Difference between revisions of "Delegated Authentication"
imported>Aeric |
imported>Aeric |
||
Line 47: | Line 47: | ||
#Click '''[Save]''' | #Click '''[Save]''' | ||
===Setting up | ===Setting up communication with the authentication server=== | ||
The authentication server needs a certificate for a successful handshake with the platform. If you are using a self-signed certificate, it needs to be loaded into the cacert keystore file in the platform's <tt>{installed_JDK}/jre/lib/security</tt> folder. Unable to load the certificate displays an SSL error. | The authentication server needs a certificate for a successful handshake with the platform. If you are using a self-signed certificate, it needs to be loaded into the cacert keystore file in the platform's <tt>{installed_JDK}/jre/lib/security</tt> folder. Unable to load the certificate displays an SSL error. | ||
Revision as of 08:50, 17 February 2017
With delegated authentication, you use your own server to validate platform Users against a corporate database or an LDAP Directory. Users can then use a single username and password to access all of their applications--as long as they support delegated authentication.
Scope
Delegated Authentication is limited to user authentication and does not include authorization. Users must be active in the platform. Teams, roles, and other permissions must also be maintained.
The corporate System Administrator or the IT Staff develop and implement a web service that can accept and respond to the web service calls made by the platform servers.
How Delegated Authentication Works
When the users logon to the platform, their identity is authenticated in both the platform and in your organization's systems. The following diagram shows the process:
This table describes the actions taken by the user, the platform, and your organization's Web Service.
User Platform Your organization's web service 1. Logon the platform Validate that: - User is active
- SSO is enabled
2. Make a web services call to the organization's web service, requesting authorization. Include the following parameters in the call:
- <syntaxhighlight lang="java" enclose="div">
username password originatingIp </syntaxhighlight> Note: originatingIp is the IP address that initiates the login request. This could be useful to restrict access based on the user's location. The web service must be implemented in a way that the platform is able to access it.
3. Validate the passed information and return either "Authenticated" or "Failure". 4. On Authenticated response, generate a new User Session. On Failure, notify the user.
Enabling Delegated Authentication
- Click > Administration > Account Management > Single Sign-On Settings.
- Click the [Edit] button.
- Choose Delegated Authentication from the Single Sign-On Using drop-down list.
- Specify the URL of the authentication server running in your environment (abc5.abc.com:8080) in the SSO Gateway Url field.
- Note that the URL and Port number must be specified using a Fully Qualified Domain Name or an IP address. Secure HTTPS (Hypertext Transfer Protocol over Secure Socket Layer) protocol is used to access this URL. If you do not have this information available, contact your IT department or System Administrator.
- Choose whether or not to enable SSO for individual Users.
- Click [Save]
Setting up communication with the authentication server
The authentication server needs a certificate for a successful handshake with the platform. If you are using a self-signed certificate, it needs to be loaded into the cacert keystore file in the platform's {installed_JDK}/jre/lib/security folder. Unable to load the certificate displays an SSL error.
To load the certificate into the keystore:
- Check the configuration in the following three locations:
- installation.properties
- configure.pl installation script
- scripts/longjump
- Make sure that the JAVA_HOME environment variable points to the JRE in the installed JDK.
- For more information, see Platform Installation Files
- Load the certificate using the keytool -import command.
- Note: The default password is changeit.
For more information , see Java Tutorial: Importing a Certificate
Making a Web Service Call
Use the URL and port number provided under the Single Sign-On Settings Section to make a SOAP request to authenticate the users. SSO Request and SSO Response are predefined by the platform. These request and response are conducted via SOAP messaging.
Web Services Message Format
- Request
- SSO SOAP Request sent from the platform is as follows:
- <syntaxhighlight lang="xml" enclose="div">
<?xml version="1.0" encoding="UTF-8" ?> <soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/"> <soapenv:Body> <LJAuthenticate xmlns="urn:authentication.soap.ws.longjump.com"> <username>jim@abc.com</username> <password>sales</password> <originatingIp>1.2.3.4</originatingIp> </LJAuthenticate> </soapenv:Body> </soapenv:Envelope> </syntaxhighlight>
- Response
- SSO SOAP Response expected by the Platform is as follows:
- <syntaxhighlight lang="xml" enclose="div">
<?xml version="1.0" encoding="UTF-8" ?> <soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/"> <soapenv:Body> <LJAuthenticateResponse xmlns="urn:authentication.soap.ws.longjump.com"> <Status>Authenticated</Status> </LJAuthenticateResponse> </soapenv:Body> </soapenv:Envelope> </syntaxhighlight>