Delegated Authentication

From AgileApps Support Wiki
Latest revision as of 08:58, 9 March 2017

With delegated authentication, you can use your own server to validate platform users against a corporate database or an LDAP directory. A single username and password then gives access to every application that supports delegated authentication.

Scope

Delegated authentication is limited to user authentication and does not include authorization. The user must still be active in the platform, and teams, roles, and other permissions must still be maintained in the platform.

The corporate System Administrator or IT staff develops and implements a web service that accepts and responds to the web service calls made by the platform servers.

Working with delegated authentication

When you log on to the platform, your identity is authenticated both in the platform and on your organization's systems. The following diagram shows the process:

[Figure: SSO-DA.png, the delegated authentication process]

The following steps describe the actions taken by the user, the platform, and your organization's web service.

  1. User: Log on to the platform.
     Platform: Validate that:
       • User is active
       • SSO is enabled
  2. Platform: Make a web services call to the organization's web service, requesting authorization.
     Include the following parameters in the call:
       • username
       • password
       • originatingIp
     Note: originatingIp is the IP address that initiates the login request. This could be useful to restrict access based on the user's location. The web service must be implemented in a way that the platform is able to access it.
  3. Your organization's web service: Validate the passed information and return either "Authenticated" or "Failure".
  4. Platform: On an Authenticated response, generate a new user session. On Failure, notify the user.

Enabling delegated authentication

  1. Click the gear icon > Administration > Account Management > Single Sign-On Settings.
  2. Click the [Edit] button.
  3. Choose Delegated Authentication from the Single Sign-On Using drop-down list.
  4. Specify the URL of the authentication server running in your environment (abc5.abc.com:8080) in the SSO Gateway Url field.
    Note that the URL and Port number must be specified using a Fully Qualified Domain Name or an IP address. Secure HTTPS (Hypertext Transfer Protocol over Secure Socket Layer) protocol is used to access this URL. If you do not have this information available, contact your IT department or System Administrator.
  5. Choose whether or not to enable SSO for individual Users.
  6. Click [Save].

Setting up communication with the authentication server

The authentication server needs a certificate for a successful handshake with the platform. If you are using a self-signed certificate, it must be loaded into the cacerts keystore file in the platform's {installed_JDK}/jre/lib/security folder. If the certificate cannot be loaded, the platform reports an SSL error.

To load the certificate into the keystore:

  1. Check the configuration in the following three locations:
    • installation.properties
    • configure.pl installation script
    • scripts/longjump
  2. Make sure that the JAVA_HOME environment variable points to the JRE in the installed JDK.
    For more information, see Platform Installation Files.
  3. Load the certificate using the keytool -import command.
    Note: The default password is changeit.

For more information, see Java Tutorial: Importing a Certificate.

Making a web service call

Use the URL and port number provided under the Single Sign-On Settings section to make a SOAP request that authenticates the user. The SSO Request and SSO Response formats are predefined by the platform, and the request and response are exchanged as SOAP messages.

Web services message format

Request
SSO SOAP Request sent from the platform is as follows:

<?xml version="1.0" encoding="UTF-8" ?>
<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/">
  <soapenv:Body>
    <LJAuthenticate xmlns="urn:authentication.soap.ws.longjump.com">
      <username>jim@abc.com</username>
      <password>sales</password>
      <originatingIp>1.2.3.4</originatingIp>
    </LJAuthenticate>
  </soapenv:Body>
</soapenv:Envelope>

Response
SSO SOAP Response expected by the platform is as follows:

<?xml version="1.0" encoding="UTF-8" ?>
<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/">
  <soapenv:Body>
    <LJAuthenticateResponse xmlns="urn:authentication.soap.ws.longjump.com">
      <Status>Authenticated</Status>
    </LJAuthenticateResponse>
  </soapenv:Body>
</soapenv:Envelope>
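As an added example (not code from the AgileApps wiki or from the platform itself), here is the exchange from the "Working with delegated authentication" steps and the message format above, implemented in Python with both ends in one file: the platform builds the LJAuthenticate request, a stand-in for your organization's web service validates it and answers with a Status of "Authenticated" or "Failure", and the platform reads that Status back. The in-memory user store, the PBKDF2 password hashing, the allowed source network for originatingIp, and every function name are assumptions made for this illustration; a real service would query the corporate database or LDAP directory and would be served over the HTTPS endpoint configured as the SSO Gateway Url.

```python
"""Delegated-authentication round trip modelled on the LJAuthenticate SOAP
messages shown on this page.  Both ends are implemented here so the exchange
runs offline: the platform builds the request, a stand-in for your
organization's web service validates it, and the platform reads the Status
from the response.  The user store, hashing scheme, allowed network and all
function names are assumptions made for this example."""
import hashlib
import hmac
import ipaddress
import secrets
import xml.etree.ElementTree as ET

SOAP_NS = "http://schemas.xmlsoap.org/soap/envelope/"
AUTH_NS = "urn:authentication.soap.ws.longjump.com"
NS = {"soapenv": SOAP_NS, "lj": AUTH_NS}
ET.register_namespace("soapenv", SOAP_NS)


def _pbkdf2(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, 100_000)


# Constructed stand-in for the corporate directory: username -> (salt, hash).
# A real service would look the user up in the database or LDAP directory.
_SALT = b"constructed-salt-for-this-example"
USER_STORE = {"jim@abc.com": (_SALT, _pbkdf2("sales", _SALT))}
_DUMMY = (_SALT, _pbkdf2("unused", _SALT))  # keeps timing uniform for unknown users

# Constructed policy: the originatingIp must fall inside one of these networks.
ALLOWED_NETWORKS = [ipaddress.ip_network("1.2.3.0/24")]


def build_request(username: str, password: str, originating_ip: str) -> bytes:
    """Platform side: serialize the LJAuthenticate request envelope."""
    env = ET.Element(f"{{{SOAP_NS}}}Envelope")
    body = ET.SubElement(env, f"{{{SOAP_NS}}}Body")
    auth = ET.SubElement(body, f"{{{AUTH_NS}}}LJAuthenticate")
    for tag, value in (("username", username), ("password", password),
                       ("originatingIp", originating_ip)):
        ET.SubElement(auth, f"{{{AUTH_NS}}}{tag}").text = value
    # default_namespace makes ElementTree emit the LJAuthenticate elements
    # unprefixed (the xmlns declaration lands on the envelope), which is
    # equivalent to the wire format shown on this page.
    return ET.tostring(env, encoding="utf-8", xml_declaration=True,
                       default_namespace=AUTH_NS)


def build_response(status: str) -> bytes:
    """Web-service side: serialize LJAuthenticateResponse with the given Status."""
    env = ET.Element(f"{{{SOAP_NS}}}Envelope")
    body = ET.SubElement(env, f"{{{SOAP_NS}}}Body")
    resp = ET.SubElement(body, f"{{{AUTH_NS}}}LJAuthenticateResponse")
    ET.SubElement(resp, f"{{{AUTH_NS}}}Status").text = status
    return ET.tostring(env, encoding="utf-8", xml_declaration=True,
                       default_namespace=AUTH_NS)


def _credentials_ok(username: str, password: str, originating_ip: str) -> bool:
    """Check the password hash and the source address; every check runs before
    the result is combined so a wrong username and a wrong password look alike."""
    salt, expected = USER_STORE.get(username, _DUMMY)
    password_ok = hmac.compare_digest(_pbkdf2(password, salt), expected)
    addr = ipaddress.ip_address(originating_ip)  # ValueError if malformed
    ip_ok = any(addr in net for net in ALLOWED_NETWORKS)
    return username in USER_STORE and password_ok and ip_ok


def handle_request(request_xml: bytes) -> bytes:
    """Web-service side: answer "Authenticated" or "Failure", the two values the
    page specifies.  Malformed input is a Failure, never an exception."""
    status = "Failure"
    try:
        # ET.fromstring on untrusted XML: prefer defusedxml in production.
        root = ET.fromstring(request_xml)
        auth = root.find("soapenv:Body/lj:LJAuthenticate", NS)
        if auth is not None:
            fields = [auth.findtext(f"lj:{t}", default="", namespaces=NS)
                      for t in ("username", "password", "originatingIp")]
            if _credentials_ok(*fields):
                status = "Authenticated"
    except (ET.ParseError, ValueError):
        pass
    return build_response(status)


def read_status(response_xml: bytes) -> str:
    """Platform side: extract Status; anything unparseable counts as Failure."""
    try:
        root = ET.fromstring(response_xml)
        return root.findtext("soapenv:Body/lj:LJAuthenticateResponse/lj:Status",
                             default="Failure", namespaces=NS)
    except ET.ParseError:
        return "Failure"


def run_exchange(username: str, password: str, originating_ip: str) -> str:
    """Full round trip (steps 2 to 4 of the table).  Returns the Status the
    platform acts on: a new session on Authenticated, a notice on Failure."""
    status = read_status(handle_request(build_request(username, password, originating_ip)))
    if status == "Authenticated":
        session_id = secrets.token_hex(16)  # the platform's new user session
        print(f"{username}: new session {session_id}")
    else:
        print(f"{username}: login failed, user notified")
    return status


if __name__ == "__main__":
    run_exchange("jim@abc.com", "sales", "1.2.3.4")      # Authenticated
    run_exchange("jim@abc.com", "sales", "203.0.113.9")  # Failure: outside the allowed network
```

Two points the page's wire format makes visible: the password travels in the SOAP body, so the HTTPS channel described under "Setting up communication with the authentication server" is the only thing protecting it in transit, and the web service answers nothing more than Authenticated or Failure, so the originatingIp check is the one place where source-based restrictions can be applied before a session is created.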