Install the Centrify DirectControl agent on the Unix/Linux host. This is a prerequisite for installing Centrify's Apache HTTP SSO module.
Install the Centrify Apache plug-in package.
// With Debian-based distribution
    root@sp007# tar -xzf centrify-apache-4.4.4-deb5-x86_64.tgz
    root@sp007# dpkg -i centrifydc-apache-4.4.4-deb5-x86_64.deb
// With Red Hat-based distribution
    root@sp007# tar -xzf centrify-apache-4.4.4-rhel3-x86_64.tgz
    root@sp007# rpm -Uvh centrifydc-apache-4.4.4-rhel3-x86_64.rpm
Verify Apache's version:
    root@sp007# apache2 -v
    Server version: Apache/2.2.22 (Ubuntu)
    Server built: Mar 8 2013 15:53:14
Confirm whether the Unix/Linux host is running a 32-bit or 64-bit system:
    root@sp007# uname -m
    x86_64
Make sure the path of the Centrify Apache SSO module exists:
    root@sp007# ls -l /usr/share/centrifydc/apache/lib
Two key modules will be installed:
- Active Directory authentication: mod_auth_centrifydc_xx
- AD FS authentication: mod_adfs_centrifydc_xx
Where xx is the Apache version number: 20 (for 2.0), 22 (for 2.2) and 24 (for 2.4).
The sample configuration file is also version-dependent. It has the following format:
    centrifyxx[_64].conf
Where xx indicates the Apache version. If the file name contains _64, it indicates the version to be used on platforms with a 64-bit processor.
Verify that the Apache server supports dynamically loaded objects. Run the command below and check that mod_so.c is listed:
    root@sp007# apache2 -l
    Compiled in modules:
      core.c
      mod_log_config.c
      mod_logio.c
      mod_version.c
      worker.c
      http_core.c
      mod_so.c
Include centrify.conf in /etc/apache2/httpd.conf. If this file does not appear, add it to /etc/apache2/apache2
Edit the Apache server configuration file httpd.conf to include the DirectControl for Web Applications for Apache authentication module and sample applications directives.
This example runs the 64-bit version of Apache 2.2:
    Include /usr/share/centrifydc/apache/samples/conf/centrify22_64.conf
After the configuration, restart Apache:
    root@sp007# /usr/sbin/apachectl restart
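The version, architecture and mod_so.c checks above decide which module names and which sample configuration file apply. As an added example (not Centrify's code), this script derives them from captured command output; the function names and the x86-only architecture mapping are assumptions, and the sample input is copied from the output shown on this page.

```shell
#!/bin/sh
# Added example: derive the page's version-dependent names from command output.
SAMPLES_DIR=/usr/share/centrifydc/apache/samples/conf  # from the Include line on this page

# apache_xx "<apache2 -v output>" -> 20, 22 or 24; non-zero for anything else.
apache_xx() {
    ver=$(printf '%s\n' "$1" |
        sed -n 's|^Server version: Apache/\([0-9]*\)\.\([0-9]*\)\..*|\1\2|p')
    case "$ver" in
        20|22|24) printf '%s\n' "$ver" ;;
        *) return 1 ;;
    esac
}

# arch_suffix "<uname -m output>" -> "_64" or "". Assumption: only x86 names
# are mapped; any other architecture is rejected so it gets checked by hand.
arch_suffix() {
    case "$1" in
        x86_64|amd64) printf '_64\n' ;;
        i?86) printf '\n' ;;
        *) return 1 ;;
    esac
}

# has_mod_so "<apache2 -l output>" -> 0 if mod_so.c is compiled in.
has_mod_so() {
    printf '%s\n' "$1" | grep -Eq '^[[:space:]]*mod_so\.c[[:space:]]*$'
}

# module_names "<apache2 -v output>" -> the two module names for that version.
module_names() {
    xx=$(apache_xx "$1") || return 1
    printf 'mod_auth_centrifydc_%s mod_adfs_centrifydc_%s\n' "$xx" "$xx"
}

# include_line "<-v output>" "<uname -m>" "<-l output>" -> Include directive.
include_line() {
    has_mod_so "$3" || { echo "mod_so.c missing: no dynamic loading" >&2; return 1; }
    xx=$(apache_xx "$1") || { echo "unsupported Apache version" >&2; return 1; }
    sfx=$(arch_suffix "$2") || { echo "unmapped architecture: $2" >&2; return 1; }
    printf 'Include %s/centrify%s%s.conf\n' "$SAMPLES_DIR" "$xx" "$sfx"
}

# Sample input copied from the command output shown on this page.
SAMPLE_V='Server version: Apache/2.2.22 (Ubuntu)'
SAMPLE_L=$(printf 'Compiled in modules:\n  core.c\n  mod_so.c')
include_line "$SAMPLE_V" x86_64 "$SAMPLE_L"
module_names "$SAMPLE_V"
```

On a live host, pass `"$(apache2 -v)"`, `"$(uname -m)"` and `"$(apache2 -l)"` instead of the sample strings, and confirm the resulting file exists before adding the Include line.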
To test single sign-on, silent authentication needs to be enabled in the browser:
Configuring silent authentication in Firefox
Open Firefox.
Navigate to the URL: about:config
Type neg in the Filter field.
Select and right-click to modify: network.negotiate-auth.delegation-uris
Enter a comma-separated list of partner URLs or domain names as string values, then click OK. For example, enter:
    http://test.virtual.local,https://test.virtual.local
Note: For best security, be as restrictive as possible when specifying the list of trusted sites.
Repeat for: network.negotiate-auth.trusted-uris
Configure silent authentication in Internet Explorer
Open Internet Explorer and select Tools > Internet Options
Click the Advanced tab.
Scroll down to the Security settings.
Check the Enable Integrated Windows Authentication box.
Restart IE.
Add the Web Server to the Local Intranet Security Zone
If some users log on to Web applications using a fully-qualified path in the URL, they may need to modify the settings for the Local Intranet Security Zone in their Internet Explorer Web browser to enable silent authentication. To configure the local intranet security zone in Internet Explorer:
Open Internet Explorer and select Tools > Internet Options
Click the Security tab.
Click the Local intranet icon.
Click Sites.
Click Advanced.
Type the URL for the website to be made part of the local intranet, then click Add. Wildcards can also be used in the site address, for example: *://*.virtual.local
Try accessing Centrify's sample pages to verify the setup: http://test.virtual.local/samples