With the authentication type SSO it is possible to combine the advantages of the single sign-on scenario (NTLM) with the easy administration and maintenance of the user management database via LDAP. To use this authentication type, Apache Tomcat, MS IIS and the ISAPI Redirector have to be configured for operating system user authentication inside WebOffice 10.9 SP2.
Note: WebOffice 10.9 SP2 supports backup LDAP servers. Just add a second LDAP configuration node. The connection to the first defined LDAP server is tried first (top-down).
Note: Pay attention to Explicitly Supported Scenarios for https.
Note: The authentication type SSO does not use the WebOffice login dialog for authentication. AD groups are used for rights management and are managed in the WebOffice UM Repository. A general comparison of the common authentication methods in WebOffice 10.9 SP2 can be found in chapter Overview of authentication methods.
SSO Architecture

WebOffice SSO architecture
Sequence:
1. (a, b & c) User identification: The logged-in user is identified and checked by the LDAP server system. To use this information correctly, the browser must be able to pass on the login information (MS IE has this capability).

IE security settings
2. (If 1 is successful): The web server passes the user context (NTLM) on through the redirection of the ISAPI redirector. This context only contains the login information but no role memberships. WebOffice 10.9 SP2 determines the role memberships of the user by querying the LDAP server.
3. (If 2 is successful): WebOffice 10.9 SP2 interprets the passed information (user context and role membership) according to the application configuration. Role identifiers (role names) are compared with the role identifiers of the WebOffice user management rights repository (group names). If the string comparison succeeds, the role definition (rights and restrictions) is read from the rights repository and applied. This way WebOffice 10.9 SP2 can assign rights to a logged-in user without holding any user information in the WebOffice user management rights repository.

Authentication type SSO configuration
Property | Description
 | Activates the authentication type UserManagement as a fallback if the SSO login fails (yes) or disables the fallback (no). Note: With SSO the authentication is done for example through the Tomcat Connector (Windows Authentication), so requests to WebOffice are not redirected if the authentication fails. To use the fallback described here, the application has to be accessed through Tomcat directly (e.g. port 8080, IIS ARR redirection to Tomcat). The fallback is executed if no SSO header is delivered (unauthenticated access).
Apache Tomcat Configuration for SSO
To handle the LDAP realm inside WebOffice 10.9 SP2, Tomcat's own authentication has to be switched off (tomcatAuthentication="false" in C:\Tomcat\conf\server.xml). Restart the Tomcat service after the change.

Set tomcatAuthentication="false" in the server.xml
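The tomcatAuthentication switch is an attribute of Tomcat's AJP connector, the channel the ISAPI redirector talks to. Setting it to "false" makes Tomcat accept the user name that IIS has already authenticated, which is exactly what the SSO chain needs, but it also means Tomcat trusts whatever identity arrives on the AJP port, so that port must only be reachable by the local redirector. The following script is an added example, not part of WebOffice or Tomcat: it audits a server.xml for these settings and can rewrite the connector accordingly. The two XML fragments, the finding texts and the function names are constructed for this example; the secretRequired/secret check applies to Tomcat 8.5.51/9.0.31 and later, where a shared secret between redirector and AJP connector is required by default.

```python
# Added example (not WebOffice's or Tomcat's own code): audit the AJP
# connector settings in a Tomcat server.xml that an SSO setup behind the
# ISAPI redirector depends on. The XML fragments below are constructed.
import xml.etree.ElementTree as ET

LOOPBACK = {"127.0.0.1", "::1", "localhost"}

# Constructed: what the connector should look like after the SSO change.
GOOD_SERVER_XML = """<Server port="8005" shutdown="SHUTDOWN">
  <Service name="Catalina">
    <Connector port="8080" protocol="HTTP/1.1" connectionTimeout="20000"/>
    <Connector port="8009" protocol="AJP/1.3" address="127.0.0.1"
               tomcatAuthentication="false" secretRequired="true"
               secret="REPLACE_WITH_SHARED_SECRET"/>
  </Service>
</Server>"""

# Constructed: a stock connector before the SSO change.
BAD_SERVER_XML = """<Server port="8005" shutdown="SHUTDOWN">
  <Service name="Catalina">
    <Connector port="8009" protocol="AJP/1.3"/>
  </Service>
</Server>"""


def ajp_connectors(root):
    """All <Connector> elements whose protocol is AJP (e.g. AJP/1.3)."""
    return [c for c in root.iter("Connector")
            if c.get("protocol", "HTTP/1.1").upper().startswith("AJP")]


def audit_ajp(xml_text):
    """Return a list of findings; an empty list means the AJP connector is
    set up the way the SSO chain (IIS -> ISAPI redirector -> Tomcat) needs."""
    root = ET.fromstring(xml_text)
    findings = []
    connectors = ajp_connectors(root)
    if not connectors:
        return ["no AJP connector defined; the ISAPI redirector has nothing to talk to"]
    for c in connectors:
        port = c.get("port", "?")
        # Tomcat's default is "true": Tomcat would ignore the user that IIS
        # already authenticated and try to authenticate again itself.
        if c.get("tomcatAuthentication", "true").lower() != "false":
            findings.append(f"port {port}: tomcatAuthentication is not \"false\", "
                            "so the IIS/NTLM identity is not passed through")
        # With tomcatAuthentication="false" Tomcat trusts whatever user name the
        # AJP client sends, so only the local redirector may reach this port.
        addr = c.get("address", "")
        if addr not in LOOPBACK:
            findings.append(f"port {port}: AJP bound to '{addr or 'all interfaces'}'; "
                            "bind it to 127.0.0.1 so only the local redirector can connect")
        # Tomcat 9.0.31+/8.5.51+: secretRequired defaults to true and the
        # connector will not start without a shared secret.
        if c.get("secretRequired", "true").lower() == "true" and not c.get("secret"):
            findings.append(f"port {port}: secretRequired is true but no secret is set; "
                            "configure the same secret in the redirector's worker settings")
    return findings


def harden_ajp(xml_text):
    """Return server.xml with tomcatAuthentication="false" and a loopback bind
    address on every AJP connector. The shared secret is deliberately left to
    the administrator, because it must also be entered on the redirector side."""
    root = ET.fromstring(xml_text)
    for c in ajp_connectors(root):
        c.set("tomcatAuthentication", "false")
        if c.get("address", "") not in LOOPBACK:
            c.set("address", "127.0.0.1")
    return ET.tostring(root, encoding="unicode")


if __name__ == "__main__":
    import sys
    # Usage: python audit_ajp.py C:\Tomcat\conf\server.xml (falls back to the
    # constructed BAD_SERVER_XML when no path is given).
    path = sys.argv[1] if len(sys.argv) > 1 else None
    text = open(path, encoding="utf-8").read() if path else BAD_SERVER_XML
    findings = audit_ajp(text)
    for f in findings:
        print("finding:", f)
    if not findings:
        print("AJP connector looks right for SSO")
```

Run against the real C:\Tomcat\conf\server.xml after the change and before restarting the Tomcat service; a clean run confirms that the identity handed over by IIS is used and that the AJP port is not exposed to the network. The script writes nothing back on its own, so apply harden_ajp's output by hand after reviewing it.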
IIS Configuration for SSO
The jakarta application (created in chapter Install Apache Tomcat Connector) has to be secured with Windows Authentication so that IIS forces the user to log on. With this setting the user is authenticated to the web server by NTLM. If IIS is in the same domain as the client, the user credentials are picked up automatically, so the user does not have to log in explicitly.

IIS authentication settings of jakarta directory
The administrator must set up a virtual directory that maps the configured WebOffice output URL to the physical path of the WebOffice output directory (C:\Tomcat\webapps\<WebOffice application>\output). Files in this virtual directory must be accessible via anonymous HTTP. Detailed information about the configuration of the WebOffice output URL can be found in chapter WebOffice.

Add virtual directory in IIS manager

WebOffice output URL configuration
Note: With the logging category LDAP it is possible to get an overview of the communication between WebOffice 10.9 SP2 and the LDAP system for troubleshooting. See chapter Logging Tab for details.