Integrating WebPCM Applications into Single Sign On (SSO)
Tom Schaefer, Better Software Solutions, Inc.
UN 4023 V
Agenda
- What is SSO?
- How does it work?
- Tools for SSO on ClearPath
- Integrating Active Directory into ClearPath applications
- Tying it all together
What is Single Sign On?
- Ability for applications to use the Enterprise user and password.
- Federated login allows shared credentials automatically.
- Eliminates multiple credentials for each application.
- Common tools include SAML, Kerberos and OAuth/OAuth2.
Why Single Sign On?
- With Google and Facebook, users have expectations of an easier sign-on process.
- Using Active Directory means a single password security policy is enforced.
- Two-factor your applications as a bonus.
- Locking out a user in one place handles it everywhere. That can also be a risk.
How does SSO work?
- Basic case utilizes LDAP as keeper of the passwords.
- Intermediary (Federated Login):
  - SAML: SecureAuth handles off-network access automatically.
  - OAuth: Twitter, Facebook, Google.
  - Kerberos: Authenticate header for Kerberos.
Tools for SSO on ClearPath
- Atlas Web Server
- Kerberos
- LDAP
- ePortal can use SAML for SSO too (not covered here).
Atlas Web Server
- Unisys native web server (WebTS)
- Has interface to Kerberos and NTLM
- Atlas supports usercode/password protection of only the entire site: all or nothing!
- What about SSO for just a few pages?
- LDAP is a good alternative to a single user and password maintained by each application.
Kerberos
- Common user system based on tickets
- Trusted 3rd party authenticates the user.
- Browsers allow integration with the 401 Authenticate header.
- Also allows MARC login of MCP users.
LDAP
- Lightweight Directory Access Protocol
- Hierarchical database of users and attributes: email address, address, phone number, etc.
- Can be used to access Microsoft Active Directory information.
- Supported on MCP via LDAPSupport
Browser Integration with Kerberos and Atlas
More details
Using Atlas Header Functions
- GET_HEADER: used to get the authentication header
  CALL GET_HEADER OF WEBAPPSUPPORT USING COMS-MESSAGE-IN, WS-HDR, WS-VALUE GIVING WS-RESULT.
- SET_STATUS_CODE: setting the status code to 401 causes the browser to send a ticket.
- Then, call library functions to authenticate the Kerberos ticket.
- FireBug or HTTPWatch are useful for checking headers.
- NA ATLASSUPPORT TRACE + DATA
  Files under *ATLAS/ADMIN/ATLASSUPORT/TRACE
401 Authenticate Header
401 Header Detail
Client requests page:
  GET /index.html HTTP/1.1
  Host: www.myhost.com
Server reply:
  HTTP/1.1 401 Authorization Required
  Date: Wed, 11 Sep 2013 15:25:00 GMT
  WWW-Authenticate: Negotiate
  Content-Type: text/html
Non-Kerberos browsers will prompt a 401 dialog.
401 Detail Continued
Request with ticket:
  GET /index.html HTTP/1.1
  Host: www.myhost.com
  Authorization: Negotiate <really long ticket>
If the ticket is accepted, the browser shows the page! But how does the user know this happened?
Message: Welcome <user>, you have been logged into the system via Single Sign On
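The server side of the exchange on these two slides, as an added example in Python; it is not code from the slides, from Atlas or from WEBAPPSUPPORT. It issues the 401 Negotiate challenge only to clients in the intranet ranges (the deck's later hint about not giving external users a 401 prompt), re-challenges when a non-Kerberos browser answers with a different scheme or with something that is not a GSS-API token, and hands a plausible token to validate_ticket, a hypothetical hook that stands in for the MCP Kerberos library call. The address ranges, CONSTRUCTED_TOKEN and constructed_validate are constructed sample data.

```python
import base64
import binascii
import ipaddress

# DER-encoded OIDs that open a GSS-API initial context token (RFC 2743 section 3.1):
# SPNEGO 1.3.6.1.5.5.2 (RFC 4178) and raw Kerberos 5 1.2.840.113554.1.2.2 (RFC 4121).
SPNEGO_OID_DER = bytes.fromhex("06062b0601050502")
KRB5_OID_DER = bytes.fromhex("06092a864886f712010202")

# Constructed address ranges standing in for the browser's Local Intranet zone.
INTRANET_NETWORKS = [ipaddress.ip_network("10.0.0.0/8"),
                     ipaddress.ip_network("192.168.0.0/16")]

WELCOME = "Welcome {user}, you have been logged into the system via Single Sign On"
CHALLENGE = {"WWW-Authenticate": "Negotiate", "Content-Type": "text/html"}


def is_internal(client_ip):
    """True if the client address falls in one of the intranet ranges."""
    addr = ipaddress.ip_address(client_ip)
    return any(addr in net for net in INTRANET_NETWORKS)


def negotiate_header(token):
    """Build the value the browser sends: 'Negotiate <base64 token>'."""
    return "Negotiate " + base64.b64encode(token).decode("ascii")


def parse_negotiate(authorization):
    """Return the decoded token from 'Authorization: Negotiate <base64>', or None if the
    scheme is not Negotiate (e.g. a Basic response from a non-Kerberos browser) or the
    data is not valid base64."""
    scheme, _, data = authorization.strip().partition(" ")
    if scheme.lower() != "negotiate" or not data.strip():
        return None
    try:
        return base64.b64decode(data.strip(), validate=True)
    except (binascii.Error, ValueError):
        return None


def looks_like_gss_token(token):
    """Cheap structural check before the token reaches the Kerberos library:
    [APPLICATION 0] tag, DER length, then the SPNEGO or Kerberos 5 mechanism OID."""
    if len(token) < 2 or token[0] != 0x60:
        return False
    first = token[1]
    body = token[2:] if first < 0x80 else token[2 + (first & 0x7F):]
    return body.startswith(SPNEGO_OID_DER) or body.startswith(KRB5_OID_DER)


def handle_request(headers, client_ip, validate_ticket):
    """Server side of the slide's exchange.  `headers` is a dict of request headers;
    `validate_ticket(token)` is the hypothetical hook where the Kerberos library call
    goes and returns the authenticated user name or None.
    Returns (status, response_headers, body)."""
    if not is_internal(client_ip):
        # External users never see the 401 prompt; send them to the usual login page.
        return 200, {"Content-Type": "text/html"}, "Please log in with your usercode and password."
    auth = headers.get("Authorization")
    if auth is None:
        return 401, dict(CHALLENGE), ""          # first request: ask the browser for its ticket
    token = parse_negotiate(auth)
    if token is None or not looks_like_gss_token(token):
        return 401, dict(CHALLENGE), ""          # wrong scheme or junk: re-challenge, do not pass it on
    user = validate_ticket(token)
    if user is None:
        return 403, {"Content-Type": "text/html"}, "Ticket rejected."
    return 200, {"Content-Type": "text/html"}, WELCOME.format(user=user)


# --- constructed sample data so the block runs offline ---------------------------------
# Minimal DER wrapper: 0x60, length 12, SPNEGO OID, then an empty negTokenInit body.
CONSTRUCTED_TOKEN = b"\x60\x0c" + SPNEGO_OID_DER + b"\xa0\x02\x30\x00"


def constructed_validate(token):
    """Stands in for the Kerberos library: accepts only the constructed token."""
    return "ThomasMSchaefer" if token == CONSTRUCTED_TOKEN else None


def demo_exchange():
    """Run the two requests from the slides and return both responses."""
    first = handle_request({"Host": "www.myhost.com"}, "10.1.2.3", constructed_validate)
    second = handle_request({"Host": "www.myhost.com",
                             "Authorization": negotiate_header(CONSTRUCTED_TOKEN)},
                            "10.1.2.3", constructed_validate)
    return first, second


if __name__ == "__main__":
    for status, hdrs, body in demo_exchange():
        print(status, hdrs, body)
```

The structural check is deliberately shallow: it only keeps obviously malformed input away from the ticket-validation call, and the real authentication decision stays with the Kerberos library behind validate_ticket.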
ClearPath LDAP Support
- LDAPSUPPORT library
- Native calls to your Enterprise Active Directory
- Kerberos supplies the Active Directory name: ThomasMSchaefer
- Can search LDAP for email or other attributes.
Calling LDAPSupport
- LDAP_BIND: connects to LDAP with valid credentials.
- LDAP_SET_DIRENTRY: search organizational hive DC=ENT,DC=DS,DC=MYHOST,DC=COM
- LDAP_SEARCH: use LDAP_C_WHOLESUBTREE
- LDAP_SEARCH_RESPONSE: iterate through results.
How to Interact with your Directory Services Team
- They don't know anything about Atlas.
- SSO means different things to different users.
- SecureAuth can use an intermediary, but Kerberos can use AD.
- MCP Kerberos setup requires config files from the directory services team (KEYTAB files).
Hints to make Kerberos work
- Website needs to be in the Local Intranet zone: the browser will not send credentials if it is not in this zone.
- MCP Kerberos tracing is your friend.
- The Unisys Kerberos manual is quite helpful.
- Applications need to know if the user is internal, unless you want to give external users a 401 prompt.
More hints
- Atlas config for Kerberos: enable ANONYMOUSWEB as a local alias
  +KERBEROS *ANYNAME@<REALM> LOCALALIAS = ANONYMOUSWEB
- For other users, LOCALALIAS cannot have ACCESSCODEREQUIRED.
- Firewall access: UDP/123 (NTP), Both/464 (kpasswd), TCP/135 (RPC endpoint mapper), TCP/636 (LDAPS), Both/389 (LDAP), TCP/3268 and TCP/3269 (Global Catalog), Both/88 (Kerberos)
LDAP Hints
- LDAP_BIND can take 10 seconds depending upon network and AD server location.
- Bind once at start, then just SEARCH: a single bind call for the whole program.
- Use separate libraries or an ALGOL connection library for multiple calls: one for the service account and one for the user.
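The bind-once-then-search pattern from this slide, combined with the LDAPSupport call sequence from the "Calling LDAPSupport" slide (bind, set the DC=ENT,DC=DS,DC=MYHOST,DC=COM hive, whole-subtree search, read results), as an added Python example that is not code from the slides or from LDAPSupport. LdapSession performs the slow bind at most once and reuses the connection for every search; escape_filter_value applies RFC 4515 escaping to the account name Kerberos supplies before it goes into the filter, so a name containing filter metacharacters is matched literally instead of changing the query. ConstructedDirectory, SAMPLE_ENTRIES and the mail addresses are constructed stand-ins so the block runs offline.

```python
import re

BASE_DN = "DC=ENT,DC=DS,DC=MYHOST,DC=COM"   # the organizational hive named on the slides

# RFC 4515 section 3: characters that must be escaped inside a filter assertion value.
_FILTER_ESCAPES = {"\\": "\\5c", "*": "\\2a", "(": "\\28", ")": "\\29", "\x00": "\\00"}


def escape_filter_value(value):
    """Escape a value (e.g. the account name Kerberos handed us) for use in a search filter."""
    return "".join(_FILTER_ESCAPES.get(ch, ch) for ch in value)


def unescape_filter_value(value):
    """Inverse of escape_filter_value; used only by the constructed directory below."""
    return re.sub(r"\\([0-9A-Fa-f]{2})", lambda m: chr(int(m.group(1), 16)), value)


class LdapSession:
    """Bind once, then search.  `bind` is a callable that performs the slow LDAP_BIND and
    returns a connection exposing search(base_dn, scope, ldap_filter, attributes); it is
    invoked at most once for the life of the session."""

    def __init__(self, bind, base_dn=BASE_DN):
        self._bind = bind
        self._conn = None
        self.base_dn = base_dn
        self.bind_count = 0

    def _connection(self):
        if self._conn is None:
            self._conn = self._bind()
            self.bind_count += 1
        return self._conn

    def find_user(self, sam_account_name, attributes=("mail",)):
        """Look up the AD account by sAMAccountName over the whole subtree."""
        ldap_filter = "(&(objectClass=user)(sAMAccountName=%s))" % escape_filter_value(sam_account_name)
        return self._connection().search(self.base_dn, "subtree", ldap_filter, attributes)


class ConstructedDirectory:
    """Offline stand-in for a bound LDAPSupport connection holding constructed sample
    entries.  It understands only the filter shape that find_user() builds."""

    _NAME_RE = re.compile(r"\(sAMAccountName=([^)]*)\)")

    def __init__(self, entries):
        self.entries = entries

    def search(self, base_dn, scope, ldap_filter, attributes):
        if scope != "subtree":
            raise ValueError("expected whole-subtree scope (LDAP_C_WHOLESUBTREE)")
        match = self._NAME_RE.search(ldap_filter)
        if match is None:
            return []
        wanted = unescape_filter_value(match.group(1))   # compare the literal value, as a server would
        return [{a: e[a] for a in attributes if a in e}
                for e in self.entries
                if e["dn"].endswith(base_dn) and e["sAMAccountName"] == wanted]


# Constructed sample entries; the addresses are placeholders, not real mailboxes.
SAMPLE_ENTRIES = [
    {"dn": "CN=Thomas Schaefer,OU=Users," + BASE_DN, "sAMAccountName": "ThomasMSchaefer",
     "mail": "tschaefer@myhost.example"},
    {"dn": "CN=Web Service,OU=Service," + BASE_DN, "sAMAccountName": "svc-web",
     "mail": "svc-web@myhost.example"},
]


def new_service_session():
    """One session bound as the service account.  Calls made as the end user would get a
    second LdapSession of their own, mirroring the two-library advice on the slide."""
    return LdapSession(lambda: ConstructedDirectory(SAMPLE_ENTRIES))


if __name__ == "__main__":
    session = new_service_session()
    print(session.find_user("ThomasMSchaefer"))      # [{'mail': 'tschaefer@myhost.example'}]
    print(session.find_user("*)(objectClass=*"))      # [] : escaped, so the metacharacters are literal
    print("binds performed:", session.bind_count)     # 1
```

Against a real directory the bind callable would wrap LDAP_BIND and the connection's search would map onto LDAP_SET_DIRENTRY, LDAP_SEARCH and LDAP_SEARCH_RESPONSE; the escaping and the single-bind discipline are the parts worth carrying over unchanged.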
Questions?
toms@bettersoftwaresolutions.com
@BSSI_Consulting
www.bettersoftwaresolutions.com
727-437-2771
References
- Unisys manuals: LDAPSupport, Kerberos Guide, WEBAPPSUPPORT Manual
- RFC for the Authenticate header: RFC 4559
- Adding SecureAuth to your web apps