Single Sign-On with Kerberos

With the Kerberos authentication method you only need to authenticate once: when you log in your operating system. The same credentials will be reused across all your Denodo products. In the particular case of the Data Catalog, the browser is responsible for obtaining your credentials from the system and build a Kerberos ticket that will be used to authenticate you in the Data Catalog. The Data Catalog sends that ticket to the Kerberos authentication server, typically an Active Directory, which is the one that validates the ticket.

To configure Kerberos authentication in the Data Catalog you should proceed as follows:

  1. Configure a service account for Virtual DataPort in the Active Directory of your organization.

  2. Configure a service account for Data Catalog in the Active Directory of your organization, in case the Data Catalog and the Virtual DataPort servers are in different machines.

  3. Indicate a Kerberos realm, if it is different from the one from your domain.

  4. Configure the Kerberos authentication in the Virtual DataPort server you use to connect from the Data Catalog.

  5. Configure the Kerberos authentication in the Data Catalog server.

  6. Configure Kerberos on your browser.

Note

Since the Kerberos ticket for authentication is automatically generated by the browser, you should take into account the following considerations:

  • The Service Principal Name that identifies the Data Catalog should use HTTP as the service class. For example, HTTP/denodo-prod.subnet.acme.com@ACME.COM.

  • To access the Data Catalog, you should use the Fully Qualified Domain Name of the host, as it is defined in the Service Principal Name. For example, if the Service Principal Name of the Data Catalog is HTTP/denodo-prod.subnet.acme.com@ACME.COM, you should access the Data Catalog through the URL http://denodo-prod.subnet.acme.com:9090/denodo-data-catalog.

If there are several Virtual DataPort servers registered in the Data Catalog, you will see a login page like the one below. You only need to select the server you want to connect to in order to log in the Data Catalog.

Login page for single sign-on with Kerberos in the Data Catalog

Login page for single sign-on with Kerberos in the Data Catalog

If there is only one Virtual DataPort server registered, you will be automatically authenticated in the Data Catalog.