Authentication Use Case: Single Sign-On (SSO)

In this scenario, the site uses an external authentication server to manage passwords.  All Web Central requests are routed to this external single sign-on server for authentication.

For information on configuring this use case, see Configuring the SSO Authentication Use Case.

The Essential SSO Sequence

The sequence is as follows:

1. The Web Server/Application Server receives a request for the Web Central resource.
2. The SSO server authenticates the user.
3. The Web Server/Application Server inserts the SSO Username into the request header, and forwards the request to Web Central. For example, the IIS filter gets Username for the remote user, and inserts this value as the remote user value so that in Tomcat HttpServletRequest.getRemoteUser() will return the Username.
4. The security service loads the UserAccount object from a record in afm_users table for a given Username.
5. The security service uses the UserAccount properties (security groups and VPAs) for the authorization.

Project ID Options

Option: projectID (such as the project name in afm-projects.xml) can be specified in the request header or in the property file. The specified project will be used as context.

Retrieving the Username from the Request

The Security service gets the Username from the request. It can do so:

• from the request header
• from a cookie
• from HttpServletRequest.getRemoteUser() call (strip prefix before \, e.g.  boston\tydykov).

Mapping SSO Users to ARCHIBUS Users

The use cases for mapping SSO users to ARCHIBUS user accounts within the security service (SS) are these:

• SSO Username is used as SS Username (one-to-one).
• All SSO Usernames are mapped to single SS Username (many-to-one).

Note: The configurations for the following use cases are not shipped; they require some customization.

• SSO Usernames are mapped to SS Usernames (one-to-one). The site would need to implement synchronization (one-way) of LDAP usernames with afm_users usernames

• SSO Usernames are mapped to SS Usernames (one-to-one). If there is no matching SS Username, use Guest Username.
  • The mapping can happen in the Web Server/Application Server, or in the SS.
  • Example of the mapping in Web Server/Application Server: IIS filter gets Username for remote user, calls LDAP server with SSO Username and password, LDAP server authenticates the SSO user credentials, and returns the SS Username for the given SSO Username.
  • IIS filter inserts the SS Username as remote user value into the request header.
  • Example of the mapping in SS: SS gets SSO Username from the request, calls LDAP server with SSO Username and password, LDAP server authenticates the SSO user credentials, and returns the SS Username for the given SSO Username.