Protecting Single-Sign-On applications

Kerberos

Secfense Broker supports Single Sign-On (SSO) applications that use Kerberos for authentication.

Since the authentication mechanism differs from standard web applications, the approach to protecting Kerberos with multi-factor authentication (MFA) also varies slightly from the standard method.

First, the administrator of the protected application needs to create the keytab file.

To configure a Kerberos-based Application Representation, start as you normally would, but enable the "Enable Kerberos support" option under Advanced options.

Upload the keytab file when prompted.

Continue configuring your application as usual, except for the learning phase.

For Kerberos-based applications, the learning phase is already completed—all that remains is to apply the result.

Once applied, your application is protected.

NTLM

Secfense Broker supports the NTLM Single Sign-On (SSO) protocol. However, we strongly advise upgrading, as NTLM is considered very insecure.

To enable NTLM SSO support when creating an application representation, go to the section where you would normally enable Learning Mode. Instead of switching it on, choose NTLM from the custom presets.

Continue configuring the application as you normally would. With this feature enabled, NTLM will be protected by a second factor.