HP Asset Manager
Implementing Single Sign On for Asset Manager Web 5.x

Contents
Legal Notices
Introduction
  Using AM 5.20
  Using AM 5.12
Design Blueprint
  Technical Design
Requirements, Guidelines and Considerations
  Minimum Requirements
Workflow and Tasks
  Old piece of code
  New piece of code
JavaBean Example
  JavaBean Requirements
  Sample code
  Compiling JavaBeans
Synchronizing Windows and Web client authentications
For more information
Legal Notices

Copyright 1994-2008 Hewlett-Packard Development Company, L.P.

Confidential computer software. Valid license from HP required for possession, use or copying. Consistent with FAR 12.211 and 12.212, Commercial Computer Software, Computer Software Documentation, and Technical Data for Commercial Items are licensed to the U.S. Government under vendor's standard commercial license.

The only warranties for HP products and services are set forth in the express warranty statements accompanying such products and services. Nothing herein should be construed as constituting an additional warranty. HP shall not be liable for technical or editorial errors or omissions contained herein. The information contained herein is subject to change without notice.

Adobe, Adobe logo, Acrobat and Acrobat Logo are trademarks of Adobe Systems Incorporated. Corel and Corel logo are trademarks or registered trademarks of Corel Corporation or Corel Corporation Limited. Java is a US trademark of Sun Microsystems, Inc. Microsoft, Windows, Windows NT, Windows XP, Windows Mobile and Windows Vista are U.S. registered trademarks of Microsoft Corporation. Oracle is a registered trademark of Oracle Corporation and/or its affiliates. UNIX is a registered trademark of The Open Group.
Introduction

To implement Single Sign-On (SSO), Identity Management tools such as Netegrity's SiteMinder or WebSEAL can be used with the HP Asset Manager 5.x Web application (5.12 and later). This document can be used as a blueprint to install and configure SSO with the HP Asset Manager 5.x Web application (5.12 and later). It describes the requirements and the steps needed to carry out this implementation.

Using AM 5.20

SSO is now handled out of the box, and customization is described in the product documentation, manual Administration, section "Sharing user authentication using Lightweight Single Sign-On (LW-SSO)".

Using AM 5.12

Design Blueprint

Technical Design

Identity Management tools provide authentication and authorization for a particular user. When a Web application (such as Asset Manager Web) is protected by SSO, the user is redirected to an authentication server where they are presented with a logon page. Once the user has logged on, the authentication server verifies that the user has access to the Web application. If the user does have access, the authentication server redirects the user back to the initial Web application. In addition to the redirect, the authentication server appends information about the user to the HTTP headers of the request. This header data can then be used as needed by the Web application.

Although the SSO authentication server can authenticate and authorize a user for a particular Web application, Asset Manager has its own logon process. Using SSO as the logon method requires the following:

- A working Single Sign-On tool with established accounts and access to the Asset Manager Web application. (The process to protect a particular Web application varies depending on the tool. Please see your SSO administrator for information on what is required.)
- Creation of a new JavaBean that Asset Manager Web will use to pull the HTTP header information supplied by SSO. Asset Manager Web uses this to log the user in automatically.
- Modification of the Asset Manager Web configuration files to use this sign-on process.
- The employee's username within Asset Manager (Table SQLName: amEmplDept, Field SQLName: UserLogin) must match the username used within SSO.

Requirements, Guidelines and Considerations

Minimum Requirements

- Experience with Asset Manager and Asset Manager Web
- Familiarity with Web development and related technologies (e.g. Tomcat)
- Java development experience (creating and compiling custom Java classes is required)
Workflow and Tasks

This section describes the tasks involved in setting up SSO with Asset Manager 5.12 Web.

Step 1: Set up SSO to protect the Asset Manager Web URL
  Action description: SSO must be configured to protect the Asset Manager Web application. Contact the SSO administration team.

Step 2: Establish SSO accounts for users that will require access to Asset Manager Web.
  Action description: All users that will access Asset Manager Web require SSO accounts. These accounts must have usernames that match the employee's username within Asset Manager.
  Required input: Verify that SSO accounts exist and that the username of each SSO account matches the value stored in the employee's Asset Manager account (the value is stored in the amEmplDept table, field UserLogin, for the particular user).

Step 3: Create the SSO authentication JavaBean
  Action description: Develop a custom JavaBean that pulls the HTTP header information passed from SSO. The JavaBean should pull the validated username and return that value to the Asset Manager Web logon process.
  Required input: The requirements for the JavaBean depend on how the HTTP header information is passed from SSO. See section 5 below for examples.

Step 4: Modify the Asset Manager Web applicationcontext.xml configuration file, in particular to add the newly created JavaBean class to the.
  Action description: Open the following file for editing: TOMCAT\webapps\AssetManager\WEB-INF\classes\applicationcontext.xml
  Required input: Replace the old piece of code with the new piece of code (see below).

Step 5: Once the JavaBean has been developed, it must be compiled with the Java SDK. To compile successfully, the classpath must include several references to the Asset Manager Web APIs. See section 5 for examples.
  Required input: Verify that the JavaBean compiled successfully with no errors.

Step 6: Restart Tomcat
  Action description: After all changes have been made, restart the Tomcat service.
Old piece of code

<bean id="acwc:preAuthenticationFilter" class="com.hp.ov.ac.web.security.sso.SsoPreAuthenticationFilter">
    <property name="authenticationManager">
        <ref bean="acwc:authenticationManager"/>
    </property>
    <property name="defaultRole">
        <value>ROLE_PRE</value>
    </property>
    <property name="keepDomain">
        <value>false</value>
    </property>
    <!-- To use a custom sso provider, put your bean ref here and uncomment the following.
    <property name="ssoProvider">
        <ref bean="acwc:ntSsoProvider"/>
    </property>
    -->
</bean>
<!-- register your custom sso provider here and uncomment following
<bean id="acwc:ntSsoProvider" class="com.hp.ov.ac.web.security.sso.NtSsoProvider"/>
-->

New piece of code

<bean id="acwc:preAuthenticationFilter" class="com.hp.ov.ac.web.security.sso.SsoPreAuthenticationFilter">
    <property name="authenticationManager">
        <ref bean="acwc:authenticationManager"/>
    </property>
    <property name="defaultRole">
        <value>ROLE_PRE</value>
    </property>
    <property name="keepDomain">
        <value>false</value>
    </property>
    <!-- To use a custom sso provider, put your bean ref here and uncomment the following. -->
    <property name="ssoProvider">
        <ref bean="acwc:sampleHeaderSSOProvider"/>
    </property>
</bean>
<!-- register your custom sso provider here and uncomment following -->
<bean id="acwc:sampleHeaderSSOProvider" class="com.hp.ov.ac.web.security.sso.SampleHeaderSSOProvider"/>

JavaBean Example

JavaBean Requirements

During the logon process, Asset Manager calls the newly created JavaBean to verify that the user was authenticated by an SSO process. This is done via a call to a method named getUserName. The JavaBean must implement this method and return the username of the authenticated user (taken from the HTTP header). If the HTTP header value does not exist (the user reached the logon page outside of the SSO process), the JavaBean must return null. For the authentication process to work, the username returned by getUserName must match the username stored in the employee table (amEmplDept) of the Asset Manager database.

Sample code

package com.hp.ov.ac.web.security.sso;

import javax.servlet.http.HttpServletRequest;

public class SampleHeaderSSOProvider implements ISsoProvider {

    public String getUserName(HttpServletRequest request) {
        // Suppose that the user login is stored in the HTTP header under the key "My_User".
        // getHeader() returns null when the header is absent, which is exactly what the
        // logon process expects for a user who did not come through SSO.
        return request.getHeader("My_User");
    }
}

Compiling JavaBeans

To compile the example above, the classpath must reference the Tomcat and Asset Manager libraries. Example:

JSDKHOME\bin\javac.exe -classpath C:\TOMCAT_HOME\common\lib\servlet-api.jar;C:\TOMCAT_HOME\webapps\AssetManager\WEB-INF\classes SampleHeaderSSOProvider.java

After compiling, SampleHeaderSSOProvider.class must be placed in the C:\TOMCAT_HOME\webapps\AssetManager\WEB-INF\classes\com\hp\ov\ac\web\security\sso folder (where the ISsoProvider.class file is already located).

Synchronizing Windows and Web client authentications

Asset Manager can be customized to request LDAP credentials from a user who logs in with the Windows client. If the identity tool used when implementing SSO for Asset Manager Web points to the same LDAP source, the Windows client and Web client authentications are then synchronized.
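A hardened variant of the header provider described in the JavaBean Requirements section, added here as an example and not HP's code. It assumes the interface method is named getUserName (the extracted text shows it as getusername), that the argument is the standard HttpServletRequest, and that the addresses in TRUSTED_GATEWAYS are placeholders for your own SSO gateway hosts; a user header is only evidence of authentication when Tomcat cannot be reached without passing through the gateway that sets it.

```java
package com.hp.ov.ac.web.security.sso;

import java.util.Arrays;
import java.util.Enumeration;
import java.util.HashSet;
import java.util.Set;
import javax.servlet.http.HttpServletRequest;

// Added example, not part of HP Asset Manager. A header-based SSO provider
// that only trusts the user header when the request came through the SSO
// gateway; in every other case it reports "not authenticated" (null), so the
// normal Asset Manager Web logon page is shown.
public class TrustedHeaderSSOProvider implements ISsoProvider {

    // Header the SSO tool injects; same key as the page's sample.
    private static final String USER_HEADER = "My_User";

    // Assumption/placeholder: addresses from which the SSO gateway(s) reach
    // Tomcat. The gateway must strip any client-supplied USER_HEADER before
    // injecting its own; otherwise the header is not evidence of anything.
    private static final Set<String> TRUSTED_GATEWAYS =
        new HashSet<String>(Arrays.asList("192.0.2.10", "192.0.2.11"));

    public String getUserName(HttpServletRequest request) {
        // Requests that did not pass through the gateway must fall back to
        // the ordinary logon page, whatever headers they carry.
        if (!TRUSTED_GATEWAYS.contains(request.getRemoteAddr())) {
            return null;
        }

        // Accept exactly one header value: a duplicated header is ambiguous,
        // and an ambiguous identity must not log anyone in.
        Enumeration<?> values = request.getHeaders(USER_HEADER);
        if (values == null || !values.hasMoreElements()) {
            return null;   // no SSO header: logon page reached outside SSO
        }
        String user = ((String) values.nextElement()).trim();
        if (values.hasMoreElements() || user.length() == 0) {
            return null;
        }

        // Must match amEmplDept.UserLogin exactly; no normalization beyond trim.
        return user;
    }
}
```

Register it in place of acwc:sampleHeaderSSOProvider with the same bean definition pattern shown under "New piece of code", and compile it with the same classpath as the sample.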
For more information

Please visit the HP Software support Web site at: http://www.hp.com/managementsoftware/support

This web site provides contact information and details about the products, services, and support that HP Software offers. HP Software online support provides customer self-solve capabilities. It provides a fast and efficient way to access interactive technical support tools needed to manage your business. As a valuable support customer, you can benefit by being able to:

- Search for knowledge documents of interest
- Submit and track progress on support cases
- Submit enhancement requests online
- Download software patches
- Manage a support contract
- Look up HP support contacts
- Review information about available services
- Enter discussions with other software customers
- Research and register for software training

Note: Most of the support areas require that you register as an HP Passport user and sign in. Many also require an active support contract. To find more information about support access levels, go to the following URL: http://www.hp.com/managementsoftware/access_level

To register for an HP Passport ID, go to the following URL: http://www.managementsoftware.hp.com/passport-registration.html

Limited responsibility clause

Asset Manager is integrated with several third-party applications. Examples: database engines, Web servers, single sign-on software, load-balancing and clustering hardware and software solutions, reporting software such as Crystal Reports, etc. Support for these applications is limited to their interface with Asset Manager. Support does not cover installation problems, setup and customization problems nor malfunctioning of the third-party application.

White papers contain examples of implementations that may work in your environment with or without customization. There is no guarantee that this will be the case.
It could also be that some of the solutions covered by white papers appear as standard features in a future release of the software. When this is the case, there is no guarantee that you will be able to upgrade the solution you implemented based on the white paper to the equivalent standard feature.

2008 Hewlett-Packard Development Company, L.P. Itanium is a trademark or registered trademark of Intel Corporation in the U.S. and other countries and is used under license.