
2.4.3 Integrating with Single-Sign-On (SSO) authentication schemes

Viewpoint integrates with SSO through an Apache server that uses AJP (Apache JServ Protocol) to proxy requests. SSO reaches the Apache server on port 80, and Apache proxies messages to the Viewpoint server on port 8000; this proxy path is the only way that Viewpoint may be accessed. SSO inspects each request as it comes in. If the user is authenticated, SSO sends the authorization information (groups, username, email, etc.) to Apache for normal routing, and Apache passes that information on to the Viewpoint server. If the user is not authenticated, SSO redirects the request to the SSO login.

You can configure a parameter list and a DN (distinguished name) parameter list to specify which information Viewpoint gathers during authentication. The parameter list names the attributes (for example, the group name) whose values are applied as an HttpHeaderPrincipal, which grants the associated permissions. The DN parameter list names the attribute holding the user's DN, from which LdapGroupPrincipals are applied to users as they sign in.

Single Sign-On authentication provides more login flexibility and more responsiveness than Tomcat.

To integrate with Single-Sign-On (SSO) Authentication Schemes

  1. Open the core.xml file located in the Viewpoint home directory. Locate the <login-module> element.
  2. Verify that the <login-module> class attribute is "com.cri.security.server.modules.HttpRequestLoginModule" and that the flag attribute is "optional":

     <login-module class="com.cri.security.server.modules.HttpRequestLoginModule" flag="optional">

  3. Configure the parameter list to specify how the HttpHeaderPrincipal is assigned to users. To do so, add an <option> child element within <login-module>, give its name attribute the value "parameter-list", and set its content to the desired parameter:

     <option name="parameter-list">group</option>

     When Bob authenticates with the group name admins, the principal admins is applied as an HttpHeaderPrincipal and Bob is granted the permissions associated with it.

     More than one parameter may be specified as a comma-separated list, with or without spaces:

     <option name="parameter-list">group,username</option>

  4. Configure the DN (distinguished name) parameter list to attach an LdapGroupPrincipal for each group to which the user belongs:

     <option name="dn-parameter-list">dn</option>

     When the following parameter is received:

     dn: "cn=bob,ou=admins,ou=uiteam,dc=example,dc=com"

     LdapGroupPrincipals of "admins" and "uiteam" are applied. Each ou= component of the DN is treated as a group and yields an LdapGroupPrincipal.
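The following Python script is an added illustration of the mapping the procedure above describes; it is not Viewpoint's or the login module's own code. It models the attribute values that SSO forwards through Apache as a plain dictionary (a constructed sample, not a real request), splits the comma-separated option values the way step 3 allows, and derives LdapGroupPrincipals from the ou= components of the DN as step 4 describes. The DN splitter honours backslash-escaped commas (so a value such as "Smith\, Bob" does not produce a bogus component) and matches attribute names case-insensitively. The function names and the `headers` dictionary are assumptions for the example only.

```python
from typing import Dict, List, Tuple

# Constructed sample of the attribute values SSO forwards through Apache.
# The keys match the option values used in the procedure ("group",
# "username", "dn"); the values are made up for this example.
SAMPLE_HEADERS: Dict[str, str] = {
    "group": "admins",
    "username": "bob",
    "dn": "cn=bob,ou=admins,ou=uiteam,dc=example,dc=com",
}


def parse_parameter_list(value: str) -> List[str]:
    """Split an <option> value such as "group, username" into names.

    Commas with or without surrounding spaces are accepted, as the
    procedure allows; empty entries are dropped.
    """
    return [name.strip() for name in value.split(",") if name.strip()]


def split_dn(dn: str) -> List[Tuple[str, str]]:
    """Split a DN into (attribute, value) pairs.

    A backslash escapes the next character, so an escaped comma inside a
    value does not start a new component. Attribute names are lowered so
    "OU=" and "ou=" are treated alike.
    """
    components: List[str] = []
    buf: List[str] = []
    i = 0
    while i < len(dn):
        ch = dn[i]
        if ch == "\\" and i + 1 < len(dn):
            buf.append(dn[i:i + 2])  # keep the escape and the escaped char
            i += 2
            continue
        if ch == ",":
            components.append("".join(buf))
            buf = []
        else:
            buf.append(ch)
        i += 1
    components.append("".join(buf))

    pairs: List[Tuple[str, str]] = []
    for component in components:
        attr, _, value = component.strip().partition("=")
        pairs.append((attr.strip().lower(), value.strip()))
    return pairs


def ldap_group_principals(dn: str) -> List[str]:
    """Return every ou= value of the DN, in order; each becomes an LdapGroupPrincipal."""
    return [value for attr, value in split_dn(dn) if attr == "ou"]


def http_header_principals(headers: Dict[str, str], parameter_list: str) -> List[str]:
    """Return the forwarded values named by parameter-list; each becomes an HttpHeaderPrincipal."""
    return [headers[name] for name in parse_parameter_list(parameter_list)
            if headers.get(name)]


def principals_for_request(headers: Dict[str, str],
                           parameter_list: str,
                           dn_parameter_list: str) -> Dict[str, List[str]]:
    """Combine both option lists into the principals a sign-in would receive."""
    ldap_groups: List[str] = []
    for name in parse_parameter_list(dn_parameter_list):
        if headers.get(name):
            ldap_groups.extend(ldap_group_principals(headers[name]))
    return {
        "HttpHeaderPrincipal": http_header_principals(headers, parameter_list),
        "LdapGroupPrincipal": ldap_groups,
    }


if __name__ == "__main__":
    # Mirrors the <option> values from steps 3 and 4 of the procedure.
    print(principals_for_request(SAMPLE_HEADERS, "group,username", "dn"))
```

Because Viewpoint grants these principals purely on the strength of the forwarded attributes, the mapping is only as trustworthy as the path the attributes travel: the proxy on port 8000 must remain the sole route into Viewpoint, as the configuration above requires, so that the values the login module reads can only have been set by Apache after SSO authenticated the user.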
