Question about Microsoft Active Directory integration with INCEPTION


Pierre Seguret

Jun 4, 2025, 12:26:35 PM
to inception-users

Dear INCEPTION team,

We are currently evaluating the best way to integrate user authentication with INCEPTION version 36.4 in our infrastructure, and we would appreciate your guidance regarding compatibility with Microsoft Active Directory.

Is it possible to authenticate users directly via LDAP or using Active Directory Federation Services (AD FS)? Or would it be necessary to configure an external Identity Provider (IdP) such as Keycloak to act as a bridge between INCEPTION and our Active Directory?

We would be grateful for any recommendations or documentation you could provide regarding supported authentication mechanisms, especially in the context of enterprise directory services.

Best regards,
Pierre SEGURET


Richard Eckart de Castilho

Jun 4, 2025, 12:32:29 PM
to inception-users
Hello Pierre,

> On 4. Jun 2025, at 17:39, Pierre Seguret <pseg...@gmail.com> wrote:
>
> Is it possible to authenticate users directly via LDAP or using Active Directory Federation Services (AD FS)? Or would it be necessary to configure an external Identity Provider (IdP) such as Keycloak to act as a bridge between INCEPTION and our Active Directory?
> We would be grateful for any recommendations or documentation you could provide regarding supported authentication mechanisms, especially in the context of enterprise directory services.

INCEpTION supports OAuth2 OIDC and SAML 2.0.

Documentation for this feature including examples of how to use it in
conjunction with Keycloak can be found in the admin guide:

https://inception-project.github.io/releases/36.4/docs/admin-guide.html#sect_security_authentication

Several users have also been able to use this information to connect INCEpTION to AD FS.

Authentication via LDAP is presently not natively supported. You could, however, set up
external pre-authentication in INCEpTION and handle LDAP authentication via a reverse proxy.

https://inception-project.github.io/releases/36.4/docs/admin-guide.html#sect_security_authentication_preauth

Personally, I find the OAuth setup to be the simplest of the three approaches.

Cheers,

-- Richard




Pierre Seguret

Jun 8, 2025, 12:42:04 PM
to inception-users
Hello Richard,

Thank you for your answer.

I have implemented Microsoft Directory authentication using Keycloak v26.2.5 and OAuth2 as described in the documentation.

I can successfully log in to INCEpTION with Firefox using an Active Directory user.

However, I am experiencing strange behaviour with Chrome and the following message is displayed in pink in the browser: ‘Login with SSO service failed. You might try logging out of your SSO service before trying to log in here again.’ The following message is also appearing in the INCEpTION logs: ‘ERROR [SYSTEM] ApplicationPageBase - anonymousUser: Login with SSO service failed. You might try logging out of your SSO service before trying to log in here again.’

Still with Chrome, when I click again on the login option called Keycloak, I am successfully logged in to the application.

Do you have any explanation or suggestions for resolving this issue?

Thank you in advance.

Best Regards,

Pierre

Richard Eckart de Castilho

Jun 8, 2025, 12:48:03 PM
to inception-users
Hi,

> On 8. Jun 2025, at 18:42, Pierre Seguret <pseg...@gmail.com> wrote:
>
> However, I am experiencing strange behaviour with Chrome and the following message is displayed in pink in the browser: ‘Login with SSO service failed. You might try logging out of your SSO service before trying to log in here again.’ The following message is also appearing in the INCEpTION logs: ‘ERROR [SYSTEM] ApplicationPageBase - anonymousUser: Login with SSO service failed. You might try logging out of your SSO service before trying to log in here again.’
> Still with Chrome, when I click again on the login option called Keycloak, I am successfully logged in to the application.
> Do you have any explanation or suggestions for resolving this issue?

It sounds like the redirect to INCEpTION does not work properly.

Are you using SAML or OAuth?

Are you using **only** Keycloak or does Keycloak delegate to yet another IdP?

-- Richard


Pierre Seguret

Jun 8, 2025, 1:03:22 PM
to inception-users
Richard,

I'm using OAuth, and Keycloak delegates to Active Directory using LDAP.

Pierre

Richard Eckart de Castilho

Jun 8, 2025, 1:48:48 PM
to inception-users
Hi,

> On 8. Jun 2025, at 19:03, Pierre Seguret <pseg...@gmail.com> wrote:
>
> I'm using OAuth, and Keycloak delegates to Active Directory using LDAP.

You need to make sure that AD is redirecting back to Keycloak and Keycloak is then redirecting back to INCEpTION.
If you let AD redirect directly to INCEpTION, the response ID sent from AD to INCEpTION won't be known by INCEpTION
and you get the error you are seeing.

Make sure the response chain strictly matches the request chain and hopefully it should work.

-- Richard
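An added illustration (not INCEpTION's or Keycloak's code) of the point above, modelled in Python with OAuth2's `state` parameter standing in for the "response ID": the relying party accepts only callbacks that carry a state it issued itself, so a response routed straight from AD to INCEpTION instead of back through Keycloak is rejected. Hostnames, the callback path and the code value are constructed assumptions.

```python
import secrets
from urllib.parse import parse_qs, urlencode, urlparse


class RelyingParty:
    """Stand-in for the OAuth2/OIDC client side (INCEpTION in the thread)."""

    def __init__(self, redirect_uri):
        self.redirect_uri = redirect_uri
        self.pending = {}  # state values we issued and have not yet consumed

    def start_login(self, provider, authorize_endpoint):
        # A fresh random state binds the eventual callback to this request.
        state = secrets.token_urlsafe(32)
        self.pending[state] = provider
        params = {"response_type": "code", "client_id": "inception",
                  "redirect_uri": self.redirect_uri, "scope": "openid",
                  "state": state}
        return f"{authorize_endpoint}?{urlencode(params)}"

    def handle_callback(self, callback_url):
        q = parse_qs(urlparse(callback_url).query)
        state = q.get("state", [None])[0]
        code = q.get("code", [None])[0]
        # Consume the state so a replayed callback is also rejected.
        provider = self.pending.pop(state, None)
        if provider is None or code is None:
            return ("failed", "Login with SSO service failed")
        return ("ok", provider)


def simulate(correct_chain):
    """Returns "ok" or "failed" for the two response chains discussed above."""
    rp = RelyingParty("https://inception.example/login/oauth2/code/keycloak")
    url = rp.start_login("keycloak",
                         "https://kc.example/realms/r/protocol/openid-connect/auth")
    q = parse_qs(urlparse(url).query)
    rp_state, rp_redirect = q["state"][0], q["redirect_uri"][0]
    # Keycloak brokers to AD with its *own* state; AD only ever sees that one.
    kc_state = secrets.token_urlsafe(16)
    if correct_chain:
        # AD -> Keycloak (kc_state) -> INCEpTION (rp_state): chains match.
        callback = f"{rp_redirect}?{urlencode({'code': 'c1', 'state': rp_state})}"
    else:
        # AD -> INCEpTION directly, carrying a state INCEpTION never issued.
        callback = f"{rp_redirect}?{urlencode({'code': 'c1', 'state': kc_state})}"
    return rp.handle_callback(callback)[0]
```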

Richard Eckart de Castilho

Jun 9, 2025, 3:03:29 AM
to inception-users
Hi,

> On 8. Jun 2025, at 19:48, Richard Eckart de Castilho <richard...@gmail.com> wrote:
>
>> On 8. Jun 2025, at 19:03, Pierre Seguret <pseg...@gmail.com> wrote:
>>
>> I'm using OAuth, and Keycloak delegates to Active Directory using LDAP.

Ah, ok, I got it now. Keycloak talks to AD using LDAP. I was mentally
stuck in another scenario that failed with the same error but was
quite different.

So in your particular scenario: I don't know. But what helped us
debug the previously mentioned unrelated scenario was adding these
log settings to the settings.properties:

```properties
logging.level.org.springframework.security.oauth=TRACE
logging.level.org.springframework.security.saml2=TRACE
logging.level.de.tudarmstadt.ukp.inception.security.oauth=TRACE
logging.level.de.tudarmstadt.ukp.inception.security.saml=TRACE
```

That provided additional information about the exchange
between INCEpTION and Keycloak. Maybe you find some useful
information in those logs as well.

Cheers,

-- Richard

