
Cosign SPNEGO

Informatics has added SPNEGO support to web servers which use the Cosign service. This means that Informatics users with a compatible browser (currently Firefox and Chrome on all platforms, and Safari on macOS to a limited degree (†)) can authenticate to such web services with their existing Kerberos credentials, without being prompted for a username and password.

(† Safari does support SPNEGO, but unfortunately doesn't support ticket delegation, so it doesn't yet provide a complete solution: some Informatics websites require ticket delegation in order to function correctly. See the Safari section for details of a workaround.)

On DICE, Firefox has been configured system-wide to enable SPNEGO when connecting to Informatics websites. For DICE users, SPNEGO 'just works'. However, if you are using a self-managed machine, you will need to make the corresponding configuration changes yourself in order to enable SPNEGO. These are explained below.

Note that, before being able to take advantage of the SPNEGO single-sign-on functionality, you will need to configure and use Kerberos on your self-managed machine.

Firefox configuration

For Firefox to use SPNEGO automatically, two configuration attributes need to be set (three for Windows users). Type about:config into the Firefox URL bar, then type "nego" in the "Filter" field to reduce the number of options shown, and set the following attributes:

network.negotiate-auth.delegation-uris  https://weblogin.inf.ed.ac.uk
network.negotiate-auth.trusted-uris     https://weblogin.inf.ed.ac.uk

These two attributes 'whitelist' the server https://weblogin.inf.ed.ac.uk. trusted-uris lists the sites to which Firefox is willing to send a Kerberos (Negotiate) token at all, and with which it attempts mutual authentication; delegation-uris lists the sites to which Firefox will additionally forward (delegate) your Kerberos credentials once they have authenticated. Delegation hands the server a usable copy of your ticket-granting ticket, so keep that list to the hosts that actually need it (the Cosign weblogin server does, which is why some Informatics sites do not work from Safari).

Note: there is no trailing slash on the URIs. Multiple URIs should be separated with commas.
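The following is an added example (not part of this page or of the DICE configuration) that checks a pair of trusted-uris / delegation-uris values against the rules above before you paste them into about:config: https scheme, no trailing slash or path, comma separation, and no host delegated to that is not also trusted. It also warns about bare domain entries, on the assumption (mine, not stated on this page) that Firefox treats a scheme-less entry as a domain suffix, which matches every host under it.

```python
# Added example: sanity-check Firefox network.negotiate-auth.* values.
# Not from the Informatics page; the sample values at the bottom are constructed.
import re
from urllib.parse import urlsplit

HOST_RE = re.compile(r"^[A-Za-z0-9]([A-Za-z0-9.-]*[A-Za-z0-9])?$")


def parse_uri_list(value):
    """Split a pref value the way the page describes it: comma separated."""
    return [item.strip() for item in value.split(",") if item.strip()]


def check_entry(entry):
    """Return a list of problems with one trusted-uris / delegation-uris entry."""
    problems = []
    if "://" in entry:
        parts = urlsplit(entry)
        if parts.scheme != "https":
            problems.append(f"{entry}: use https:// so the Kerberos token only travels over TLS")
        if parts.path or parts.query or parts.fragment:
            problems.append(f"{entry}: no trailing slash or path, the entry must end at the host")
        host = parts.hostname or ""
    else:
        # Assumption: a bare domain is matched as a suffix by Firefox, so it is
        # broader than the single https://host form used on the page.
        host = entry.lstrip(".")
        problems.append(f"{entry}: bare domain matches every host under it; prefer https://{host}")
    if not HOST_RE.match(host):
        problems.append(f"{entry}: '{host}' is not a valid hostname")
    elif "." not in host:
        problems.append(f"{entry}: single-label names are ambiguous, use the fully qualified name")
    return problems


def check_negotiate_config(trusted_value, delegation_value):
    """Check both prefs together; returns a list of findings (empty means OK)."""
    trusted = parse_uri_list(trusted_value)
    delegated = parse_uri_list(delegation_value)
    findings = []
    for entry in trusted + delegated:
        findings.extend(check_entry(entry))
    # Delegation forwards a copy of your Kerberos credentials to the server, so
    # this list should be as short as possible; and Firefox only negotiates with
    # hosts in trusted-uris, so a host that is only in delegation-uris is a mistake.
    for entry in delegated:
        if entry not in trusted:
            findings.append(f"{entry}: listed in delegation-uris but not in trusted-uris")
    return findings


if __name__ == "__main__":
    # Constructed bad values: trailing slash, http scheme, delegation without trust.
    for finding in check_negotiate_config(
        "https://weblogin.inf.ed.ac.uk/",
        "https://weblogin.inf.ed.ac.uk/, http://other.example",
    ):
        print(finding)
```

Run it with the values you intend to use; the page's own pair (https://weblogin.inf.ed.ac.uk in both prefs) produces no findings.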

Firefox on Windows

For Windows users (only), type "sspi" in the "Filter" field and set the following attribute, so that Firefox uses the GSSAPI Kerberos library set up in the Kerberos step above rather than the Windows SSPI:

network.auth.use-sspi false

Google Chrome

Google Chrome can also use SPNEGO automatically if it is started with arguments like this (recent Chrome versions have renamed these flags to --auth-server-allowlist and --auth-negotiate-delegate-allowlist, and the corresponding policies to AuthServerAllowlist and AuthNegotiateDelegateAllowlist; use whichever spelling your version accepts):

/path/to/chrome --auth-server-whitelist="weblogin.inf.ed.ac.uk"
  --auth-negotiate-delegate-whitelist="weblogin.inf.ed.ac.uk"

For Linux you can set an alias for chrome in your shell (e.g. bash) so that it is always launched with these arguments. Alternatively, if you have root access, you can create a JSON file in the directory /etc/opt/chrome/policies/managed (e.g. informatics-cosign.json) which adds SPNEGO support for the Informatics Cosign service as managed policy, so it applies however Chrome is launched. The file must be strict JSON (no comments, no trailing comma after the last entry):

{
    "AuthServerWhitelist": "weblogin.inf.ed.ac.uk",
    "AuthNegotiateDelegateWhitelist": "weblogin.inf.ed.ac.uk"
}

On Windows you can create a shortcut that launches Chrome with the arguments above, and use this shortcut to start the browser. Links opened from other applications only get SPNEGO if a Chrome window started from this shortcut is already open; otherwise Chrome is launched without the arguments.

On a Mac you can set these as user defaults with the following commands:

defaults write com.google.Chrome AuthServerWhitelist weblogin.inf.ed.ac.uk
defaults write com.google.Chrome AuthNegotiateDelegateWhitelist weblogin.inf.ed.ac.uk


Safari (on Mac) configuration

Remember that Safari doesn't support ticket delegation, so it will not work on certain Informatics websites. For this reason SPNEGO is not normally enabled on Safari. However, if you've enabled Kerberos on your Mac and would like to avoid typing your password into weblogin, you can work around this by changing your user agent, since weblogin only offers SPNEGO to browsers it recognises as supporting it. For this you'll need to enable the Develop menu:

  1. In Safari, open the Preferences dialog (in the "Safari → Preferences" menu)
  2. Select the "Advanced" tab from the dialog
  3. Check the box marked, "Show Develop menu in menu bar".

Having done this, if you have a valid Kerberos ticket, each time you're presented with the weblogin login page you simply need to select the user-agent of a compatible browser from the Develop menu, for example:

    "Develop → User Agent → Firefox — Mac".

Selecting this will automatically refresh the page and log you in. It's a good idea to return this value to "Default (automatically chosen)" once you're done.

Other Browsers / Scripts

DICE provides an experimental, locally-maintained Python library, cosignego, and its user-facing tools authGET and authHTTP, for use in scripting. These work similarly to curl but retrieve Cosign-protected pages from scripts transparently, using your Kerberos ticket and SPNEGO authentication so that you do not have to re-enter credentials.

Information on its availability and use is given on the CosigNego wiki page. We would be happy to assist with and discuss its use, but please note that this is not a fully-supported service.
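To show what a script such as authGET has to do on the wire, here is an added example (not the cosignego library, and not code from this page) of the HTTP Negotiate round trip from RFC 4559: request, 401 with WWW-Authenticate: Negotiate, retry with an Authorization: Negotiate token, then verify the token the server returns so that the client only trusts a page from a server that proved its identity (the mutual authentication the Firefox settings above enable). The server and the GSS context are in-memory stand-ins with constructed tokens so it runs without a KDC; the stand-in keeps the step()/complete interface of python-gssapi's SecurityContext, which is what you would substitute (with the mutual_authentication and, for Cosign, delegate_to_peer requirement flags) to talk to the real weblogin.inf.ed.ac.uk.

```python
# Added example: HTTP Negotiate (SPNEGO) client logic with mutual-auth check.
# FakeInitiator and FakeCosignServer are constructed stand-ins, not real Kerberos.
import base64
import re

# Matches the Negotiate scheme in a WWW-Authenticate header that may list several
# schemes, e.g. 'Negotiate, Basic realm="Cosign"' or 'Negotiate <base64 token>'.
NEGOTIATE_RE = re.compile(r"(?:^|,\s*)Negotiate(?:\s+([A-Za-z0-9+/=]+))?(?=\s*(?:,|$))")


class MutualAuthError(Exception):
    """The server never proved its identity back to us; do not trust the page."""


def negotiate_challenge(headers):
    """Return (negotiate_offered, server_token_or_None) for a response."""
    m = NEGOTIATE_RE.search(headers.get("WWW-Authenticate", ""))
    if not m:
        return False, None
    return True, (base64.b64decode(m.group(1)) if m.group(1) else None)


class FakeInitiator:
    """Stand-in for gssapi.SecurityContext(usage='initiate'): constructed tokens."""

    def __init__(self, service, delegate):
        self.service, self.delegate, self.complete = service, delegate, False

    def step(self, in_token):
        if in_token is None:  # first leg: the AP-REQ; the delegation flag rides inside it
            return b"AP-REQ:" + self.service.encode() + (b":deleg" if self.delegate else b"")
        if in_token != b"AP-REP:" + self.service.encode():  # mutual-auth leg
            raise MutualAuthError("server token did not verify")
        self.complete = True
        return None


class FakeCosignServer:
    """Stand-in for a Cosign-protected page: 401 until a token for its host arrives."""

    def __init__(self, host, reply_with_token=True):
        self.host, self.reply_with_token, self.requests = host, reply_with_token, 0

    def get(self, url, headers):
        self.requests += 1
        auth = headers.get("Authorization", "")
        if not auth.startswith("Negotiate "):
            return 401, {"WWW-Authenticate": 'Negotiate, Basic realm="Cosign"'}, b""
        token = base64.b64decode(auth.split(" ", 1)[1])
        if not token.startswith(b"AP-REQ:HTTP@" + self.host.encode()):
            return 401, {"WWW-Authenticate": "Negotiate"}, b""
        reply = {}
        if self.reply_with_token:  # an honest server answers with its AP-REP
            proof = base64.b64encode(b"AP-REP:HTTP@" + self.host.encode()).decode()
            reply["WWW-Authenticate"] = "Negotiate " + proof
        return 200, reply, b"protected page"


def spnego_get(transport, host, url, initiator_factory, delegate=False,
               require_mutual=True, max_legs=3):
    """Fetch url, authenticating with Negotiate if challenged. Returns (status, body)."""
    status, headers, body = transport.get(url, {})
    offered, in_token = negotiate_challenge(headers)
    if status != 401 or not offered:
        return status, body  # not Negotiate-protected, nothing to do
    ctx = initiator_factory("HTTP@" + host, delegate)  # service principal HTTP/host
    for _ in range(max_legs):
        out_token = ctx.step(in_token)
        if out_token is None:
            raise PermissionError("context finished but the server is still challenging")
        status, headers, body = transport.get(
            url, {"Authorization": "Negotiate " + base64.b64encode(out_token).decode()})
        offered, in_token = negotiate_challenge(headers)
        if status != 401:
            break
        if in_token is None:
            raise PermissionError("server rejected the Negotiate token")
    else:
        raise PermissionError("too many Negotiate legs")
    if require_mutual:
        # Anyone who can answer a 401 could have sent this 200; only a holder of the
        # service key can produce a token our context accepts, so check it before
        # trusting the body.
        if in_token is None:
            raise MutualAuthError("no server token in the final response")
        ctx.step(in_token)
        if not ctx.complete:
            raise MutualAuthError("security context not established")
    return status, body


if __name__ == "__main__":
    server = FakeCosignServer("weblogin.inf.ed.ac.uk")
    print(spnego_get(server, "weblogin.inf.ed.ac.uk", "https://weblogin.inf.ed.ac.uk/",
                     FakeInitiator, delegate=True))
```

The delegate flag is the script-side equivalent of Firefox's delegation-uris and Chrome's delegate allowlist: it is what makes the first token carry forwardable credentials, so set it only for the Cosign host. The two failure paths are the ones worth testing against a real deployment too: a 200 without a server token, and a server token that does not verify, both of which must be treated as authentication failures rather than success.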

Last reviewed: 07/02/2024
