IGEL OS – explicit and smart card SSO to Azure AD from local domain login? ✅

By Fredrik Brattstig @vitrualbrat

29 December 2021

If you are familiar with IGEL OS in Microsoft Active Directory environments, you are probably aware that it is possible to configure IGEL OS to log in to Active Directory before giving the user the local desktop. Eventually your users are going to start asking you why they need to log in using domain credentials (or a smart card), and then log in again to open Office web applications etc.

I will tell you how to configure IGEL OS and a Firefox session for Single Sign-On (SSO) against Azure AD resources using Kerberos tickets, but before we look at that, let's look at what I have:

A simplified overview of my setup: the top left piece is a virtual network (172.16.1.0) in Azure, where I have a Windows Server 2019 hosting my on-premises Active Directory. This server also has Azure AD Connect installed, among other things, to allow for managing the AD <-> Azure AD configuration.
Top right is the virtual network (10.0.0.0) where I have Azure AD configured.
Those two networks are reachable from my home office (172.16.200.0) over a VPN connection.

The VPN connection gives my IGEL OS endpoints line-of-sight connectivity, which is what matters here. From my home office I also have an internet connection (@).

I have configured the IGEL OS endpoint to authenticate users against Active Directory before they get access to the IGEL OS desktop. With this login, the IGEL OS endpoint obtains a Kerberos Ticket Granting Ticket (TGT) on a successful user login. This TGT can then be used to retrieve SSO tickets for other services. I will not cover the AD and Azure AD configuration here; I will focus on what is needed on the IGEL OS endpoint once the back end is set up to support the wanted flow. The flow I want to achieve is:

User logs in to IGEL OS using AD credentials -> uses Firefox to access SaaS services (web applications such as Microsoft Office 365) without having to enter Azure AD credentials.

This concept could probably be applied to any Identity Provider (IdP), not only Azure AD.

First you need to configure your IGEL OS endpoint to log in to Active Directory; this is described in the IGEL KB article: https://kb.igel.com/igelos-11.06.210/en/active-directory-kerberos-54082844.html

Second, you need to allow the IGEL OS Firefox session to use the Kerberos ticket for SSO against Azure AD. This is done under Sessions->Firefox Browser->Firefox Browser Global->Advanced->Custom Preferences: add a new item and configure it as follows:

Active: Yes
Mode: pref
Custom Preference: network.negotiate-auth.trusted-uris
Type: String
Value: https://autologon.microsoftazuread-sso.com
Add the SSO URI to Custom Preferences

You also need to specify a URL that retrieves the SSO ticket automatically. I set the start page to https://myapps.microsoft.com/virtualbrat.com (you should of course put your own domain after the last /, as there is no point in trying to get SSO tickets from my domain 😀).

Firefox Start page set to https://myapps.microsoft.com/virtualbrat.com
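The trusted-uris value above is an allow-list: Firefox will offer the user's Kerberos ticket to every host that matches an entry, so it should contain exactly the Azure AD seamless SSO host and nothing broader. As an added check (example code, not from this post or from IGEL), here is a small Python audit of a Firefox prefs.js/user.js file; the sample pref lines are constructed, and the rule that a scheme-less entry matches as a host suffix is my reading of Firefox's matching, stated as an assumption in the code.

```python
"""Audit the Firefox Negotiate (Kerberos/SPNEGO) allow-list that IGEL OS custom
preferences write into prefs.js/user.js. Added example, not IGEL's or the author's code."""
import re

# user_pref("name", "value"); is the string-pref form Firefox uses in prefs.js/user.js
PREF_RE = re.compile(r'user_pref\("([^"]+)",\s*"([^"]*)"\);')

# The only host this flow needs Firefox to present a Kerberos ticket to.
EXPECTED = {"https://autologon.microsoftazuread-sso.com"}

def parse_prefs(text):
    """Return {pref_name: value} for every string pref in the file."""
    return dict(PREF_RE.findall(text))

def split_uris(prefs, name):
    """Firefox stores these prefs as a comma-separated list of URI prefixes."""
    return [u.strip() for u in prefs.get(name, "").split(",") if u.strip()]

def audit(text):
    """Return findings; an empty list means the file matches the post's configuration."""
    prefs = parse_prefs(text)
    findings = []
    trusted = split_uris(prefs, "network.negotiate-auth.trusted-uris")
    if not trusted:
        findings.append("trusted-uris missing: Firefox will never offer the Kerberos ticket, so no SSO")
    for uri in trusted:
        if uri in EXPECTED:
            continue
        if not uri.startswith("https://"):
            # Assumption about Firefox matching: an entry without a scheme is a host-suffix
            # match, so "microsoft.com" would cover every subdomain, over plain HTTP as well.
            findings.append(f"overly broad or non-HTTPS Negotiate target: {uri!r}")
        else:
            findings.append(f"unexpected Negotiate target: {uri!r}")
    # Seamless SSO only needs authentication; Kerberos credential delegation is
    # not required by this flow and should stay unset.
    for uri in split_uris(prefs, "network.negotiate-auth.delegation-uris"):
        findings.append(f"Kerberos delegation enabled for {uri!r}; not needed for this flow")
    return findings

# Constructed sample files, not captured from a real endpoint.
SAMPLE_OK = 'user_pref("network.negotiate-auth.trusted-uris", "https://autologon.microsoftazuread-sso.com");\n'
SAMPLE_BAD = (
    'user_pref("network.negotiate-auth.trusted-uris", "https://autologon.microsoftazuread-sso.com, microsoft.com");\n'
    'user_pref("network.negotiate-auth.delegation-uris", "https://autologon.microsoftazuread-sso.com");\n'
)

if __name__ == "__main__":
    for name, sample in (("ok", SAMPLE_OK), ("bad", SAMPLE_BAD)):
        print(name, audit(sample) or "no findings")
```

On a deployed endpoint, point `audit()` at the user's Firefox profile prefs.js to confirm the IGEL setting landed as intended.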

When you have completed the configuration of the IGEL OS endpoints, it's time for your users to start logging in and enjoying the benefits of SSO to their SaaS applications.
I recorded a video to show how it looks in action. The video is in two parts: the first part shows an AD login using username/password authentication against AD, the second part shows the same thing but using smart card login against AD.

Hope you like the video!

/Fred