    Windows Active Directory Single Sign-on for stSoftware servers

    Within a Windows domain network, Internet Explorer browsers can automatically log in to stSoftware servers.

    Overview

    Single sign-on using Microsoft NT LAN Manager (NTLM) authentication allows users within an intranet environment to use the system without re-entering their password once they have logged into the Windows network.

    Note that the NTLM protocol can only be used within an intranet environment; it is not usable across the public Internet.

    Configuration

    Within a Windows intranet environment, multiple options are available within the

    The system has a setting “SSO_DISABLE” (read in the code below as the system preference DBSysPrefs.DBFIELD_SSO_DISABLE; the values “yes” or “true” disable it) which can be used to completely disable Single Sign On for a server, regardless of any per-layer or per-login mode.

     

    Each layer can have the single sign on (SSO) mode set.

    1. Blank

    2. Hybrid

    3. Transparent

     

    Each login in stSoftware has four possible SSO modes :-

    1. blank – The layer's configuration will be used

    2. “false” – SSO will be disabled for this user.

    3. Transparent

    4. Hybrid

     

    When a user who is not currently logged into the system requests a secure page from stSoftware, the SSO mode is calculated in this order: first the SSO_DISABLE setting is checked (if set, SSO is off and nothing else is consulted); then the login record is checked to see whether an SSO mode has been specified for that user; if none is specified, the layer's mode is used. An unrecognised value at either level is logged and treated as blank.

     

         /** Work out the effective SSO mode for a login.
          *
          * Order of precedence: the layer's SSO_DISABLE preference wins outright,
          * then the mode on the login record (userModeSSO), then the layer's SSO_MODE.
          * Unrecognised values are logged and ignored.
          *
          * Single Sign On modes
          *    1) TRANSPARENT - only transparent login
          *    2) HYBRID - Transparent or database password.
          *
          * @param layer the layer
          * @param userModeSSO the SSO mode set on the login record (may be blank)
          * @return MODE_TRANSPARENT, MODE_HYBRID, or "" when SSO is disabled or not configured.
          * @throws Exception a serious problem.
          */
         public static String ssoMode( final VirtualDB layer, final String userModeSSO) throws Exception
         {
             DBSysPrefs sysPrefs = layer.getGlobalObject().getSysPrefs();

             // 1. Server-wide kill switch: "yes" or "true" turns SSO off everywhere.
             String ssoDisable= sysPrefs.getString( DBSysPrefs.DBFIELD_SSO_DISABLE);
             if( "yes".equalsIgnoreCase(ssoDisable) || "true".equalsIgnoreCase(ssoDisable))
             {
                 return "";
             }

             // 2. Per-login override from the login record.
             if( MODE_HYBRID.equalsIgnoreCase(userModeSSO) )
             {
                 return MODE_HYBRID;
             }
             else if( MODE_TRANSPARENT.equalsIgnoreCase(userModeSSO) )
             {
                 return MODE_TRANSPARENT;
             }
             else if( "false".equalsIgnoreCase(userModeSSO) )
             {
                 return "";
             }
             else if( StringUtilities.isBlank(userModeSSO) == false)
             {
                 LOGGER.warn("invalid SSO user mode: " + userModeSSO );
             }

             // 3. Fall back to the layer's configured mode.
             String layerModeSSO= sysPrefs.getString( DBSysPrefs.DBFIELD_SSO_MODE);

             if( MODE_HYBRID.equalsIgnoreCase(layerModeSSO) )
             {
                 return MODE_HYBRID;
             }
             else if( MODE_TRANSPARENT.equalsIgnoreCase(layerModeSSO) )
             {
                 return MODE_TRANSPARENT;
             }
             else if( StringUtilities.isBlank(layerModeSSO) == false)
             {
                 LOGGER.warn("invalid SSO layer mode: " + layerModeSSO );
             }

             // Blank: no SSO, the normal login form is used.
             return "";
         }

     

    If the SSO mode is calculated to be “HYBRID” then the user's browser is redirected to a protected page on the IIS server. The protected page on the IIS server causes the user to be authenticated via NTLM. Once the user is authenticated, the user details are encrypted with a symmetric key known as the “shared secret” (a key provisioned on both the IIS server and the web server, never sent to the browser), and the browser is redirected back to the calling web server carrying these encrypted details. The calling web server decrypts the user details using the same shared secret. If the authentication is successful then a session cookie is set to remember the current user. Because the browser relays the encrypted details, the web server must also be able to tell that they are genuine, current, and not being replayed; relying on encryption alone does not give that.
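    The hybrid hand-off described above, as an added example that is not stSoftware's code and does not use its API: the IIS side issues a token after NTLM has succeeded, the web server verifies it when the browser arrives at the callback. The page only says the details are "encrypted with a shared secret"; this example shows what a practitioner would want on top of that, namely an integrity tag (checked before decrypting), an expiry, and a one-time nonce against replay. The cipher used here (an HMAC-SHA256 keystream plus an HMAC-SHA256 tag, encrypt-then-MAC) is a standard-library stand-in and is not stSoftware's algorithm; the shared secret, user, domain, callback URL and timestamps are all constructed for the example.

```python
"""Hybrid-mode SSO hand-off token: issued by the NTLM-protected IIS page,
verified by the web server. Added example, not stSoftware's code."""
import base64
import hashlib
import hmac
import json
import secrets
from typing import Optional
from urllib.parse import parse_qs, urlencode, urlparse

# Constructed for the example. In production this is provisioned out of
# band on both the IIS box and the web server and never reaches the browser.
SHARED_SECRET = b"example-shared-secret-do-not-reuse"
TOKEN_TTL_SECONDS = 60


def _subkey(secret: bytes, label: bytes) -> bytes:
    """Derive separate encryption and MAC keys from the one shared secret."""
    return hmac.new(secret, label, hashlib.sha256).digest()


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """PRF in counter mode: HMAC(key, nonce || counter) blocks, truncated."""
    out = b""
    counter = 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:length]


def issue_token(secret: bytes, user: str, domain: str, now: int) -> str:
    """IIS side: call only after NTLM has authenticated the browser."""
    enc_key, mac_key = _subkey(secret, b"enc"), _subkey(secret, b"mac")
    nonce = secrets.token_bytes(16)
    payload = json.dumps(
        {"user": user, "domain": domain, "iat": now, "exp": now + TOKEN_TTL_SECONDS},
        separators=(",", ":"),
    ).encode()
    stream = _keystream(enc_key, nonce, len(payload))
    ciphertext = bytes(p ^ k for p, k in zip(payload, stream))
    tag = hmac.new(mac_key, nonce + ciphertext, hashlib.sha256).digest()
    return base64.urlsafe_b64encode(nonce + ciphertext + tag).decode()


def build_redirect(callback_url: str, token: str) -> str:
    """The Location the IIS page redirects the browser back to."""
    return f"{callback_url}?{urlencode({'sso': token})}"


def verify_token(secret: bytes, token: str, now: int, seen_nonces: set) -> Optional[dict]:
    """Web-server side. Returns the user details, or None if the token is
    malformed, unauthentic, expired or replayed. Tag is checked before decrypting."""
    try:
        raw = base64.urlsafe_b64decode(token.encode())
    except ValueError:
        return None
    if len(raw) < 16 + 32:
        return None
    nonce, ciphertext, tag = raw[:16], raw[16:-32], raw[-32:]
    enc_key, mac_key = _subkey(secret, b"enc"), _subkey(secret, b"mac")
    expected = hmac.new(mac_key, nonce + ciphertext, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        return None
    if nonce in seen_nonces:  # replay of a token the browser already presented
        return None
    stream = _keystream(enc_key, nonce, len(ciphertext))
    details = json.loads(bytes(c ^ k for c, k in zip(ciphertext, stream)))
    if not details["iat"] <= now < details["exp"]:
        return None
    seen_nonces.add(nonce)
    return details


def handle_callback(secret: bytes, location: str, now: int, seen_nonces: set) -> Optional[dict]:
    """Parse the URL the browser was redirected to and verify the token in it."""
    query = parse_qs(urlparse(location).query)
    token = query.get("sso", [None])[0]
    return verify_token(secret, token, now, seen_nonces) if token else None


if __name__ == "__main__":
    seen = set()
    tok = issue_token(SHARED_SECRET, "jsmith", "CORP", 1_700_000_000)
    url = build_redirect("https://app.example.internal/sso/callback", tok)
    print(handle_callback(SHARED_SECRET, url, 1_700_000_010, seen))   # user details
    print(handle_callback(SHARED_SECRET, url, 1_700_000_010, seen))   # None: replayed
```

    The web server only sets its session cookie when verify_token returns a record. The seen-nonce set must be shared by every web server instance behind a load balancer (or replaced by a short-lived server-side store); otherwise a token replayed against a different node would be accepted within its lifetime.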

    If the SSO mode is calculated to be “TRANSPARENT” then the normal login form is displayed and the user enters their user name and password. When the user submits their credentials, they are combined with the SSO domain (which is specified on the login record) and the web server makes a direct call to the defined IIS server to validate the user's credentials. In this mode the web server therefore handles the user's Windows password in the clear.

    If the SSO mode is calculated to be “NORMAL” or blank then the normal login form is displayed and the entered user credentials are checked against the encrypted password stored in the login class; no IIS or Windows domain is involved.

    Advantages and disadvantages of the different SSO modes.

    Transparent

      Pros: • Same password is always used for Windows login and web server login.

      Cons: • User credentials (the plaintext Windows password) are transmitted to the web server.

    Hybrid

      Pros: • The password is NEVER sent to the web server.
            • Same password is always used for Windows login and web server login.

      Cons: • If the user is not on the intranet then an old-style login dialog box is shown, which we have no control over.

    Normal

      Pros: • Functional users that do not exist in the Windows domain can be created.

      Cons: • User credentials are transmitted to the web server.