Windows Active Directory Single Sign-on for stSoftware servers
Within a Windows domain network, IE browsers can automatically log in to stSoftware servers.
Overview
Single sign-on using Microsoft LAN Manager (NTLM) allows users within an intranet environment to use the system without the need to re-enter their password once they have logged into the Windows network.
Note that the NTLM protocol can only be used within an intranet environment.
Configuration
Within a Windows intranet environment, multiple options are available within the
The system has an environment variable “SSO_DISABLE” which can be used to completely disable Single Sign On for a server.
Each layer can have the single sign on (SSO) mode set:
- Blank
- Hybrid
- Transparent
Each login in stSoftware has three possible SSO modes:
- blank – the layer's configuration will be used
- “false” – SSO will be disabled for this user
- Transparent
- Hybrid
When a user who is not currently logged into the system requests a secure page from stSoftware, the SSO mode is calculated in three steps: first the environment is checked, and if SSO is not disabled there, the login record is checked to see whether an SSO mode has been specified; if no mode is specified on the login record, the layer's mode is used.
```java
/* Is SSO enabled?
 *
 * If disabled at the layer level (SSO_DISABLE) a blank mode is returned;
 * otherwise the user's mode takes precedence over the layer's mode.
 *
 * Single Sign On modes
 * 1) TRANSPARENT - only transparent login
 * 2) HYBRID - Transparent or database password.
 *
 * @param layer the layer
 * @param userModeSSO user wants to enable SSO
 * @return the effective SSO mode, or blank if SSO is disabled.
 * @throws Exception a serious problem.
 */
public static String ssoMode( final VirtualDB layer, final String userModeSSO) throws Exception
{
    // MODE_HYBRID, MODE_TRANSPARENT and LOGGER are fields of the enclosing class (not shown on this page).

    // 1) Environment / system preference: a hard switch that overrides everything else.
    DBSysPrefs sysPrefs = layer.getGlobalObject().getSysPrefs();
    String ssoDisable= sysPrefs.getString( DBSysPrefs.DBFIELD_SSO_DISABLE);
    if( "yes".equalsIgnoreCase(ssoDisable) || "true".equalsIgnoreCase(ssoDisable))
    {
        return "";
    }

    // 2) Login record: an explicit user setting wins over the layer.
    if( MODE_HYBRID.equalsIgnoreCase(userModeSSO) )
    {
        return MODE_HYBRID;
    }
    else if( MODE_TRANSPARENT.equalsIgnoreCase(userModeSSO) )
    {
        return MODE_TRANSPARENT;
    }
    else if( "false".equalsIgnoreCase(userModeSSO) )
    {
        return "";
    }
    else if( StringUtilities.isBlank(userModeSSO) == false)
    {
        LOGGER.warn("invalid SSO user mode: " + userModeSSO );
    }

    // 3) Layer default: used when the login record is blank (or invalid).
    String layerModeSSO= sysPrefs.getString( DBSysPrefs.DBFIELD_SSO_MODE);
    if( MODE_HYBRID.equalsIgnoreCase(layerModeSSO) )
    {
        return MODE_HYBRID;
    }
    else if( MODE_TRANSPARENT.equalsIgnoreCase(layerModeSSO) )
    {
        return MODE_TRANSPARENT;
    }
    else if( StringUtilities.isBlank(layerModeSSO) == false)
    {
        LOGGER.warn("invalid SSO layer mode: " + layerModeSSO );
    }
    return "";
}
```
If the SSO mode is calculated to be “HYBRID” then the user's browser will be redirected to a protected page on the IIS server. The protected page on the IIS server will cause the user to be authenticated via NTLM. Once the user is authenticated, the user details are encrypted with a private key known as a “shared secret” and these encrypted details are then redirected back to the calling web server. The calling web server decrypts the user details using the “shared secret” private key. If the authentication is successful, a session cookie is set to remember the current user.
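The page does not say how the redirected user details are protected beyond "encrypted with the shared secret". The class below is an added example (not stSoftware's code) of the two ends of that exchange written so that the receiving web server can trust what it decrypts: it assumes AES-256-GCM (authenticated encryption, so a modified or forged ticket is rejected rather than decrypted to garbage and logged in), an AES key derived from the shared secret with SHA-256, and an issue timestamp inside the ciphertext so a captured redirect is only accepted within a short window. `SsoTicket`, `seal`, `open` and the `CORP\jdoe` sample user are all constructed for this example.

```java
import java.nio.ByteBuffer;
import java.nio.charset.StandardCharsets;
import java.security.GeneralSecurityException;
import java.security.MessageDigest;
import java.security.SecureRandom;
import java.util.Base64;
import javax.crypto.Cipher;
import javax.crypto.spec.GCMParameterSpec;
import javax.crypto.spec.SecretKeySpec;

/**
 * Illustrative "shared secret" ticket for the HYBRID redirect (example code, not stSoftware's).
 * Assumptions: AES-256-GCM, key = SHA-256(shared secret), plaintext = issue time + user details.
 */
public final class SsoTicket
{
    private static final int IV_BYTES = 12;          // 96-bit nonce, the recommended GCM size
    private static final int TAG_BITS = 128;         // full-length authentication tag
    private static final SecureRandom RANDOM = new SecureRandom();

    private SsoTicket() {}

    /** Derive a fixed-length AES key from the configured shared secret (assumption: SHA-256 of the secret). */
    static SecretKeySpec keyFor( final String sharedSecret ) throws GeneralSecurityException
    {
        byte[] digest = MessageDigest.getInstance( "SHA-256" ).digest( sharedSecret.getBytes( StandardCharsets.UTF_8 ) );
        return new SecretKeySpec( digest, "AES" );
    }

    /** IIS side, after NTLM has authenticated the user: wrap the user details plus the current time. */
    public static String seal( final String userDetails, final String sharedSecret ) throws GeneralSecurityException
    {
        byte[] iv = new byte[IV_BYTES];
        RANDOM.nextBytes( iv );                      // fresh nonce per ticket; never reuse with the same key

        byte[] user = userDetails.getBytes( StandardCharsets.UTF_8 );
        ByteBuffer plain = ByteBuffer.allocate( Long.BYTES + user.length );
        plain.putLong( System.currentTimeMillis() ).put( user );

        Cipher cipher = Cipher.getInstance( "AES/GCM/NoPadding" );
        cipher.init( Cipher.ENCRYPT_MODE, keyFor( sharedSecret ), new GCMParameterSpec( TAG_BITS, iv ) );
        byte[] sealed = cipher.doFinal( plain.array() );   // ciphertext followed by the GCM tag

        ByteBuffer out = ByteBuffer.allocate( iv.length + sealed.length );
        out.put( iv ).put( sealed );
        return Base64.getUrlEncoder().withoutPadding().encodeToString( out.array() );
    }

    /**
     * stSoftware web server side, when the redirect arrives. GCM rejects any modification
     * of the token; the timestamp check rejects stale (replayed) tickets.
     */
    public static String open( final String token, final String sharedSecret, final long maxAgeMillis ) throws GeneralSecurityException
    {
        byte[] raw = Base64.getUrlDecoder().decode( token );
        if( raw.length < IV_BYTES + TAG_BITS / 8 + Long.BYTES )
        {
            throw new GeneralSecurityException( "SSO ticket too short" );
        }
        GCMParameterSpec spec = new GCMParameterSpec( TAG_BITS, raw, 0, IV_BYTES );
        Cipher cipher = Cipher.getInstance( "AES/GCM/NoPadding" );
        cipher.init( Cipher.DECRYPT_MODE, keyFor( sharedSecret ), spec );
        // Throws AEADBadTagException (a GeneralSecurityException) if the token was altered or forged.
        byte[] plain = cipher.doFinal( raw, IV_BYTES, raw.length - IV_BYTES );

        ByteBuffer in = ByteBuffer.wrap( plain );
        long age = System.currentTimeMillis() - in.getLong();
        if( age < 0 || age > maxAgeMillis )
        {
            throw new GeneralSecurityException( "SSO ticket expired or issued in the future" );
        }
        byte[] user = new byte[in.remaining()];
        in.get( user );
        return new String( user, StandardCharsets.UTF_8 );
    }

    public static void main( final String[] args ) throws Exception
    {
        String secret = "example-shared-secret";     // constructed value; configure per deployment
        String token = SsoTicket.seal( "CORP\\jdoe", secret );
        System.out.println( "accepted: " + SsoTicket.open( token, secret, 30_000 ) );

        // Alter one character in the middle of the token: GCM authentication fails, nobody is logged in.
        char[] bad = token.toCharArray();
        int i = bad.length / 2;
        bad[i] = bad[i] == 'A' ? 'B' : 'A';
        try
        {
            SsoTicket.open( new String( bad ), secret, 30_000 );
        }
        catch( GeneralSecurityException e )
        {
            System.out.println( "rejected tampered ticket: " + e.getClass().getSimpleName() );
        }
    }
}
```

The check that matters for the web server is the order of the two failures in `open`: the authentication tag is verified before any byte of the plaintext is interpreted, and the age check runs before the user name is returned, so a ticket that is either forged or replayed after the window never reaches the code that sets the session cookie.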
If the SSO mode is calculated to be “TRANSPARENT” then the normal login form will be displayed. The user will enter their user name and password. When the user submits their credentials, these credentials are combined with the SSO domain (which is specified on the login record) and a direct call is made from the web server to the defined IIS server to validate the user's credentials.
If the SSO mode is calculated to be “NORMAL” or blank then the normal login form will be displayed and the entered user credentials are checked against the encrypted password stored in the login class.
Advantages and disadvantages of the different SSO modes:

| MODE | Pros | Cons |
|---|---|---|
| Transparent | | |
| Hybrid | | |
| Normal | | |