Optional configuration

Owned by Lars Olav Velle (Unlicensed)
Last updated: May 27, 2020
3 min read

Overview

After finishing the Polar SSO Kerberos setup, some additional options may be configured to best fit your environment. This article describes these features.

Temporarily disable Kerberos

It may some times be useful to disable Kerberos globally without the need to remove any configuration.  When disabling Kerberos, all functionality remains the same except for authenticating users. You may continue to configure and test Polar SSO even when Kerberos is disabled.

Supported browsers

All defined browsers are by default challenged to authenticate the user using Kerberos when a user would otherwise be asked to log in using username/password. 

If clients are not configured or fails to acquire a kerberos ticket, the browser may fall back to NTLM and users may see a username / password popup instead. To avoid this, it is useful to select only the browsers which are configured and supported by your organization. 

Custom user agents that should be offered Kerberos can also be added. For example adding curl/ to other agents will allow you to use curl --negotiate.

Network zones

Kerberos may be enabled or disabled based on network zones. Only users from enabled network zones are offered to log in using Kerberos. By default Kerberos is enabled for any zone. 

Kerberos for REST

Kerberos may be enabled for REST resources. Enabling Kerberos for REST removes the need for passwords in clear text such as when running curl requests. In the following example we allow GET requests to /api/2/issue/ from the RND network zone.

Public pages

Some URLs in the Atlassian stack, such as /issues/ in Jira or a Confluence public space can be viewed anonymously. If a user accesses an anonymously accessible URL directly, Jira/Confluence does not redirect the user to log in, and the user has to click "Log in" manually. With Kerberos enabled for public pages, users are automatically logged in also on public pages without having to manually click 'Log in'.

Kerberos for Git clients

Bitbucket admins can optionally enable Kerberos for Git. When enabled, users can then clone from Bitbucket repositories without having to type username/ password.

The Bitbucket clone UI will then show an additional option to clone using Kerberos.

Learn more