Overview

Single sign-on (SSO) is an access control mechanism that can be applied across multiple related but independent software systems. With it, a user logs in once and gains access to multiple systems without being prompted to log in again for each individual application. Conversely, single sign-off is the property whereby a single sign-out action terminates access to multiple software systems.

Because different applications and resources support different authentication mechanisms, single sign-on has to internally translate the initial authentication into, and store, the different credentials each system requires.

Benefits

  1. Reduced password fatigue from different user name and password combinations.
  2. Reduced time spent re-entering passwords for the same identity.
  3. Reduced logins for discrete systems:
    1. Corporate systems
    2. Shared intranet/web applications
    3. Web logon aggregators
  4. Reduced cost to reset a password.
  5. Reduced time spent logging into multiple systems each time.
  6. Fewer repeated authentications, unnecessary user clicks, forgotten passwords and duplicate profiles.
  7. Less time and fewer resources needed to develop IT solutions.

Criticisms

  1. Single sign-on provides access to many resources/systems at once using a single credential (“keys to the castle”), so that credential can be misused if it becomes available to another person.
  2. Single sign-on also makes the authentication system highly critical; a loss of its availability results in denial of access to all systems unified under SSO.

Designs

Following are the basic design patterns used to implement single sign-on solutions.

1. Ad-hoc Encrypted Token (currently not supported; included in the future roadmap)

Applications use symmetric and public-key cryptography to encrypt the application data used for SSO.

Please refer to the diagram below:

[Figure: 3.1_SingleSignOn_10001]

 

This SSO design can be integrated with Ephesoft using Active Directory only. A key store has to be maintained in every application that is to be unified under SSO, so each such application must provide for one.

Pros:

  1. Easy to set up and implement.
  2. No dependency on other systems.

Cons:

  1. Not a unified solution.
  2. Each site has to manage its own cryptographic key.

2. Using third-party SSO agents or identity management systems such as OAM, SiteMinder etc. (supported method)

In this approach the application uses the service provided by the SSO agent.

Please refer to the diagram below:

[Figure: 3.1_SingleSignOn_10002]

 

The current solution developed by Ephesoft is based on this design (design #2).

Description

The Ephesoft application can now be configured with the following security types:

  1. Ephesoft default security using LDAP, AD, Tomcat.
  2. SSO authentication, with authorization at the Ephesoft end using LDAP, AD etc.
  3. SSO authentication and authorization.

The security type for the Ephesoft application is configured through ‘web.xml’.

The following properties need to be configured in ‘web.xml’:

  1. The ‘authenticationType’ context parameter defines the security type mentioned above. It can be configured with the following values:
    a. ‘0’ – Ephesoft default security using LDAP, AD, and Tomcat
    b. ‘1’ – SSO authentication, with authorization at the Ephesoft end using LDAP, AD etc.
    c. ‘2’ – SSO authentication and authorization

Please refer to the screenshot below:

[Figure: 3.1_SingleSignOn_10003]

 

  2. If the ‘authenticationType’ parameter above is configured with value ‘1’ or ‘2’, the following parameters need to be configured as well:

    A. The following init parameters need to be configured for the ‘authenticationFilter’ filter:
      a. ‘requestUsernameHeader’ defines the header name used by the SSO Agent to set the user name of the authenticated user in the request. The Ephesoft application uses the same header name to fetch that information from the SSO Agent. (Required for both security types, 1 and 2.)
      b. ‘logoutUrl’ defines the logout URL to which the Ephesoft application redirects the user after the user signs out by clicking the sign-out button in the application. A complete URL is expected as this parameter value. (Required for both security types, 1 and 2.)
      c. ‘requestGroupnameHeader’ defines the header name used by the SSO Agent to set, in the request, the group name the authenticated user belongs to. The Ephesoft application uses the same header name to fetch that information from the SSO Agent. Only one group name is expected in this header value. (Required only for security type 2.)
      d. ‘requestSuperAdminHeader’ defines the header name used by the SSO Agent to set, in the request, whether the group belongs to the super admin role or not. The Ephesoft application uses the same header name to fetch that information from the SSO Agent. The expected header values are ‘true’ or ‘false’. (Required only for security type 2.)

Please refer to the screenshot below:

[Figure: 3.1_SingleSignOn_10004]

 

 

    B. All ‘<security-constraint>’ and ‘<login-config>’ entries need to be commented out or deleted, as this part will be managed by the SSO Agent.

    C. A ‘default_group’ property has been added in the ‘application.properties’ file; it defines the default group to be used when no group name is provided in the request header. (Required only for security type 2.)

For security types ‘1’ and ‘2’, any realm configured for the Ephesoft application (configured for earlier shared releases) needs to be removed.

 

From 3.1 the following needs to be configured along with the other configurations already mailed:

The new session time-out feature has to be removed when the authentication type is set to 1 or 2, so follow these steps:

 

1. Comment out the ‘SessionTimeoutFilter’ and ‘SessionTimoutServelet’ entries in ‘web.xml’.

 

Please refer to the screenshot below:

[Figure: 3.1_SingleSignOn_10005]

 

2. Remove the entry for ‘session-timeout.js’ from all the HTML files.

Please refer to the screenshot below:

[Figure: 3.1_SingleSignOn_10006]
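Putting the ‘web.xml’ settings above together, here is an illustrative fragment for security type 2; it is an added example, not Ephesoft's shipped ‘web.xml’, and the filter class, the filter mapping and the X-SSO-* header names are placeholders for whatever your SSO agent actually sets:

```xml
<!-- Illustrative web.xml fragment for security type 2 (SSO authentication and
     authorization). Added example, not Ephesoft's shipped web.xml: the filter
     class, the filter mapping and the X-SSO-* header names are placeholders. -->
<web-app xmlns="http://java.sun.com/xml/ns/javaee" version="2.5">

  <!-- 0 = Ephesoft default security, 1 = SSO authentication with authorization
       at the Ephesoft end, 2 = SSO authentication and authorization -->
  <context-param>
    <param-name>authenticationType</param-name>
    <param-value>2</param-value>
  </context-param>

  <filter>
    <filter-name>authenticationFilter</filter-name>
    <filter-class>com.example.sso.AuthenticationFilter</filter-class> <!-- placeholder -->
    <init-param> <!-- types 1 and 2: header the SSO agent sets to the user name -->
      <param-name>requestUsernameHeader</param-name>
      <param-value>X-SSO-User</param-value>
    </init-param>
    <init-param> <!-- types 1 and 2: complete URL of the agent's logout endpoint -->
      <param-name>logoutUrl</param-name>
      <param-value>https://sso.example.com/logout</param-value>
    </init-param>
    <init-param> <!-- type 2 only: exactly one group name expected in the header -->
      <param-name>requestGroupnameHeader</param-name>
      <param-value>X-SSO-Group</param-value>
    </init-param>
    <init-param> <!-- type 2 only: header value must be true or false -->
      <param-name>requestSuperAdminHeader</param-name>
      <param-value>X-SSO-SuperAdmin</param-value>
    </init-param>
  </filter>
  <filter-mapping> <!-- placeholder mapping: the filter must see every request -->
    <filter-name>authenticationFilter</filter-name>
    <url-pattern>/*</url-pattern>
  </filter-mapping>

  <!-- Types 1 and 2: container security is handled by the SSO agent, so the
       security-constraint and login-config blocks are commented out:
  <security-constraint>
    <web-resource-collection><url-pattern>/*</url-pattern></web-resource-collection>
    <auth-constraint><role-name>*</role-name></auth-constraint>
  </security-constraint>
  <login-config><auth-method>BASIC</auth-method></login-config>
  -->

  <!-- 3.1, types 1 and 2: the SessionTimeoutFilter and SessionTimoutServelet
       entries are commented out in the same way to disable the session time-out. -->
</web-app>
```

For type 2, ‘default_group’ in ‘application.properties’ supplies the group used whenever the X-SSO-Group header is absent, and any realm configured for the application must be removed as described above.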

 

 

Conclusion

Ephesoft can now be integrated with single sign-on systems for the purpose of authentication, authorization or both.

 

 

 


wikiadmin
