...

While Squirro ships with a web server (nginx) that supports integration with Active Directory Service, OpenLDAP, etc., NTLM/Kerberos support is not directly possible.

If you require SSO via NTLM/Kerberos, we recommend that it be handled by an existing third-party solution instead. This also gives your IT team full control over the process, which is crucial for such an important topic.

...

Here is a graphical overview of how authentication and authorisation work. In the next chapter we'll walk you through this step by step.

...

The external authentication service is an extensible web service that can integrate with any third-party directory service, including ADS and OpenLDAP. If your directory is a custom-built solution, e.g. a SQL database or one reachable via a custom API, please contact us. The external authentication service can easily be extended to support your solution.

The external authentication service now decides whether the user is allowed to access the system and, if so, which group memberships are granted to the user for this session. See step 6, Phase 2 below.

...

Based on the HTTP/S headers injected by the security appliance, the external authentication service connects to the directory service to validate that the user exists and retrieves additional data, e.g. group memberships and roles.

This step is fully optional: if the security appliance already provides all the information needed via the HTTP/S headers, the directory lookup can be skipped.

6 Phase 2 - Squirro External Authentication Service

...

If not, the user is denied access.

If yes, the external authentication service instructs the user service to create or update the required user and tells it which group memberships to grant the user for this session.

...

Further requests within this session pass the security appliance as well as the Squirro frontend / user services. The external authentication service is not consulted for each request but only once; when the Squirro session expires, the entire workflow repeats. The session expiration time can be configured and defaults to 60 minutes.

At this stage we've successfully authenticated and authorised the user without a manual login (SSO).
Based on the group memberships granted temporarily by the directory service / external authentication service, the user now has access to the projects with the roles granted by those groups.

...

In the above example, user joe will now only see matching documents that have a group facet containing the value partners or a users facet containing his user id.
As a result, every user only sees the documents they are entitled to.
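As an added illustration (not code from Squirro's documentation or product), here is the Phase 2 decision and the facet-based filtering above in Python. The header names, the in-memory directory and the sample documents are constructed assumptions; a real deployment would query ADS/OpenLDAP and use the header names its security appliance emits.

```python
# Constructed stand-in for the directory service: user id -> group names.
DIRECTORY = {
    "joe": {"partners"},
    "alice": {"employees", "partners"},
}

# Assumed header names. The service only sees these because the security
# appliance sits in front of it and injects them; end users never reach it
# directly, which is why the values can be trusted here.
USER_HEADER = "X-Remote-User"
GROUPS_HEADER = "X-Remote-Groups"  # optional, comma-separated


def authenticate(headers):
    """Decide access for one session from appliance-injected headers.

    Returns {"user": ..., "groups": set(...)} when access is granted,
    or None when the user is denied.
    """
    user = headers.get(USER_HEADER)
    if not user:
        return None  # no identity supplied by the appliance -> deny
    raw_groups = headers.get(GROUPS_HEADER)
    if raw_groups is not None:
        # Appliance already provided the memberships: directory step skipped.
        groups = {g.strip() for g in raw_groups.split(",") if g.strip()}
    else:
        groups = DIRECTORY.get(user)
        if groups is None:
            return None  # unknown in the directory -> deny
    return {"user": user, "groups": set(groups)}


def visible_documents(session, documents):
    """Documents whose 'groups' facet intersects the session's groups or
    whose 'users' facet names the session's user id."""
    return [
        d for d in documents
        if session["groups"] & set(d.get("groups", ()))
        or session["user"] in d.get("users", ())
    ]


# Constructed sample documents carrying the two ACL facets.
DOCUMENTS = [
    {"id": 1, "groups": ["partners"]},
    {"id": 2, "groups": ["employees"]},
    {"id": 3, "users": ["joe"]},
    {"id": 4, "users": ["alice"], "groups": ["managers"]},
]

if __name__ == "__main__":
    session = authenticate({USER_HEADER: "joe"})
    print([d["id"] for d in visible_documents(session, DOCUMENTS)])  # [1, 3]
```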

...