Authentication Type SSO
Using the authentication type SSO it is possible to combine the advantages of the single sign-on scenario using NTLM with the easy administration and maintenance of the user management database using LDAP. In order to use this authentication type it is necessary to configure Apache Tomcat, MS IIS and the ISAPI Redirector so that operating system user authentication is used inside WebOffice 10.9 R4.
• With WebOffice 10.9 R4, backup LDAP servers are supported. Just add a second LDAP configuration node. The connection to the first defined LDAP server is tried first (top-down).
• Pay attention to Explicitly Supported Scenarios for https.
• The authentication type SSO does not use the WebOffice login dialog for authentication. AD groups are used for rights management and are managed in the WebOffice UM Repository.
A general comparison of the common authentication methods in WebOffice 10.9 R4 can be found in chapter Overview of authentication methods.
SSO Architecture
WebOffice SSO architecture
Sequence:
1. (a, b & c) User identification: The logged-in user is identified and checked by the LDAP server system. To use this information correctly, the browser must be able to pass on the login information (this capability is given with MS IE).
IE security settings
2. (If 1 is successful): The web server passes the user context (NTLM) through the redirection of the ISAPI Redirector. This context contains only the login information, not the role memberships. WebOffice 10.9 R4 determines the role memberships of the user by querying the LDAP server.
3. (If 2 is successful): WebOffice 10.9 R4 identifies the passed information (user context and role membership) based on the application configuration. Role identifiers (role names) are compared with the role identifiers of the WebOffice user management rights repository (group names). If the string comparison succeeds, the role definition (rights and restrictions) from the rights repository is read and applied. This way, WebOffice 10.9 R4 can assign rights to a logged-in user without holding any user information in the WebOffice user management rights repository.
Authentication type SSO configuration
Property | Description
---|---
 | The authentication type user management is activated (true) as a fallback if the SSO login fails, or is not activated as a fallback (false).
 | Use not only the groups from the SSO system (for example Microsoft Active Directory) but also the groups configured in the user management database. Useful for group authorisation in projects in which an authenticated AD user is not a member of the authorised AD group.
Apache Tomcat Configuration for SSO
To let WebOffice 10.9 R4 handle the LDAP realm itself, Tomcat authentication has to be disabled (tomcatAuthentication="false" in C:\Tomcat\conf\server.xml). Restart the Tomcat service after changing the configuration.
Set tomcatAuthentication="false" in the Server.xml
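The corresponding AJP connector entry, as an added example that is not taken from the WebOffice documentation. It assumes the default AJP port 8009, that IIS and Tomcat run on the same host, and that the same secret is configured for the ISAPI Redirector worker (worker property "secret" in workers.properties); the secret value is a placeholder.

```xml
<!-- C:\Tomcat\conf\server.xml (excerpt, inside <Service name="Catalina">) -->

<!-- AJP connector used by the ISAPI Redirector (jakarta application in IIS).
     tomcatAuthentication="false": Tomcat does not authenticate the request
     itself but accepts the user principal that IIS established through
     Windows Authentication (NTLM) and that the ISAPI Redirector forwards
     over AJP. WebOffice then resolves this user's groups via LDAP.

     Because Tomcat trusts the forwarded user name, the connector must only
     be reachable by IIS: bind it to the loopback address (assumption: same
     host) and require the shared AJP secret so that only the configured
     ISAPI Redirector worker can talk to it. -->
<Connector protocol="AJP/1.3"
           port="8009"
           address="127.0.0.1"
           tomcatAuthentication="false"
           secretRequired="true"
           secret="REPLACE-WITH-SHARED-SECRET" />
```

If IIS runs on another machine, replace the loopback address with the interface that only IIS can reach and keep the secret in place.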
IIS Configuration for SSO
The jakarta application (created in chapter Install Apache Tomcat Connector) has to be secured with Windows Authentication so that IIS forces the user to log on. With this setting the user is authenticated to the web server via NTLM. If IIS is in the same domain as the client, the user credentials are taken over automatically, which means that the user does not have to log in explicitly.
Open the Internet Information Services (IIS) Manager, switch to the Apache Tomcat Connector application in the Jakarta node, open Authentication and set the following:
• Anonymous Authentication: Disabled
• Windows Authentication: Enabled
Then restart the IIS service.
IIS authentication settings of jakarta directory
The administrator must set up a virtual directory that maps the configured WebOffice output URL to the physical path of the WebOffice output directory (C:\Tomcat\webapps\<WebOffice application>\output). Files in this virtual directory must be accessible via anonymous HTTP.
Detailed information about the configuration of the WebOffice output URL can be found in chapter WebOffice.
Add virtual directory in IIS manager
WebOffice output URL configuration
Finally, the groups must be configured in UserManagement Admin Web.
In order to use Active Directory groups in WebOffice 10.9 R4, the groups in the WebOffice user management database must be named identically (case sensitive). No users need to be members of these groups. All Active Directory user groups can be used, even the domain user group. So-called nested groups are not supported.
For more details on reading attributes from an Active Directory, see chapter Readout Attributes from MS AD. With the logging category LDAP it is possible to get an overview of the communication between WebOffice 10.9 R4 and the LDAP system for troubleshooting. See chapter Logging Tab for details.