Configuring the SSO Authentication

The SSO ("preauth" in Spring framework terminology) configurations are located in the WEB-INF\config\context\security\preauth folder.

SmartClient will attempt to retrieve configuration settings from WebCentral using the WSDL SmartClientSsoConfigService. The SmartClientSsoConfigService returns the SSO properties usernameKey and projectIdKey. To configure these keys in WebCentral: modify the *.properties files in the /WEB-INF/config/context/security/preauth folder.

If the SmartClientSsoConfigService call fails, indicating a WebCentral version prior to 20.1, the values for usernameKey and projectIdKey are taken from hardcoded constants.

Note: For an overview of the SSO authentication, see Authentication: Single Sign-On (SSO).

Note: If you are setting a value of string_format for afm_users.user_name to any other value than UPPER*, you also must change the value of the convertToUpperCase property to false in /WEB-INF/config/context/security/preauth/account-mapper.xml.

The Logout Page

This step applies to all SSO configurations.

Modify the WEB-INF/config/security.properties file: replace values of the logoutView and timeoutView properties:

security.logoutView=ab-core/views/process-navigator/logout-preauth.htm
security.timeoutView=ab-core/views/process-navigator/logout-preauth.htm

This view appears if SSO users time out of their ARCHIBUS session or log out explicitly.

This setting places users on a page that notifies them that they have logged out.

The SSO configuration does not use the login page that prompts for a user ID and a password.

Request Header Configuration

This configuration supports both Web Central and the Smart Client.

In this SSO configuration, sites use an authentication server, such as SiteMinder, to protect access to the Web Central server. The authentication server forwards requests from the Smart Client and the Web browser, and inserts the proper username into the request before passing it to Web Central.

Procedure:

Configure Web Central according to the instructions in WEB-INF/config/security/preauth/username-source/request-header/readme.txt.

Remote User Configuration

In this scenario, you configure the application server to use container-based authentication. In this configuration, Web Central gets its username from the HttpServletRequest.getRemoteUser() method.

The procedure below illustrate how to establish this type of authentication using a typical reference configuration involving IIS and Tomcat.

1. Configure Tomcat and IIS according to the instructions in Configuring Tomcat and IIS for the Remote User Configuration.

2. Configure Web Central according to instructions in WEB-INF/config/context/security/preauth/username-source/remote-user/readme.txt.

The remote user configuration does not itself support the Smart Client. Sites that use the remote user configuration for Web Central can use the following complementary options for authenticating Smart Client users:

authenticate Smart Client users against a reverse-proxy server using either client-certificates or form-based authentication
use request header authentication for the Smart Client (by using the instructions below).
use ARCHIBUS authentication for the Smart Client workstations

If you use ARCHIBUS authentication, you would set up a separate Web Central instance to support those users that require Smart Client access. If you want to use the same directory service (e.g. Active Directory) to authenticate these users, you can have Web Central authenticate these users via LDAP.

Remote User + Request Header for Smart Client Configuration

This configuration supports both Web Central and the Smart Client.

In this SSO configuration:

Web Central gets its username from the from HttpServletRequest.getRemoteUser() method (as is usually the case if you are using IIS).
The Smart Client uses request header authentication; that is, it automatically inserts the username into the header of the HTTP request, when sending request to Web Central.

Procedure:

Configure Tomcat and IIS according to instructions in Configuring Tomcat and IIS for the Remote User Configuration.
Configure Web Central according to instructions in WEB-INF/config/security/preauth/username-source/remote-user-request-header/readme.txt.

Some sites prefer to use the certificate security option for the Smart Client workstations instead. Doing so removes potential concerns about users falsifying their authentication information using sophisticated techniques.

Sites that do use the SSO request header configuration for the Smart Client may wish to use SSL to protect the traffic to the server and alter their usernameKey per the instructions above.

Request Parameter Configuration

This configuration supports both Web Central and the Smart Client.

In this SSO configuration:

The Web browser making requests to Web Central supplies the username using the POST method.
The Smart Client making requests to Web Central gets the username from the Windows operating system and supplies the username using the POST method.

Procedure:

Configure Web Central according to instructions in WEB-INF/config/context/security/preauth/username-source/request-parameter/readme.txt.

Sites that do use the SSO request parameter configuration for the Smart Client may wish to use SSL to protect the traffic to the server.

Parameterizing SSO Request Parameters in Smart Client

The following parameters are used in SSO configurations:

USERNAME_KEY=”username”
PROJECT_ID_KEY=”projectId”
REFERER_KEY = “referer”

The USERNAME_KEY and PROJECT_ID_KEY are configurable in Web Central: the administrator modifies *.properties files in /WEB-INF/config/context/security/preauth folder.

The REFERER_KEY is not configurable. It is hard-coded in Smart Client since it is determined by the HTTP standard and can not be changed.

If the user has Web Central, Smart Client will be configured automatically; otherwise, the values will come from the hard-coded constants.