Authentication Type SSO

Using the authentication type SSO it is possible to combine the advantages of the single sign-on scenario using NTLM with the easy administration and maintenance of the user management database using LDAP. In order to use this authentication type, Apache Tomcat, MS IIS and the ISAPI Redirector must be configured so that the operating system user authentication is passed through to WebOffice 10.9 R4.


Note: With WebOffice 10.9 R4, backup LDAP servers are supported. Just add a second LDAP configuration node. The connection to the first defined LDAP server is tried first (top-down).

Pay attention to the chapter Explicitly Supported Scenarios for HTTPS.

The authentication type SSO does not use the WebOffice login dialog for authentication. AD groups are used for rights management and are managed in the WebOffice UM repository.

See also: A general comparison of the common authentication methods in WebOffice 10.9 R4 can be found in chapter Overview of authentication methods.

SSO Architecture

Figure: WebOffice SSO architecture

Sequence:

1. (a, b & c) User identification: The logged-in user is identified and checked against the LDAP server. To use this information correctly, the browser must be able to pass on the login information of the logged-in user (MS IE has this capability).

Figure: IE security settings

2. (If 1 is successful): The web server passes the user context (NTLM) to Tomcat through the redirection of the ISAPI Redirector. This context only contains the login information, not the role memberships. WebOffice 10.9 R4 determines the role memberships of the user by querying the LDAP server.

3. (If 2 is successful): WebOffice 10.9 R4 evaluates the passed information (user context and role membership) based on the application configuration. Role identifiers (role names) are compared to the role identifiers of the WebOffice user management rights repository (group names). If the string comparison succeeds, the role definition (rights and restrictions) from the rights repository is read and applied. This way, WebOffice 10.9 R4 can assign rights to a logged-in user without holding any user information in the WebOffice user management rights repository.

Figure: Authentication type SSO configuration

Property

Description

Use fallback authentication type UM-DB

Set to true to activate the authentication type user management (UM-DB) as a fallback if the SSO login fails; set to false to use no fallback.

Note: If SSO is used, the authentication is done, for example, through the Tomcat Connector (Windows Authentication). Requests to WebOffice are therefore not redirected if the authentication fails. To use the function described above, the application has to be accessed through the Tomcat application directly (e.g. port 8080, IIS ARR redirection to Tomcat). The fallback is executed only if no SSO header is delivered (unauthenticated access).

Use both the SSO (AD) groups and UM-DB groups

Use not only the groups from the SSO system (for example Microsoft Active Directory) but also the groups configured in the user management database. This is useful for group authorisation in projects where an authenticated AD user is not a member of the authorised AD group.

See also: See chapter Groups for creating a new group in the user management database.

See chapter Users for creating a new user in the user management database. This must be an existing user from the Active Directory.

Note: The syntax of the login must be identical between Active Directory and the user management database; this also applies to the domain part.

With the exception of the additional groups from the UM-DB, all user information is obtained exclusively from the Active Directory.

Apache Tomcat Configuration for SSO

To handle the LDAP realm inside WebOffice 10.9 R4, Tomcat authentication has to be set to false (tomcatAuthentication="false" on the AJP connector in C:\Tomcat\conf\server.xml). Restart the Tomcat service after the configuration.
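An added example (not taken from the WebOffice documentation) of the AJP connector entry in server.xml with tomcatAuthentication="false". Because this setting makes Tomcat trust the user name forwarded by the ISAPI Redirector instead of authenticating the user itself, the example also binds the connector to the loopback address and sets an AJP secret; the port, the loopback binding (assumes IIS and Tomcat run on the same host) and the secret value are assumptions, and the secret must match the corresponding worker secret in the ISAPI Redirector's workers.properties.

```xml
<!-- Added example (not from the WebOffice documentation): AJP connector in
     C:\Tomcat\conf\server.xml for the authentication type SSO.
     tomcatAuthentication="false": Tomcat accepts the user name that IIS has
     already authenticated (NTLM) and that the ISAPI Redirector forwards. -->
<Connector protocol="AJP/1.3"
           port="8009"
           redirectPort="8443"
           tomcatAuthentication="false"
           address="127.0.0.1"
           secretRequired="true"
           secret="CHANGE_ME_shared_secret" />
<!-- address: assumption that IIS and Tomcat are on the same machine, so only
     the local ISAPI Redirector can reach the connector and hand over a user.
     secretRequired/secret (Tomcat 8.5.51 / 9.0.31 and later): the same value
     must be configured for the AJP worker in workers.properties (assumption:
     worker.<name>.secret), otherwise the connector refuses the connection. -->
```

Without the address binding and the secret, any client that can reach port 8009 could present its own user name to a connector that no longer authenticates, so the two settings belong together with tomcatAuthentication="false".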

Figure: Set tomcatAuthentication="false" in the server.xml

IIS Configuration for SSO

The jakarta application (created in chapter Install Apache Tomcat Connector) has to be secured by Windows Authentication so that IIS forces the user to log on. Through this setting the user is authenticated to the web server by NTLM. If the IIS server is inside the same domain as the client, the credentials of the logged-in Windows user are taken over automatically, which means that the user does not have to log in explicitly.


Open the Internet Information Services (IIS) Manager and switch to the Apache Tomcat Connector application in the Jakarta node. Open Authentication and configure the following settings:

Anonymous Authentication: Disabled

Windows Authentication: Enabled

Then restart the IIS service.

Figure: IIS authentication settings of the jakarta directory

The administrator must set up a virtual directory that maps the configured WebOffice output URL to the physical path of the WebOffice output directory (C:\Tomcat\webapps\<WebOffice application>\output). Files in this virtual directory must be accessible via anonymous HTTP.
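An added example (not from the WebOffice documentation) showing both IIS authentication settings side by side as they appear in applicationHost.config: the jakarta application with Windows Authentication only, and the output virtual directory with anonymous access, so that map images and exports stay reachable without a user context. The site name "Default Web Site", the virtual directory name "weboffice_output" and the application folder name in the physical path are assumptions; the settings can equally be made in the IIS Manager as described above.

```xml
<!-- Added example (not from the WebOffice documentation), fragment of
     %windir%\System32\inetsrv\config\applicationHost.config.
     Assumptions: site "Default Web Site", virtual directory
     "weboffice_output", application folder WEBOFFICE_APP (placeholder for
     the WebOffice application name under C:\Tomcat\webapps). -->
<configuration>
  <system.applicationHost>
    <sites>
      <site name="Default Web Site" id="1">
        <application path="/">
          <virtualDirectory path="/" physicalPath="%SystemDrive%\inetpub\wwwroot" />
          <!-- WebOffice output URL mapped to the Tomcat output directory -->
          <virtualDirectory path="/weboffice_output"
                            physicalPath="C:\Tomcat\webapps\WEBOFFICE_APP\output" />
        </application>
      </site>
    </sites>
  </system.applicationHost>

  <!-- jakarta application (ISAPI Redirector): IIS must authenticate the user
       via NTLM before the request is forwarded, so anonymous access is off -->
  <location path="Default Web Site/jakarta">
    <system.webServer>
      <security>
        <authentication>
          <anonymousAuthentication enabled="false" />
          <windowsAuthentication enabled="true" />
        </authentication>
      </security>
    </system.webServer>
  </location>

  <!-- output virtual directory: must be readable via anonymous HTTP, the
       opposite of the jakarta settings above -->
  <location path="Default Web Site/weboffice_output">
    <system.webServer>
      <security>
        <authentication>
          <anonymousAuthentication enabled="true" />
          <windowsAuthentication enabled="false" />
        </authentication>
      </security>
    </system.webServer>
  </location>
</configuration>
```

A quick check after the change: an unauthenticated request to a file under the output URL should return 200, while an unauthenticated request to the jakarta application should return 401.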


See also: Detailed information about the configuration of the WebOffice output URL can be found in chapter WebOffice.

Figure: Add virtual directory in IIS manager

Figure: WebOffice output URL configuration

Finally, the groups must be configured in UserManagement Admin Web.

In order to use the Active Directory groups in WebOffice 10.9 R4, the groups in the WebOffice user management database must be named identically (case sensitive). No users need to be members of these groups. All Active Directory user groups can be used, even the domain user group. Nested groups are not supported.


See also: For more details on reading attributes from an Active Directory, see chapter Readout Attributes from MS AD.

With the logging category LDAP it is possible to get an overview of the communication between WebOffice 10.9 R4 and the LDAP system for troubleshooting. See chapter Logging Tab for details.