SSO Problem with single route

[boehlim377]

• Laravel Version: 8.83.3
• Adldap2-Laravel Version: 6.1
• PHP Version: 8.0
• LDAP Type: ActiveDirectory
• Apache Version: 2.4.53
• Apache Modul; auth_gssapi

Description:

As described in the instructions, I have activated the middleware for SSO. However, this only works if I activate authentication for the entire site in Apache. Then the queries via GraphQL to Lighthouse PHP no longer work.

So I wanted to enable authentication for only one URL e.g. /auth. But then SSO no longer works. Here is my config:

     <LocationMatch "/auth">
          AllowOverride None
          AuthType GSSAPI
          AuthName "xx.yy.zz"
          GssapiBasicAuth On
          GssapiCredStore keytab:/etc/kerberos.keytab
          GssapiLocalName On
          require valid-user
        </LocationMatch>

The WWW-Authenticate parameter is included in the response and vary starts with "Authorization".

When I read the Auth::user() value in the route mentioned, it is empty.

Does anyone have a similar constellation and can tell me whether authentication with SSO is only possible via a single route?

[stevebauman]

Hi @boehlim377,

To my knowledge, SSO is all or nothing for the entire domain.

I would recommend creating a sub-domain (i.e. sso.my-app.com) specifically for SSO users. I've seen this pattern fairly often with SSO compatible web apps. You should then be able to still use GraphQL and authenticate normally, while directing SSO users to the prefixed SSO domain.