Difference between revisions of "Delegated Authentication"
imported>Aeric |
imported>Aeric |
||
Line 51: | Line 51: | ||
#::*''If you do not have this information available, contact your IT department or System Administrator.'' | #::*''If you do not have this information available, contact your IT department or System Administrator.'' | ||
#Click '''[Save]''' | #Click '''[Save]''' | ||
===Setting up Communications with the Authentication Server=== | |||
For a successful handshake with the platform, the authentication server needs a certificate. If you are using a self-signed certificate, it needs to be loaded into the cacert keystore file in the platform's <tt>{installed_JDK}/jre/lib/security</tt> folder. Otherwise, you get an SSL error. | |||
To load the certificate into the keystore: | |||
# Make sure that the <tt>JAVA_HOME</tt> environment variable points to the installed JDK.<br/>Check the configuration in these three locations: | |||
#* <tt>installation.properties</tt> | |||
#* <tt>configure.pl</tt> | |||
#* <tt>scripts/longjump</tt> (script) | |||
# Load the certificate: | |||
#* {{TBD|} | |||
#: ''Note:'' The default password is "changeit". | |||
===Making a Web Service Call=== | ===Making a Web Service Call=== |
Revision as of 22:36, 18 August 2011
Single Sign-On (SSO) allows for the delegated authentication of platform Users against a corporate database. With SSO, users have a single username and password that provides access to applications which support SSO.
Using SSO allows an organization to validate their users in their own secured environment. This means you can implement you own authentication methods (such as a database or LDAP Directory) to authenticate a user.
How it Works
After a user is validated against the customer’s environment, the user is logged into the platform.
Scope
SSO is limited to user authentication and does NOT include authorization. Users must be active in the platform. Teams, Roles and other permissions must also be maintained.
It is the responsibility of the corporate System Administrator/IT Staff to develop and implement a Web service that can accept and respond to the SSO web service calls made by the platform servers.
Actions
When a User logs in, the following actions take place to authenticate the user in both the platform and in your organization's systems. This table lists the actions taken by the User, the platform and your organization's web service. See Web Service for more information.
User... Platform... Your Organization's Web Service... 1. Log into the platform Validate that: - User is Active
- SSO is Enabled
2. Make a Web Services call to the organization's Web service, requesting authorization. Include these parameters in the call:
- <syntaxhighlight lang="java" enclose="div">
username password originatingIp </syntaxhighlight> Note: originatingIp is the IP address that originated the login request. This could be useful to restrict access based on the user’s location. The Web Service must be implemented in a way that the platform is able to access it.
3. Validate the passed information and return either "Authenticated" or "Failure". 4. On Authenticated response, generate a new User Session. On Failure, notify the user.
Enabling Delegated Authentication
- Click Settings > Administration > Single Sign-On
- Click the [Edit] button
- For Single Sign-On Settings, choose Delegated Authentication
- Fill in the Delegated Authentication Settings:
- Specify the URL of the authentication server running in your environment (abc5.abc.com:8080)
- Note that the URL and Port number must be specified using a Fully Qualified Domain Name or an IP address. Secure HTTPS (Hypertext Transfer Protocol over Secure Socket Layer) protocol is used to access this URL.
- If you do not have this information available, contact your IT department or System Administrator.
- Click [Save]
Setting up Communications with the Authentication Server
For a successful handshake with the platform, the authentication server needs a certificate. If you are using a self-signed certificate, it needs to be loaded into the cacert keystore file in the platform's {installed_JDK}/jre/lib/security folder. Otherwise, you get an SSL error.
To load the certificate into the keystore:
- Make sure that the JAVA_HOME environment variable points to the installed JDK.
Check the configuration in these three locations:- installation.properties
- configure.pl
- scripts/longjump (script)
- Load the certificate:
- {{TBD|}
- Note: The default password is "changeit".
Making a Web Service Call
Use the URL and port number provided under the Single Sign-On Settings Section to make a SOAP request to authenticate the users. SSO Request and SSO Response are predefined by the platform. These request and response are conducted via SOAP messaging.
Web Services Message Format
- Request
- SSO SOAP Request sent from the platform is as follows:
- <syntaxhighlight lang="xml" enclose="div">
<?xml version="1.0" encoding="UTF-8" ?> <soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/"> <soapenv:Body> <LJAuthenticate xmlns="urn:authentication.soap.ws.longjump.com"> <username>jim@abc.com</username> <password>sales</password> <originatingIp>1.2.3.4</originatingIp> </LJAuthenticate> </soapenv:Body> </soapenv:Envelope> </syntaxhighlight>
- Response
- SSO SOAP Response expected by the Platform is as follows:
- <syntaxhighlight lang="xml" enclose="div">
<?xml version="1.0" encoding="UTF-8" ?> <soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/"> <soapenv:Body> <LJAuthenticateResponse xmlns="urn:authentication.soap.ws.longjump.com"> <Status>Authenticated</Status> </LJAuthenticateResponse> </soapenv:Body> </soapenv:Envelope> </syntaxhighlight>