How to authenticate a user that is provided by a Single Sign On (SSO) proxy.

0

We've got a SSO-Proxy for most of our web applications. I'd like to make use of the SSO-Proxy instead of requiring the user to login with his Windows credentials.

I've figured out how I can read the HTTP header containing the user-id. Now I'd like to authenticate as this user, but all provided methods require a password. Is there anyway I can authenticate a user only by his user-id?

This is what I've got to get the user-id:

package ch.company.ivy.security;

import java.util.Map;

import javax.faces.context.FacesContext;

public class Auth {
    Map<String, String> headers;
    String userId;

    public Auth() {
        headers = FacesContext.getCurrentInstance().getExternalContext().getRequestHeaderMap();
        userId = headers.get("UID").toString();
    }

    public String getUserId() {
        return this.userId;
    }
}

asked 25.01.2014 at 15:28

ahatius's gravatar image

ahatius
(suspended)
accept rate: 0%

edited 27.01.2014 at 11:42

Reto%20Weiss's gravatar image

Reto Weiss ♦♦
4.9k202857
One Answer:
active answersoldestnewestmost voted
1

Xpert.ivy uses internally an embedded Tomcat web server. Maybe your SSO-Proxy delivers support for Tomcat (e.g. a Tomcat valve or realm or filter) so that Tomcat can use the user information from your SSO Proxy and provides them to the deployed web applications. Xpert.ivy is such a deployed web application and will read the user information provided by Tomcat. If there is an Xpert.ivy user that has the same name as the one provided by Tomcat it will automatically authenticated the user without any further configuration or logic necessary.

Overview how this works:

Client -> SSO-Proxy -> Tomcat -> SSO-Proxy-Valve -> Xpert.ivy

SSO-Proxy: Delivers user name in UID http parameter

SSO-Proxy-Value: Reads UID parameter and sets user principal on the tomcat request

Xpert.ivy: Reads the user principal from the tomcat request and lookup a Xpert.ivy user with the same name. If it founds one it will be authenticate on the session automatically.

This works similar to SSO with IIS described in the Server Guide. The main difference is that you have to install and configure the SSO-Proxy specific Tomcat value, realm or filter. The corresponding tomcat configuration files are located at:

  • /webapps/ivy/WEB-INF/web.xml
  • /webapps/ivy/META-INF/context.xml

However, there is also an API to do something similar in your process: 

import ch.ivyteam.ivy.security.IUser;

String userName = ivy.request.getParameter("UID").toString();
IUser user = ivy.session.getSecurityContext().findUser(userName);
ivy.session.authenticateSessionUser(user, "SSO-Proxy");
link

answered 27.01.2014 at 11:33

Reto%20Weiss's gravatar image

Reto Weiss ♦♦
4.9k202857
accept rate: 74%

edited 27.01.2014 at 11:42

I'll check this with our SSO guys, there seems to be a tomcat-sso integration :)

(28.01.2014 at 10:10) ahatius ahatius's gravatar image

Hi Reto, After I retrieved the IUser by using:

IUser user = ivy.session.getSecurityContext().findUser(userName);

then set some basic information for this user likes

user.setFullName("MyFullname");

It seem override the information of User in database also. I wonder if there is any API to working with IUser without affect to the database?

(25.04.2017 at 07:06) thienqh thienqh's gravatar image

No, there is no such API. IUser is always backed in the database. What is the use case? Setting the fullname from a SSO Proxy seems to be weird?

(26.04.2017 at 02:44) Reto Weiss ♦♦ Reto%20Weiss's gravatar image

Follow this question

By Email:

Once you sign in you will be able to subscribe for any updates here

By RSS:

Answers

Answers and Comments

Markdown Basics

  • *italic* or _italic_
  • **bold** or __bold__
  • link:[text](http://url.com/ "Title")
  • image?![alt text](/path/img.jpg "Title")
  • numbered list: 1. Foo 2. Bar
  • to add a line break simply add two spaces to where you would like the new line to be.
  • basic HTML tags are also supported

learn more about Markdown

Tags:

×26
×16
×7

Asked: 25.01.2014 at 15:28

Seen: 5,621 times

Last updated: 26.04.2017 at 06:18

Related questions

Is it possible to authentication an application user like a system administrator?

Calling NTLM protected REST service with SSO

SSO on Apache: not logged in to Ivy but in tomcat?

How to set information for logon IUser without permanently store to system?

REST token authentication

Manage users of several applications by a single admin user

can I check what are Users online or offline in xpert ivy use IUSER ?

Assign user Tasks to another (user will be deleted)

REST API and JSESSIONID

How to reassign tasks of users that are absent