.1-24.6%2024.9%200%2013.6%2011.1%2024.6%2024.6%2024.6%2013.8%200%2024.9-11.1%2024.9-24.6%200-13.8-11-24.9-24.9-24.9z'/%3e%3c/svg%3e){kind=small}