Configuring the SSO Authentication

The SSO ("preauth", for pre-authentication, in Spring Security terminology) configurations are located in the WEB-INF/config/context/security/preauth folder.

The Smart Client retrieves its SSO settings from Web Central through the SmartClientSsoConfigService web service (WSDL). The service returns the SSO properties usernameKey and projectIdKey. To configure these keys in Web Central, edit the *.properties files in the /WEB-INF/config/context/security/preauth folder.

If the SmartClientSsoConfigService call fails (which indicates a Web Central version prior to V20.1), the Smart Client falls back to hard-coded constants for usernameKey and projectIdKey.

Note: For an overview of the SSO authentication, see Authentication: Single Sign-On (SSO).

Note: If you set the string_format of afm_users.user_name to any value other than UPPER*, you must also set the convertToUpperCase property to false in /WEB-INF/config/context/security/preauth/account-mapper.xml, so that the pre-authenticated user name matches the case stored in afm_users.


The Logout Page

This step applies to all SSO configurations.

Modify the WEB-INF/config/security.properties file, replacing the values of the logoutView and timeoutView properties:

security.logoutView=schema/ab-core/views/process-navigator/logout-preauth.htm

security.timeoutView=schema/ab-core/views/process-navigator/logout-preauth.htm

This view appears when SSO users time out of their ARCHIBUS session or log out explicitly; it places them on a page that notifies them that they have logged out.

The SSO configuration does not use the login page that prompts for a user ID and a password. Note that this logout ends only the Web Central session; whether the user's session at the authentication server also ends depends on that server, and a user whose SSO session is still valid will be signed in again on the next request.

Request Header Configuration

This configuration supports both Web Central and the Smart Client.

In this SSO configuration, sites use an authentication server, such as SiteMinder, to protect access to the Web Central server. The authentication server forwards requests from the Smart Client and the Web browser, and inserts the authenticated username into a request header (the header named by usernameKey) before passing the request to Web Central. Web Central trusts that header as-is, so the configuration is only safe when the authentication server is the sole route to Web Central: a client that can reach Web Central directly could supply its own username header.

Procedure:

  1. Configure Web Central according to the instructions in WEB-INF/config/context/security/preauth/username-source/request-header/readme.txt.


Remote User Configuration

In this scenario, you configure the application server to use container-based authentication. Web Central then takes its username from the HttpServletRequest.getRemoteUser() method, which the container populates only after it has authenticated the caller, so request headers play no part.

The procedure below illustrates how to establish this type of authentication using a typical reference configuration involving IIS and Tomcat.

1. Configure Tomcat and IIS according to the instructions in Configuring Tomcat and IIS for the Remote User Configuration.

2. Configure Web Central according to instructions in WEB-INF/config/context/security/preauth/username-source/remote-user/readme.txt.

The remote user configuration does not itself support the Smart Client. Sites that use the remote user configuration for Web Central have two complementary options for authenticating Smart Client users.

With ARCHIBUS authentication, set up a separate Web Central instance to support the users who require Smart Client access. If you want to authenticate those users against the same directory service (e.g. Active Directory), have that Web Central instance authenticate them via LDAP.


Remote User + Request Header for Smart Client Configuration

This configuration supports both Web Central and the Smart Client.

In this SSO configuration:

Procedure:

  1. Configure Tomcat and IIS according to instructions in Configuring Tomcat and IIS for the Remote User Configuration.
  2. Configure Web Central according to instructions in WEB-INF/config/context/security/preauth/username-source/remote-user-request-header/readme.txt.

Some sites prefer to use the certificate security option for the Smart Client workstations instead. Doing so removes potential concerns about users falsifying their authentication information (for example, by supplying their own username header) using sophisticated techniques.

Sites that do use the SSO request header configuration for the Smart Client should use SSL to protect the traffic to the server and change the usernameKey from its default per the instructions above. Note that renaming the header only makes it harder to guess; it does not stop a client that can reach the server directly from supplying it, so network access to Web Central must still be restricted to the authentication server.
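The following Python model is added here as an illustration and is not ARCHIBUS or Spring Security code. It shows what the Request Header and Remote User username sources described above actually trust, and why the request-header variant depends on the authentication server being the only path to Web Central. The header names SM_USER and SM_PROJECT, the trusted_proxies address list and all function names are assumptions standing in for the usernameKey and projectIdKey values and for the network restriction a site must enforce; the convertToUpperCase behaviour mirrors the account-mapper.xml note above. The sample requests are constructed inline.

```python
"""Model of the pre-authentication username sources: request header vs. remote user.
Added example; not ARCHIBUS or Spring Security code.
"""
from dataclasses import dataclass
from typing import FrozenSet, Mapping, Optional


@dataclass(frozen=True)
class PreauthConfig:
    # Assumed header names; in Web Central they come from the usernameKey and
    # projectIdKey properties in /WEB-INF/config/context/security/preauth/*.properties.
    username_key: str = "SM_USER"
    project_id_key: str = "SM_PROJECT"
    # Mirrors convertToUpperCase in account-mapper.xml (afm_users.user_name is UPPER*).
    convert_to_upper_case: bool = True
    # Assumed: the only addresses allowed to reach Web Central in the request-header
    # configuration, i.e. the authentication server (SiteMinder or similar).
    trusted_proxies: FrozenSet[str] = frozenset({"10.0.0.5"})


@dataclass(frozen=True)
class Request:
    """Constructed stand-in for HttpServletRequest: headers, peer address, remote user."""
    headers: Mapping[str, str]
    remote_addr: str
    remote_user: Optional[str] = None  # what getRemoteUser() returns after container auth


@dataclass(frozen=True)
class PreauthIdentity:
    username: str
    project_id: Optional[str]


def _map_account(raw_user: str, project_id: Optional[str],
                 cfg: PreauthConfig) -> Optional[PreauthIdentity]:
    """Account-mapping step: normalise the pre-authenticated name to the stored form."""
    user = raw_user.strip()
    if not user:
        return None
    if cfg.convert_to_upper_case:
        user = user.upper()
    return PreauthIdentity(user, project_id)


def username_from_request_header(req: Request,
                                 cfg: PreauthConfig) -> Optional[PreauthIdentity]:
    """Request Header configuration.

    The header is trusted as-is, so it is only safe when the request provably came
    through the authentication server. A direct connection is refused outright:
    its headers are chosen by the client and would let it impersonate anyone.
    """
    if req.remote_addr not in cfg.trusted_proxies:
        return None
    raw = req.headers.get(cfg.username_key)
    if raw is None:
        return None  # no pre-authenticated user: nothing to map
    return _map_account(raw, req.headers.get(cfg.project_id_key), cfg)


def username_from_remote_user(req: Request,
                              cfg: PreauthConfig) -> Optional[PreauthIdentity]:
    """Remote User configuration.

    The container (IIS + Tomcat) has already authenticated the caller, so the
    username comes from getRemoteUser() and request headers are ignored entirely.
    """
    if not req.remote_user:
        return None
    return _map_account(req.remote_user, None, cfg)


if __name__ == "__main__":
    cfg = PreauthConfig()
    via_sso = Request({"SM_USER": "jdoe", "SM_PROJECT": "HQ"}, remote_addr="10.0.0.5")
    direct = Request({"SM_USER": "admin"}, remote_addr="203.0.113.7")
    print(username_from_request_header(via_sso, cfg))  # PreauthIdentity(username='JDOE', project_id='HQ')
    print(username_from_request_header(direct, cfg))   # None: spoofed header refused
    print(username_from_remote_user(Request({"SM_USER": "admin"}, "203.0.113.7", "alice"), cfg))
```

The point the model makes: with the request-header source, any client that can reach the server directly gets to choose its own username, so the code refuses such requests instead of reading the header; renaming the header (usernameKey) only raises the guessing cost. With the remote-user source no header is consulted at all, because the container has already authenticated the caller, which is why that source cannot be spoofed by a header but also cannot serve the Smart Client without the request-header complement.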

Copyright © 1984-2014, ARCHIBUS, Inc. All rights reserved.