Single Sign On

Server Requirements
Client Requirements

Cockpit can use Kerberos for Single Sign On authentication, where users are automatically authenticated if they have a valid Kerberos ticket.

Server Requirements

To authenticate users, the server that Cockpit is running on must be joined to a domain. This can usually be accomplished using the realm join example.com command.

The domain must be resolvable by DNS. For instance, the SRV records of the kerberos server should be resolvable:

$ host -t SRV  _kerberos._udp.example.com
_kerberos._udp.example.com has SRV record 0 100 88 dc.example.com

The server running Cockpit should have a fully qualified name that ends with the domain name.

There must be a valid Kerberos host key for the server in the /etc/krb5.keytab file. It may be necessary to create a kerberos service principal and update the keytab if it is not present. Depending on your domain type different service names are required:

Active Directory

HOST/server.example.com@EXAMPLE.COM

IPA and MIT

HTTP/server.example.com@EXAMPLE.COM

The following command can be used to list the /etc/krb5.keytab:

$ sudo klist -k

Lastly accounts from the domain must be resolvable to unix accounts on the server running Cockpit. For example:

$ getent passwd user@example.com
user@example.com:*:381001109:381000513:User Name:/home/user:/bin/sh

Client Requirements

The client side, where your web browser is running, should have a valid kerberos ticket in the current user session. A command like this will get one:

$ kinit user@EXAMPLE.COM
Password for user@EXAMPLE.COM:  

In addition your browser must be usually be configured to allow kerberos authentication for the domain.

Mozilla Firefox

Go to about:config and set the network.negotiate-auth.trusted-uris setting to your domain name preceded by a dot, ie: .example.com

Google Chrome

On Linux: create the file /etc/opt/chrome/policies/managed/example-com.json with the contents:

{
  "AuthServerWhitelist": "*example.com"
}

and restart the browser. On other platforms, exit your browser completely, and start it with a command line like this: google-chrome --auth-server-whitelist=*example.com

Use a fully qualified server name (with the domain name at the end) to access Cockpit in your web browser.

If you wish to connect from one server to another in Cockpit using kerberos SSO, then you have to explicitly enable this in your web browsers.

Mozilla Firefox

Go to about:config and set the network.negotiate-auth.delegation-uris setting to your domain name preceded by a dot, ie: .example.com

Google Chrome

On Linux: create the file /etc/opt/chrome/policies/managed/example-com.json with the contents:

{
  "AuthServerWhitelist": "*example.com",
  "AuthNegotiateDelegateWhitelist": "*example.com"
}

and restart the browser. On other platforms, exit your browser completely, and start it with a command line like this: google-chrome --auth-server-whitelist=*example.com --auth-negotiate-delegate-whitelist=*example.com