All Opmantek application releases since late 2015 have included a simple form of cross-server Single-Sign-On (which is not enabled by default). This page describes the configuration and operational characteristics of this SSO setup.
"auth_sso_domain" in /usr/local/omk/install/opCommon.nmis; omkd_secrets config properties.
omkd_secrets to the same value on all your nodes. For maximum security we recommend that you configure a single application secret only.
To enable SSO you need to edit the configuration file /usr/local/omk/conf/opCommon.nmis, set the 'omkd_secrets' to your shared secret, and set the 'auth_sso_domain' property to your desired DNS domain with an extra leading ".", like in the example below:
```perl
%hash = (
  'authentication' => {
    # ...other stuff
    'auth_sso_domain' => '.opmantek.com',
  },
  # ...lots of other stuff
  'omkd' => {
    'omkd_secrets' => [
      'theseareNOTthesecretsyourelookingfor',
    ],
  },
);
```
The configuration in this example instructs the authentication code component to generate an authentication/session cookie that is sharable among all nodes in or under opmantek.com: the SSO domain property instructs the browser to submit this cookie when accessing a node within the domain, and the application secret ensures that all nodes can decode the cookie.
After setting this up you need to restart the Opmantek Daemon with sudo service omkd restart. Under certain circumstances it may also be necessary to delete all your browser cookies when switching from per-node sign-on to SSO.
Please note:
test.mydomain.id.au would work for nodes a.test.mydomain.id.au, an.other.test.mydomain.id.au and so on.
.com or .au will not work.
log/auth.log.
Check how SSO is currently configured.
```bash
/usr/local/nmis9/admin/patch_config.pl -r /usr/local/nmis9/conf/Config.nmis auth_cookie_flavour
/usr/local/nmis9/admin/patch_config.pl -r /usr/local/nmis9/conf/Config.nmis auth_sso_domain
/usr/local/nmis9/admin/patch_config.pl -r /usr/local/nmis9/conf/Config.nmis auth_web_key
/usr/local/nmis9/admin/patch_config.pl -r /usr/local/omk/conf/opCommon.json auth_sso_domain
/usr/local/nmis9/admin/patch_config.pl -r /usr/local/omk/conf/opCommon.json omkd_secrets
```
The NMIS auth_cookie_flavour should be "omk", the auth_sso_domain values should match, and the auth_web_key should match omkd_secrets (which can hold several secrets; one of them should match).
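The rules on this page (leading ".", no bare top-level domain, "omk" cookie flavour, matching domain and keys, one secret known to every node) can be checked over values collected from all nodes. The following is an added example, not Opmantek code; the dictionary layout, hostnames and secrets are constructed, and it assumes the values were already read out of Config.nmis and opCommon.json.

```python
# Added example (not Opmantek code); all names and values below are constructed.
NODES = {
    "a.test.example.net": {
        "nmis": {"auth_cookie_flavour": "omk", "auth_sso_domain": ".test.example.net",
                 "auth_web_key": "constructed-secret-1"},
        "omk": {"auth_sso_domain": ".test.example.net",
                "omkd_secrets": ["constructed-secret-1"]},
    },
    "b.test.example.net": {
        "nmis": {"auth_cookie_flavour": "nmis", "auth_sso_domain": ".test.example.net",
                 "auth_web_key": "constructed-old-key"},
        "omk": {"auth_sso_domain": ".test.example.net",
                "omkd_secrets": ["constructed-secret-1", "constructed-secret-2"]},
    },
}

def check_node(host, cfg):
    """Return SSO misconfiguration findings for one node (empty list = OK)."""
    nmis, omk = cfg["nmis"], cfg["omk"]
    dom = omk.get("auth_sso_domain", "")
    secrets = omk.get("omkd_secrets", [])
    out = []
    if not dom.startswith("."):
        out.append("auth_sso_domain lacks the leading '.'")
    if "." not in dom.strip("."):
        out.append("auth_sso_domain is a bare top-level domain such as .com or .au")
    if not dom or not host.lower().endswith(dom.lower()):
        out.append("node hostname is not under auth_sso_domain")
    if nmis.get("auth_cookie_flavour") != "omk":
        out.append("NMIS auth_cookie_flavour is not 'omk'")
    if nmis.get("auth_sso_domain") != dom:
        out.append("NMIS and OMK auth_sso_domain differ")
    if nmis.get("auth_web_key") not in secrets:
        out.append("NMIS auth_web_key matches none of omkd_secrets")
    if len(secrets) > 1:
        out.append("several omkd_secrets set; a single secret is recommended")
    return out  # findings never include the secret values themselves

def check_cluster(nodes):
    """Map node name (or '<cluster>') to findings; clean nodes are omitted."""
    report = {host: check_node(host, cfg) for host, cfg in nodes.items()}
    shared = set.intersection(*(set(c["omk"].get("omkd_secrets", [])) for c in nodes.values()))
    if not shared:  # every node must hold the secret that protects the cookie
        report["<cluster>"] = ["no omkd_secrets value is shared by all nodes"]
    return {name: found for name, found in report.items() if found}

if __name__ == "__main__":
    for name, found in check_cluster(NODES).items():
        print(name, *found, sep="\n  ")
```

The single-label test only catches domains like .com or .au; multi-label public suffixes are not detected by this sketch.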
A quick way to configure SSO on a server: run this on all the servers in your cluster and you will get SSO working quickly.
```bash
# Some handy environment variables.
SHARED_KEY=MySecretKeyIMustCreate
# the domain must include a leading "." (period), so if domain is opmantek.net, then .opmantek.net
SSO_DOMAIN=.opmantek.net

# Back up both configuration files before patching them.
cp /usr/local/nmis9/conf/Config.nmis /usr/local/nmis9/conf/Config.nmis.backup1
cp /usr/local/omk/conf/opCommon.json /usr/local/omk/conf/opCommon.json.backup1

# NMIS side: cookie flavour, SSO domain and shared key.
/usr/local/nmis9/admin/patch_config.pl /usr/local/nmis9/conf/Config.nmis "/authentication/auth_cookie_flavour=omk"
/usr/local/nmis9/admin/patch_config.pl /usr/local/nmis9/conf/Config.nmis "/authentication/auth_sso_domain=$SSO_DOMAIN"
/usr/local/nmis9/admin/patch_config.pl /usr/local/nmis9/conf/Config.nmis "/authentication/auth_web_key=$SHARED_KEY"

# OMK side: same SSO domain and shared key (quoted so the shell does not treat [0] as a glob pattern).
/usr/local/nmis9/admin/patch_config.pl /usr/local/omk/conf/opCommon.json "/authentication/auth_sso_domain=$SSO_DOMAIN"
/usr/local/nmis9/admin/patch_config.pl /usr/local/omk/conf/opCommon.json "/omkd/omkd_secrets[0]=$SHARED_KEY"
```