Single Sign On (SSO) Issue

Similar Messages

• Single Sign-On (SSO) in Web Server 7.0u5

  Hello,
  I am in the process of trying to configure single sign-on (SSO) between several apps in the same SJWS 7.0u5 virtual server, and I'm not having much luck. This appears to be very similar to the problem reported in another thread (http://forums.sun.com/thread.jspa?forumID=759&threadID=5281564) that applied to 7.0u2.
  I found one interesting detail that the previous post did not mention, however, and I think it is key to resolving this issue.
  I've been using the SSO feature of WS7 since day one, and up to this point is has worked flawlessly. However, I am in the process of adding a new webapp that differs from the prior webapps in one significant way: it uses form-based login, and all the previous webapps used basic authentication.
  Using the "Live HTTP Headers" Firefox add-on I captured the cookie exchanges between the client and server, and this is what I see:
  1. Logging in to any of the apps that use basic authentication results in both the JSESSIONID for the current webapp and the JSESSIONIDSSO for the entire server to be returned in the response.
  2. If I then go to a secured URI in the new (form login) webapp the JSESSIONIDSSO cookie is sent, but I still land on the login page.
  3. When completing the login form and submitting it, no JSESSIONIDSSO is returned.
  In both types of apps, my web.xml includes the appropriate configuration. FORM authentication:  <login-config>
      <auth-method>FORM</auth-method>
      <realm-name>ldap</realm-name>
      <form-login-config>
        <form-login-page>/login.jsf</form-login-page>
        <form-error-page>/error.jsf</form-error-page>
      </form-login-config>
    </login-config>...and BASIC authentication:  <login-config>
      <auth-method>BASIC</auth-method>
      <realm-name>ldap</realm-name>
    </login-config>From this, it appears as though the SSO functionality is not working when using FORM authentication, only when using BASIC authentication.
  The web apps developer's guide specifically says that SSO works for all webapps in the same virtual server with the same realm-name, which is certainly the case for me. It doesn't say that SSO is not supported in FORM-authenticated webapps, but that would appear to be the case.
  Or is this a bug?
  Or am I simply doing something obviously wrong?
  Thanks!
  Bill

  In addition, I set the logging level to "fine", and I see these entries for the FORM authentication:
  [06/Sep/2009:22:52:57] fine (20013): for host 127.0.1.1 trying to GET /testSso/index.jsp while trying to GET /testSso/, service-j2ee reports: Process request for '/testSso/'
  [06/Sep/2009:22:52:57] fine (20013): for host 127.0.1.1 trying to GET /testSso/index.jsp while trying to GET /testSso/, service-j2ee reports:  Checking for SSO cookie
  [06/Sep/2009:22:52:57] fine (20013): for host 127.0.1.1 trying to GET /testSso/index.jsp while trying to GET /testSso/, service-j2ee reports:  SSO cookie is not present
  [06/Sep/2009:22:52:57] fine (20013): for host 127.0.1.1 trying to GET /testSso/index.jsp while trying to GET /testSso/, service-j2ee reports: Security checking request GET /testSso/
  [06/Sep/2009:22:52:57] fine (20013): for host 127.0.1.1 trying to GET /testSso/index.jsp while trying to GET /testSso/, service-j2ee reports:   Matched constraint 'SecurityConstraint[secureURIs]' against GET /index.jsp
  [06/Sep/2009:22:52:57] fine (20013): for host 127.0.1.1 trying to GET /testSso/index.jsp while trying to GET /testSso/, service-j2ee reports:   Matched constraint 'SecurityConstraint[secureURIs]' against GET /index.jsp
  [06/Sep/2009:22:52:57] fine (20013): for host 127.0.1.1 trying to GET /testSso/index.jsp while trying to GET /testSso/, service-j2ee reports:  Calling hasUserDataPermission()
  [06/Sep/2009:22:52:57] fine (20013): for host 127.0.1.1 trying to GET /testSso/index.jsp while trying to GET /testSso/, service-j2ee reports:   User data constraint has no restrictions
  [06/Sep/2009:22:52:57] fine (20013): for host 127.0.1.1 trying to GET /testSso/index.jsp while trying to GET /testSso/, service-j2ee reports:  Calling authenticate()
  [06/Sep/2009:22:52:57] fine (20013): for host 127.0.1.1 trying to GET /testSso/index.jsp while trying to GET /testSso/, service-j2ee reports: Restore request from session '19FFE2F63CF4E8756C19B60AC6F7A65E'
  [06/Sep/2009:22:52:57] fine (20013): for host 127.0.1.1 trying to GET /testSso/index.jsp while trying to GET /testSso/, service-j2ee reports: Authenticated 'testUser' with type 'FORM'
  [06/Sep/2009:22:52:57] fine (20013): for host 127.0.1.1 trying to GET /testSso/index.jsp while trying to GET /testSso/, service-j2ee reports: Registering sso id '2698AFCE8889EF9877778386855517BC' for user 'testUser in realm ldap' with auth type 'FORM'
  [06/Sep/2009:22:52:57] fine (20013): for host 127.0.1.1 trying to GET /testSso/index.jsp while trying to GET /testSso/, service-j2ee reports: Associate sso id 2698AFCE8889EF9877778386855517BC with session StandardSession[19FFE2F63CF4E8756C19B60AC6F7A65E]
  [06/Sep/2009:22:52:57] fine (20013): for host 127.0.1.1 trying to GET /testSso/index.jsp while trying to GET /testSso/, service-j2ee reports: Proceed to restored request
  [06/Sep/2009:22:52:57] fine (20013): for host 127.0.1.1 trying to GET /testSso/index.jsp while trying to GET /testSso/, service-j2ee reports:  Calling accessControl()
  [06/Sep/2009:22:52:57] fine (20013): for host 127.0.1.1 trying to GET /testSso/index.jsp while trying to GET /testSso/, service-j2ee reports:   Checking roles testUser
  [06/Sep/2009:22:52:57] fine (20013): for host 127.0.1.1 trying to GET /testSso/index.jsp while trying to GET /testSso/, service-j2ee reports:  Successfully passed all security constraintsThat seems to indicate that an SSO ID is created and a cookie should be sent with the response, but as show in the Live HTTP Headers output, that is not the case.
  The log entries for the BASIC authentication are as follows:
  [06/Sep/2009:22:57:29] fine (20013): for host 127.0.1.1 trying to GET /ppc/index.jsp while trying to GET /ppc/, service-j2ee reports: Process request for '/ppc/'
  [06/Sep/2009:22:57:29] fine (20013): for host 127.0.1.1 trying to GET /ppc/index.jsp while trying to GET /ppc/, service-j2ee reports:  Checking for SSO cookie
  [06/Sep/2009:22:57:29] fine (20013): for host 127.0.1.1 trying to GET /ppc/index.jsp while trying to GET /ppc/, service-j2ee reports: Security checking request GET /ppc/
  [06/Sep/2009:22:57:29] fine (20013): for host 127.0.1.1 trying to GET /ppc/index.jsp while trying to GET /ppc/, service-j2ee reports:   Matched constraint 'SecurityConstraint[ppc]' against GET /index.jsp
  [06/Sep/2009:22:57:29] fine (20013): for host 127.0.1.1 trying to GET /ppc/index.jsp while trying to GET /ppc/, service-j2ee reports:   Matched constraint 'SecurityConstraint[ppc]' against GET /index.jsp
  [06/Sep/2009:22:57:29] fine (20013): for host 127.0.1.1 trying to GET /ppc/index.jsp while trying to GET /ppc/, service-j2ee reports:  Calling hasUserDataPermission()
  [06/Sep/2009:22:57:29] fine (20013): for host 127.0.1.1 trying to GET /ppc/index.jsp while trying to GET /ppc/, service-j2ee reports:   User data constraint has no restrictions
  [06/Sep/2009:22:57:29] fine (20013): for host 127.0.1.1 trying to GET /ppc/index.jsp while trying to GET /ppc/, service-j2ee reports:  Calling authenticate()
  [06/Sep/2009:22:57:29] fine (20013): for host 127.0.1.1 trying to GET /ppc/index.jsp while trying to GET /ppc/, service-j2ee reports: Logging in user [testUser] into realm: ldap using JAAS module: ldapRealm
  [06/Sep/2009:22:57:29] fine (20013): for host 127.0.1.1 trying to GET /ppc/index.jsp while trying to GET /ppc/, service-j2ee reports: Password login succeeded for : testUser
  [06/Sep/2009:22:57:29] fine (20013): for host 127.0.1.1 trying to GET /ppc/index.jsp while trying to GET /ppc/, service-j2ee reports: Authenticated 'testUser' with type 'BASIC'
  [06/Sep/2009:22:57:29] fine (20013): for host 127.0.1.1 trying to GET /ppc/index.jsp while trying to GET /ppc/, service-j2ee reports: Registering sso id 'A58B93F0A00C619AF18F53C2F7C00D16' for user 'testUser in realm ldap' with auth type 'BASIC'
  [06/Sep/2009:22:57:29] fine (20013): for host 127.0.1.1 trying to GET /ppc/index.jsp while trying to GET /ppc/, service-j2ee reports: Associate sso id A58B93F0A00C619AF18F53C2F7C00D16 with session StandardSession[EF2E1F7E8B3FB7E3FDD4607E4A62D99E]
  [06/Sep/2009:22:57:29] fine (20013): for host 127.0.1.1 trying to GET /ppc/index.jsp while trying to GET /ppc/, service-j2ee reports:  Calling accessControl()
  [06/Sep/2009:22:57:29] fine (20013): for host 127.0.1.1 trying to GET /ppc/index.jsp while trying to GET /ppc/, service-j2ee reports:   Checking roles testUser
  [06/Sep/2009:22:57:29] fine (20013): for host 127.0.1.1 trying to GET /ppc/index.jsp while trying to GET /ppc/, service-j2ee reports: No role found:  administrator
  [06/Sep/2009:22:57:29] fine (20013): for host 127.0.1.1 trying to GET /ppc/index.jsp while trying to GET /ppc/, service-j2ee reports:  Successfully passed all security constraintsIn this case, you can see that the SSO ID that is generated matches the value set in the response.
  Bill

• Can Captivate pull a user's login information from a Single Sign On (SSO) page?

  Looking to start pushing out quizzes and trainings via Captivate.  We currently do not have a LMS, so I started testing using Acrobat.com.  We have a Single Sign On (SSO) page that passes our users credenitals on to all the sites and apps.  Is there a way for Captivate to get those credentials, when submitting quiz results?  Do they have to submit their quiz answers via an Acrobat sign in?  Can Captivate auto submit answers or does the end user have to hit the Submit/Submit All button?

  Hi there,
  There is no native feature for getting SSO information in Captivate course.
  If you don't have an LMS, and if you would like to use Acrobat.com reporting, then learner will have to click on the post results button, and enter their Adobe.com or Acrobat.com credentials, then hit submit. (Learners must have an Account on Acrobat.com or Adobe.com to submit the results.)
  If the course will be accessed within the organization's network, then you can also use Internal server reporting, that works exactly same except learners do not need an account on Adobe.com
  They will have to enter their Name and E-mail address to niquely identify them while fetching result reports.
  Thanks.

• CRM single sign on (SSO) to R/3 system via ITS 6.20

  Hi all
  I try to configue CRM2007 single sign on (SSO) to R/3 system via ITS 6.20.
  my configuraion process
  1. on CRM2007
  -profile : login/accept_sso2_ticket = 1
                login/create_sso2_ticket = 2
  - t-code : strustsso2 --> export system PSE
  2. on R/3 system
  - profile : login/accept_sso2_ticket = 1
                 login/create_sso2_ticket = 0
  - t-code : strust --> import certification --> add certification list --> save
  - t-code : oss2 --> execute with crm rfcdestination --> all green.
  3. ITS
  ~appserver      r/3.domain
  ~client     
  ~clientcert      1
  ~cookies      1
  ~exiturl     
  ~hostsecure      itshost.domain
  ~hostunsecure      itshost.domain
  ~language     
  ~login     
  ~logingroup     
  ~messageserver     
  ~multiinstanceservices      1
  ~password     
  ~portsecure      443
  ~portunsecure      80
  ~routestring     
  ~runtimemode      pm
  ~systemname      R/3 SID
  ~systemnumber      R/3 system no
  ~theme      99
  ~timeout      600
  ~urlimage      /sap/its/graphics
  ~urlmime      /sap/its/mimes
  ~usertimeout      240
  ~xgateway      sapdiag
  ~xgateways      sapdiag,sapxgwfc,sapxginet,sapextauth
  ~mysapcomgetsso2cookie 
  ~mysapcomusesso2cookie  1
  ~mysapcomssonoits  1
  for SSO check, execute web ui and then log on web ui
  I go to the Interation center and then go to the ERP information.
  but ITS log on screen appear.
  crm user and r/3 user is same.
  how can I do ??

  You use Server Port 3600, message server.
  It means, while creating a system you used wrong template and picked "SAP system using dedicated application server".
  You should use "SAP system with load balancing", since message server is doing load balancing.
  Once you selected correct template you will see "Message Server" instead of App and GW servers.
  Make sure to fill in
  Group  - Logon group to use. If not defined in R3, use SPACE
  Message Server - ansapdev01
  SAP Client = 150
  SAP System ID <SID> = DEV
  Server Port 3600
  System Type = SAP R/3
  It should work.
  Regards,
  Slava

• IRecuritment: Resume Parsing with Single Sign on (SSO)

  Application Version:11.5.9
  RDBMS Version:9.2.0.7
  Patch Level:IRC.D, HR_PF.G
  Problem Description/Question:
  Anyone successfully parsed resumes with Single Sign On enabled. We are unable to parse resume with SSO. If I disable the SSO the parsing is working fine. With the SSO enabled resume parsing giving the following error:
  javax.net.ssl.SSLException: SSL handshake failed: X509CertChainIncompleteErr
  Pl. let me know if you have any suggestions/work around to resolve the issue. Client is going to live in 3 weeks. Any help is appreciated.
  Thanks,
  V

  Hi Rainer,
  you can find this setting in your Internet Explorer. Use Tools -> Internet Options -> Advanced. In the section "Security", check "Enable Integrated Windows Authentication (requires restart)" and restart your browser.
  If the error still persists Note
  934138 might be useful. 
  Hope this will help out.
  Regards,
  André

• Single Sign On WiFi issue

  Hi folks!
  I've got the most frustrating issue I've ever experienced. Single Sign on for my wireless clients (laptops/tablets). It's literally hit or miss whether it happens or not.
  The most recent one is a rebuild of an ASUS T100TA. I installed 8.1 Pro from USB stick and used a USB LAN Adapter to connect the client to the domain the first time and to refresh GPs for the first few hours of use. After that, the device was to go to a
  new user who would be able to login via the Wireless settings being rolled out via GPO - see settings below.
  Now, I know the profile is 100% correct, as once logged in, the SSID is magically connected (based on the GPO settings to connect immediately, not seen in the image). Users have full access to any/all network services.
  But see to log a new user onto the device, I get connecting, then "Unable to connect to SSID. Logging on", and finally the dreaded There are no logon servers available message.
  But that's not strictly true either, as all my tested BEFORE
  sending to the site/user were successful. And even once on site, one of the admin staff logged in to test it (mustn't have trusted me :/) with 100% success. Logged her in without her ever being logged onto it before. But the following day, when the device's
  owner arrived and logged on, the bloody nope train arrived again, and it's been like that ever since. But once I log on with a cached profile, boom, WiFi connects via the GPO settings without an issue. There is another identical device in the same office and
  it works without an issue.
  Without sounding dramatic, I can find absolutely no one else that has experienced the same issues as I'm having and it's starting to look like the window and ground will be the destination for the wee tablet if it doesn't start to play ball.
  Any help would be so appreciated.
  Cheers!

  Hi Goducks90,
  We'd better start your own thread for the others to be better involved. As the issue is different from many aspects.
  Also please have a share with the current situation and what steps you have tried for the folks to share a quick and helpful suggestions. We may follow the suggestions in the thread below to ask in TechNet:
  How to ask a question efficiently in TechNet forum
  Best regards
  Michael Shao
  TechNet Community Support

• Oracle single sign on Synchronization issue

  We have pushed the Single Sign on Agent in our enviornment through SMS.With most of the users it seem to be working perfectly alrightAll the applications are listed and being synchronized.The issue is with some of the users we get the applications Greyed.Settings for Synchronization are selected but still its not working.
  its only with some of the users,With rest its working perfectly fine.where as the same MSI package have been installed on all the machines.
  Any body who have faced the same issue. Help

  Hi
  In my experience applications are greyed out when their template is available in the local cache and the user does not belong to the group the particular template has been assigned through the Administrative Console. Have you enabled role/group support?
  Regards

• WCI single sign on(SSO) configurations with Oracle Access Manager(OAM)

  I have to integrate the oracle access manager with the WCI(ALUI) for the SSO implementation.What are the configurations required to implement SSO with oracle access manager in WCI/ALUI

  Any answer to the last question on..?
  No, better explain my query with 2 scenarios:
  Scenario 1:
  Usual scenario authentication of a user to a web application without the single web functionality on the acces single manager:
  Login screen of the web application ====> Access to the web application home
  Scenario 2:
  Scenario authentication of a user to a single web application with web functionality on the acces single manager:
  Login screen oracle access manager ====> Display login web application ====> Access to the web application home
  My query is:
  You can configure the functionality of single sign on to access manager with a web application that does not have its login screen of the web application. For example:
  Login screen oracle access manager ====> Access to the web application home

• Proxy Server and single sign on (SSO)

  We are currently running Portal 7.  I've enabled single sign on via logon tickets from portal to our backend ECC 6.0 and CRM 5.0 systems and its working fine.  For demoing to clients we've employed the Apache webserver for reverse proxy.  This reverse proxy server is located in the DMZ, on a domain of its on.  I can access the portal fine through the reverse proxy but now the single sign on to our backend ECC and CRM systems doesn't work.  I know the issue lies with the difference in the domain.
  Has anyone come accross an issue such as this and can lend me some help?

  Hi,
  Domain relaxing will not work in this setting, ref. RFC 2109 http://www.ietf.org/rfc/rfc2109.txt
  What you need to do is to create a DNS alias for the portal on domain [something].[company].com. Then create a portal component which returns the MYSAPSSO2 cookie and create an URL iView for it with the DNS alias hostname and add it to the default framework page. In this way, persons logging in will get the MYSAPSSO2 cookie for both domains [sap subdomain].[network domain].local and [network domain].[company].com
  Regards
  Dagfinn

• Single-Sign-On (SSO) configuration on JAVA Stack through HTTP Header method

  Hello SDN community,
  in the context of a Proof of Concept, we are testing the integration of Microsoft Sharepoint Portal with SAP Backend (addin) systems.
  As the architecture impose use an external scenario (access from the internet), we couldn't use the Kerberos (SPNego) solution and thus we chosed the http header solution which in short uses an intermediary web server (in this case the IIS of the MOSS solution) which will act as authority.
  I miss information on how the workflow works for this http header authentication method. Through the visual administrator of the addin JAVA stack, it is possible to configure each application with a customized authentication (a choice of security modules). But this all that I know.
  My task is to configure SSO. From a sharepoint portal, the user should be able to access Web Dynpros and BSPs. I imagine that the very first call to a webdynpro or bsp (or maybe when we log on the sharepoint portal), the request to the WDP or BSP will first be forwareded by the intermediary server to the JAVA stack (or is it the SAP dispatcher that has to be configured).
  Is there an application to be built on the java stack to deal with the authentication, modify http header?
  What will the Java stack return? a sap long ticket? a token?
  How will the redirect work (to by example a BSP which is in the ABAP stack)?
  SAP preconise to secure with SSL the link between the intermediary web server and the JAVA stack, is IP restriction also a solution?
  A lot of questions about how this SSO http header should work,
  I would be very greatful for any help, or info,
  Kind regards,
  Tanguy Mezzano

  Hi Tanguy,
  to tell you the truth I'm really unsure about what you are trying to achieve. When I started posting to your thread I thought all you wanted was trying to access your J2EE engine via Browser and authenticate against the engine using HTTP Header Variables. Nevermind:
  Here are some answers to your question:
  in fact I did succeed, the problem was that even after domain-relaxation done by the J2EE, I had to change the domain of th SAP cookie to the bbbb.domain.com to be understood (I would have thought that all hosts in/under domain .domain would have accepted such a cookie but it seems that no...).
  The server does not care about the domain because Cookies in an HTTP Request do not contain any domain information. The domain is just important when the Cookie is set by the server so your Client (Browser) will know in which cases the Cookie may be sent or not. So if your domain is xxx.yyy.domain.com and your cookie is issued to .domain.com then your Browser will definitely sent it to all hosts under .domain.com (This includes xxx.yyy.domain.com etc.)
  My current scenario is: in a first request get a SAP Logon Ticket from the Java Stack, then change its domain and then directly call the backend with it.
  You can do that but there is no Client involved in this scenario. So this is useful if you just want to test the functionality (e.g. authentication to J2EE using Header Variables (This works finally!!!) and then use the fetched Logon Ticket to test SSO against any trusted Backend!!)
  So everything's is in a Java Client application without using any redirection.
  If I understand you, you're solution is from the Browser call a servlet (which is deployed on the Java Stack and has no authentication schema) by passing to it our http header.
  No, you should initially authenticate somewhere! I thought that maybe you had some resource you access before accessing the Java Stack. This could be any application (e.g. deployed on a Tomcat or JBOSS or other server or if you like even SAP J2EE). After authenticating there you are aware of the username and could use it to  procceed (e.g. Authenticate against the J2EE using the same user and HTTP Header authentication for that particular user!)
  That servlet will transfer the http header (with the HttpClient app) in order to get from the Java Stack a SAP Logon ticket, and then to redirect to the resource and by sending back the cookie in client browser. Am I correct?
  This was just a suggestion because I realized that there was no Client ever involved in any of your testing (looked strange to me!). I was just thinking that it would be easier for you to just get the Cookie into your Browser so your Browser would do the rest for you (in your case finally send the Logon Ticket Cookie to your Backend to test SSO using Logon Tickets!).
  The AuthenticatorServlet somehow serves as a Proxy to your client because your client is not able to set the Header Variable. That's why I initially suggested to use a Proxy (e.g. Apache) for that purpose. The problem is just that if you use a Proxy you will have to tell it somehow which username it should set in the Header Variable (e.g. using a URL Parameter or using a personalized client certificate and fetch the username (e.g. cn=<username> from the certificate!)
  This way of doing would simplify the calls for sso for each new application needing authentication, instead of having all code each time in it...
  I'm stuck again! Do you want to authenticate an End User or do you want to authenticate an application that needs to call any resources in your Backend that requires authentication?
  So my problem now, is how to call the servlet from the client browser:
  I'm trying to call my servlet from the browser but I don't succeed. I am able to understand how to reach a jsp from the Java Stack, but not to reach a servlet. I don't find the path to my servlet:
  <FORM method="POST" action="SSORedirect2" >
  A JSP is a servlet too. There is just no JAVA Class involved!
  You do not need any POST Request to invoke a Servlet.
  I see that my servlet is deployed, but I don't how what path to give to my form to invoke the servlet, here follows my web.xml
    <?xml version="1.0" encoding="UTF-8" ?>
    <!DOCTYPE web-app (View Source for full doctype...)>
  - <web-app>
    <display-name>WEB APP</display-name>
    <description>WEB APP description</description>
  - <servlet>
    <servlet-name>SSOredirect2</servlet-name>
    <servlet-class>com.atosorigin.examples.AuthenticatorServlet</servlet-class>
    </servlet>
  - <servlet>
    <servlet-name>SSORedirect2.jsp</servlet-name>
    <jsp-file>/SSORedirect2.jsp</jsp-file>
    </servlet>
  - <security-constraint>
    <display-name>SecurityConstraint</display-name>
  - <web-resource-collection>
    <web-resource-name>WebResource</web-resource-name>
    <url-pattern>/*</url-pattern>
    <http-method>GET</http-method>
    <http-method>POST</http-method>
    </web-resource-collection>
  - <auth-constraint>
    <role-name>DefaultSecurityRole</role-name>
    </auth-constraint>
    </security-constraint>
  - <security-role>
    <role-name>DefaultSecurityRole</role-name>
    </security-role>
    </web-app>
  If you have an AuthenticatorServlet Class all you need is to add the Servlet Mapping in your web.xml file
  e.g.
  <servlet>
    <description>
    </description>
    <display-name>AuthenticatorServlet</display-name>
    <servlet-name>AuthenticatorServlet</servlet-name>
    <servlet-class>com.atosorigin.examples.AuthenticatorServlet</servlet-class>
  </servlet>
  <servlet-mapping>
    <servlet-name>AuthenticatorServlet</servlet-name>
    <url-pattern>/AuthenticatorServlet</url-pattern>
  </servlet-mapping>
  You can directly call the Servlet in your Browser by calling the URL provided in the url-pattern of your Servlet mapping ( in this case /AuthenticatorServlet). The engine will invoke the Class "com.atosorigin.examples.AuthenticatorServlet" in the background and do whatever you defined there!
  I have also to pass my http header and the redirectUrl in the GET request.
  If you like! I just suggested this for testing purposes. As I stated before you need a way to tell your proxy (or in your case AuthenticatorServlet) which user should be set when calling the Engine in order to authenticate using HTTP Header. You could use the URL Paramater to define the user you actually want to use when you set the Header Variable.
  I just introduced the redirectURL because you were talking about redirects all the time. So if you finally want to call the Backend you could define the Backend URL in the redirectURL Parameter and the Servlet will make sure that you are redirected to this location after the whole process!
  Thx for your input very helpful,
  But again 0 points
  Cheers

• Single Sign On (SSO) Internet Access via ASA

  Good Afternoon,
  I'm looking for a way for users to authenticate through the ASA to determine whether or not they are granted access to the Internet. I would like to provide two separate Active Directory groups, for example, GRP-NO-INTERNET and GRP-INTERNET. When a user accesses the Internet I would like the firewall to obtain a SSO credential and query AD to see if they have access or not and respond accordingly.
  I'm currently working with TAC to investigate the possibility of using DAP but was curious if others have successfully tested this or what other options may be available. The end result would be to eliminate the credentials prompt by the firewall and have the authentication done in the background (somehow) without user interaction.
  Thanks in advance to anyone's suggestions.
  -Mike

  Actually, it should be possible starting ASA 8.4.2. You will have to configure an AD Agent on Windows. Please see the following link
  http://www.cisco.com/en/US/docs/security/asa/asa84/configuration/guide/access_idfw.html
  Please rate if it helps. Kind regards

• Configuring Single Sign On (SSO) in JAAS

  Hi All,
  I am trying to configure SSO in JBoss . I have my custom LoginModules which I have configured in login-config.xml
  <application-policy name="LoginModule1">
     <authentication>
         <login-module code="com.MyLoginModule" flag="required">
         </login-module>
     </authentication>
  </application-policy>
  <application-policy name="LoginModule2">
     <authentication>
         <login-module code="com.MyLoginModule" flag="required">
              <module-option name="useSharedState">true</module-option>
         </login-module>
     </authentication>
  </application-policy>The name of my web applications are sso1 and sso2 . Both of them use the same instance of JBoss .
  I have also configured auth.conf
  sso1 {
  com.MyLoginModule required;
  sso2 {
  com.MyLoginModule required  useSharedState=true;
  };I am logging in to sso1 and their I am checking
  if user is logged in , if not then user is presented with login page .
  The username and passwords are checked and then user is forwaded to
  next page .
  The MyLoginModule code is :
  if ("true".equalsIgnoreCase((String)this.options.get("useSharedState")))
       userName = (String)this.sharedState.get("javax.security.auth.login.name");
       password = (String)this.sharedState.get("javax.security.auth.login.password");
  } else {
       userName = request.getParameter("userName");
       password = request.getParameter("password");
       //save the username and password into the shared state
       this.sharedState.put("javax.security.auth.login.name",userName);
       this.sharedState.put("javax.security.auth.login.password",password);
  }     when user logs in for the first time the
  username and password is put into sharedstate . Now when I fwd the user
  to sso2 application , MyLoginModule again comes into action , the 'if'
  part of the code is executed but the
  this.sharedState.get("javax.security.auth.login.name") or
  this.sharedState.get("javax.security.auth.login.password") returns null
  I have configured the jboss-web.xml also in respective webapps.
  <jboss-web>
  <security-domain>java:/jaas/LoginModule1</security-domain>
  <context-root>/sso1</context-root>
  </jboss-web>
  <jboss-web>
  <security-domain>java:/jaas/LoginModule2</security-domain>
  <context-root>/sso2</context-root>
  </jboss-web>Also server.xml is configured properly
  <Valve className="org.apache.catalina.authenticator.SingleSignOn" />     Any idea whats failing ?

  Hi All,
  I am trying to configure SSO in JBoss . I have my custom LoginModules which I have configured in login-config.xml
  <application-policy name="LoginModule1">
     <authentication>
         <login-module code="com.MyLoginModule" flag="required">
         </login-module>
     </authentication>
  </application-policy>
  <application-policy name="LoginModule2">
     <authentication>
         <login-module code="com.MyLoginModule" flag="required">
              <module-option name="useSharedState">true</module-option>
         </login-module>
     </authentication>
  </application-policy>The name of my web applications are sso1 and sso2 . Both of them use the same instance of JBoss .
  I have also configured auth.conf
  sso1 {
  com.MyLoginModule required;
  sso2 {
  com.MyLoginModule required  useSharedState=true;
  };I am logging in to sso1 and their I am checking
  if user is logged in , if not then user is presented with login page .
  The username and passwords are checked and then user is forwaded to
  next page .
  The MyLoginModule code is :
  if ("true".equalsIgnoreCase((String)this.options.get("useSharedState")))
       userName = (String)this.sharedState.get("javax.security.auth.login.name");
       password = (String)this.sharedState.get("javax.security.auth.login.password");
  } else {
       userName = request.getParameter("userName");
       password = request.getParameter("password");
       //save the username and password into the shared state
       this.sharedState.put("javax.security.auth.login.name",userName);
       this.sharedState.put("javax.security.auth.login.password",password);
  }     when user logs in for the first time the
  username and password is put into sharedstate . Now when I fwd the user
  to sso2 application , MyLoginModule again comes into action , the 'if'
  part of the code is executed but the
  this.sharedState.get("javax.security.auth.login.name") or
  this.sharedState.get("javax.security.auth.login.password") returns null
  I have configured the jboss-web.xml also in respective webapps.
  <jboss-web>
  <security-domain>java:/jaas/LoginModule1</security-domain>
  <context-root>/sso1</context-root>
  </jboss-web>
  <jboss-web>
  <security-domain>java:/jaas/LoginModule2</security-domain>
  <context-root>/sso2</context-root>
  </jboss-web>Also server.xml is configured properly
  <Valve className="org.apache.catalina.authenticator.SingleSignOn" />     Any idea whats failing ?

• Sample Application - Single Sign On from PeopleSoft to Infoview

  <p>This zip file contains the code which provides the capability of Single Sign On (SSO) from the PeopleSoft portal to the BusinessObjects Enterprise Infoview portal even to the report level. See the documentation in the docs folder for information on what this code does and how to install it within your environment.</p><p> *********************</p><p>Update: Please be sure to download this <a href="http://ftp1.businessobjects.com/outgoing/CHF/boXIr2psoftwin_chf.zip">patch</a> (KBase<span style="margin-left: 5px"><a href="http://technicalsupport.businessobjects.com/KanisaSupportSite/search.do?cmd=displayKC&docType=kc&externalId=1544953&sliceId=&dialogID=14530755&stateId=1 0 14532113">1544953</a>)</span> for the Integration Kit for PeopleSoft software as well. It resolves a security issue with how the PeopleSoft logon token is handled by BusinessObjects Enterprise.</p>

  Hello Boris,
  The error happens seemingly at the very end of the SSO login.  The Infoview screen is created, and after it is all built out the error appears.  The error appears before any user interaction and before a report can be run.  Clicking OK makes the error go away, but InfoView is not fully functional (folder hierarchy doesn't expand, etc etc).
  WAS log file excerpt at time of error:
  [5/7/07 15:31:58:926 CDT] 6ace6575 SystemOut     O 15811343 [Servlet.Engine.Transports : 15] ERROR com.businessobjects.encyclopedia.uitoolkit.web.ToolkitServlet  - Request = /businessobjects/enterprise115/desktoplaunch/applications/init.bouitoolkit
  [5/7/07 15:31:58:941 CDT] 6ace6575 SystemOut     O 15811358 [Servlet.Engine.Transports : 15] ERROR com.businessobjects.encyclopedia.uitoolkit.web.ToolkitServlet  - From = wxpch1-bfqb.cna.com
  [5/7/07 15:31:58:941 CDT] 6ace6575 SystemOut     O 15811358 [Servlet.Engine.Transports : 15] ERROR com.businessobjects.encyclopedia.uitoolkit.web.ToolkitServlet  - java.lang.NullPointerException
  [5/7/07 15:31:58:941 CDT] 6ace6575 WebGroup      I SRVE0181I: [Desktop Web Examples] [/businessobjects/enterprise115/desktoplaunch] [Servlet.LOG]: java.lang.NullPointerException: java.lang.NullPointerException
       at com.businessobjects.encyclopedia.reportviewer.encyclopedia.EncyclopediaApplication.init(EncyclopediaApplication.java:167)
       at com.businessobjects.encyclopedia.uitoolkit.web.HtmlApplicationFactory.createApplication(HtmlApplicationFactory.java:103)
       at com.businessobjects.encyclopedia.reportviewer.wrapper.InfoViewPanel.init(InfoViewPanel.java:106)
       at com.businessobjects.encyclopedia.uitoolkit.web.HtmlApplicationFactory.createApplication(HtmlApplicationFactory.java:103)
       at com.businessobjects.encyclopedia.uitoolkit.web.ToolkitServlet.doPost(ToolkitServlet.java:265)
       at javax.servlet.http.HttpServlet.service(HttpServlet.java:760)
       at javax.servlet.http.HttpServlet.service(HttpServlet.java:853)
       at com.ibm.ws.webcontainer.servlet.StrictServletInstance.doService(StrictServletInstance.java:110)
       at com.ibm.ws.webcontainer.servlet.StrictLifecycleServlet._service(StrictLifecycleServlet.java:174)
       at com.ibm.ws.webcontainer.servlet.IdleServletState.service(StrictLifecycleServlet.java:313)
       at com.ibm.ws.webcontainer.servlet.StrictLifecycleServlet.service(StrictLifecycleServlet.java:116)
       at com.ibm.ws.webcontainer.servlet.ServletInstance.service(ServletInstance.java:283)
       at com.ibm.ws.webcontainer.servlet.ValidServletReferenceState.dispatch(ValidServletReferenceState.java:42)
       at com.ibm.ws.webcontainer.servlet.ServletInstanceReference.dispatch(ServletInstanceReference.java:40)
       at com.ibm.ws.webcontainer.webapp.WebAppRequestDispatcher.handleWebAppDispatch(WebAppRequestDispatcher.java:1171)
       at com.ibm.ws.webcontainer.webapp.WebAppRequestDispatcher.dispatch(WebAppRequestDispatcher.java:676)
       at com.ibm.ws.webcontainer.webapp.WebAppRequestDispatcher.forward(WebAppRequestDispatcher.java:203)
       at com.ibm.ws.webcontainer.srt.WebAppInvoker.doForward(WebAppInvoker.java:125)
       at com.ibm.ws.webcontainer.srt.WebAppInvoker.handleInvocationHook(WebAppInvoker.java(Compiled Code))
       at com.ibm.ws.webcontainer.cache.invocation.CachedInvocation.handleInvocation(CachedInvocation.java:71)
       at com.ibm.ws.webcontainer.srp.ServletRequestProcessor.dispatchByURI(ServletRequestProcessor.java:246)
       at com.ibm.ws.webcontainer.oselistener.OSEListenerDispatcher.service(OSEListener.java:334)
       at com.ibm.ws.webcontainer.http.HttpConnection.handleRequest(HttpConnection.java:56)
       at com.ibm.ws.http.HttpConnection.readAndHandleRequest(HttpConnection.java(Compiled Code))
       at com.ibm.ws.http.HttpConnection.run(HttpConnection.java:458)
  This and the other information you've requested can be found in case #302807226.
  Thank you for your help,
  Brian

• Enable Single Sign On in Share point 2013 with external IDP like CAS (Central Authentication Service)

  Hi,
  We need to configure our share point 2013 web application to work with third party site using Single Sign On (SSO) service.
  Currently we are using CAS (Central Authentication Service) as third party site. Trying to accomplish this from the last few days didn't found anything helpful.
  Please let us know is share point 2013 support authentication with any external site and if not is there any alternative to achieve this e.g. via ADFS or something else. Please help.
  Neetu Tanwar Software Developer

  You can do CAS and SharePoint auth using below
  Check below
  http://webcache.googleusercontent.com/search?q=cache:EhC3JLvqDWwJ:balendrant.blogspot.com/2013/05/external-authentication-providers-for.html+&cd=4&hl=en&ct=clnk&gl=in&client=firefox-beta
  http://www.google.co.in/url?sa=t&rct=j&q=&esrc=s&source=web&cd=9&ved=0CFEQFjAI&url=http%3A%2F%2Fdownload.microsoft.com%2Fdocuments%2FFrance%2FInterop%2F2010%2FFederated_Collaboration_With_Shibboleth_2_0_and_SharePoint_2010_technologies-1_0.docx&ei=i0u1U6bVB4KMuATP94II&usg=AFQjCNF09JusWUS97-em12JFpaH64Pxa3A&bvm=bv.70138588,d.c2E&cad=rja
  If this helped you resolve your issue, please mark it Answered

• ApEx 2.1.0.00.39 as Partner Application in Oracle AS Single Sign-On

  Hi,
  I've installed the last Application Express 2.1.0.00.39 (oracle-xe-10.2.0.1-1.0.i386.rpm and oracle-xe-univ-10.2.0.1-1.0.i386.rpm) but, when I try to "create an authentication scheme" for configure an ApEx application to use SSO under
  Home>Application Builder>Application xxx>Shared Components>Authentication Schemes>Create Authentication Scheme
  in the second step of the procedure I don't find the choice "Oracle Application Server Single Sign-On (Application Express engine as Partner App)".
  I found only these:
  - Show Built-In Login Page and Use Open Door Credentials
  - Show Login Page and Use Application Express Account Credentials
  - Show Login Page and Use Database Account Credentials
  - Show Login Page and Use LDAP Directory Credentials
  - No Authentication (using DAD)
  even if under the help voice "V Information" the others two are describes:
  Oracle Application Server Single Sign-On (Application Express engine as Partner App) delegates authentication to the Oracle Application Server Single Sign-On (SSO) Server. This Application Express site must have already been registered as a partner application with the SSO server. For more information, contact your administrator.
  Oracle Application Server Single Sign-On (My application as Partner App) delegates authentication to the SSO server. In this case, you must register an application with SSO as a partner application. See the next page for more details.
  Does Someone know how to resolve it?
  Thanks
  Emanuele

  Thanks for all your help Scott
  I've added the -PORTAL_SSO- .....
  After this I've had a new problem same to this: Re: SSO Authentication Not Working
  "get the error below and it then directs me to http://hostx/htmldb/f? and the "p=" is missing"
  But after a lot of tests I discovered where was the problem: "The apache configuration for the proxy!!"
  This an extract from the installation doc :
  SetEnv force-proxy-request-1.0 1
  ProxyPass /htmldb http://127.0.0.1:8080/htmldb
  ProxyPassReverse /htmldb http://127.0.0.1:8080/htmldb
  ProxyPass /i http://127.0.0.1:8080/i
  ProxyPassReverse /i http://127.0.0.1:8080/i
  ProxyPass /sys http://127.0.0.1:8080/sys
  ProxyPassReverse /sys http://127.0.0.1:8080/sys
  where you replace 127.0.0.1 with the name OR ip address of your XE installation. 8080 is the default http port of your XE installation. "
  Well, I used the IP ADDRESS and in the @regapp > listener_token the NAME!!! (HTML_DB:servername.domain:80)
  I changed the IP ADDRESS with the NAME, restarted the httpd service and now all works fine.
  Emanuele