SSO on Apache: not logged in to Ivy but in tomcat?

0

Hello Ivy-Comunity!

When logged in to Apache (and to Tomcat) the User is not taken by Ivy.

In a testing environment I have the following constellation:

  • Linux environment with Ivy 5.1.3 attached to AD
  • Apache Server with Kerberos Login attached to the same AD
  • Ajp-Connector to Ivy-Tomcat
  • A jsp testing Page in the Ivy-Environment (applicationHome on the Application-wf-Page)

So this Page shows me by asking request.getRemoteUser() that this User is logged in: Hans.Tester@TESTENV.LOCAL and a HTTP Session request.getSession().getId(). But getting the Ivy-User by ivySession.getSessionUser() returns null. Except when Logged in manualy the result Hans.Tester for the Ivy-Session.

So why is that? Or how can I make shure, that the Session is taken correctly by ivy?

First guess is, that the username comes with the Environment (TESTENV.LOCAL). If it is the Issue, how to shut that down?

With further investigation I found out more:

  • In a Windows-Environment under IIS the UserName of the Tomcat-Session is in this format: TESTENV\Alexis.Suter
  • The Ivy-Session is not saved into Tomcat-request. (When only logging in to Ivy)

Thanks in advance!

asked 13.05.2015 at 09:04

Alexis's gravatar image

Alexis
(suspended)
accept rate: 66%

edited 15.05.2015 at 14:15

2 Answers:
active answersoldestnewestmost voted
1

After a lot of research I found this solution.

In httpd.conf I added this code to the Location-Tag (< Location /ivy5 >) it will simply chopp off the @REALM from the User sent to Ivy. It is so far the simplest and possibly the only way to modify the User before it is given to Tomcat.

    RewriteEngine On
    RewriteCond %{LA-U:REMOTE_USER} ^(.+)@.*$
    RewriteRule ^ - [E=JK_REMOTE_USER:%1]

Most informations I got from: httpd.apache.org/docs/2.2/mod/mod_rewrite.html

link

answered 20.05.2015 at 16:19

Alexis's gravatar image

Alexis
(suspended)
accept rate: 66%

1

Hi Alexis

The problem is that Axon.ivy is not prepared that the user name is in the format user@domain. It can handle SSO if the user name is in format user or like in IIS domain\user.

Try to change Apache configuration to provide the user name in a support format.

If this is not possible and it is important for your project sent a feature request to our support so that we can also support the format provided by Apache.

link

answered 18.05.2015 at 11:06

Reto%20Weiss's gravatar image

Reto Weiss ♦♦
4.9k202857
accept rate: 74%

Hello Reto

Thanks a lot for this input! It brought me on the right path to focus on Apache-Configuration.

(20.05.2015 at 16:21) Alexis Alexis's gravatar image
Your answer
toggle preview

Follow this question

By Email:

Once you sign in you will be able to subscribe for any updates here

By RSS:

Answers

Answers and Comments

Markdown Basics

  • *italic* or _italic_
  • **bold** or __bold__
  • link:[text](http://url.com/ "Title")
  • image?![alt text](/path/img.jpg "Title")
  • numbered list: 1. Foo 2. Bar
  • to add a line break simply add two spaces to where you would like the new line to be.
  • basic HTML tags are also supported

learn more about Markdown

Tags:

×16
×14
×7

Asked: 13.05.2015 at 09:04

Seen: 2,935 times

Last updated: 20.05.2015 at 16:21

Related questions

Calling NTLM protected REST service with SSO

Logging last login of a user

How to authenticate a user that is provided by a Single Sign On (SSO) proxy.

Can I reduce the session-views that are held in the engine memory?

How to connect To SystemDB using Windows-Authentification

How to extend a user session time programmatically?

REST token authentication

Language of system session

Login Process for SSO

REST API and JSESSIONID