Questions Tagged With sso
https://answers.axonivy.com/tags/sso/?type=rss
Tue, 02 Jul 2019 02:46:52 -0400

Logging last login of a user
https://answers.axonivy.com/questions/3871/logging-last-login-of-a-user
<p>In my application, users can log in in various ways...</p> <ul> <li>SSO: WAF via Tomcat valve </li> <li>SSO: IIS integration</li> <li>directly on the portal's login page (only for test/development systems)</li> </ul> <p>Now I have the challenge to create a mechanism that can log the last successful login of a user and write this information to my application DB or to the user in the Ivy system DB.</p> <p>Which options do I have to do this?</p>
Author: timorupp
Date: Tue, 02 Jul 2019 02:46:52 -0400
Tags: login, session, logging, sso

Calling NTLM protected REST service with SSO
https://answers.axonivy.com/questions/3477/calling-ntlm-protected-rest-service-with-sso
<p>In Ivy 7.1, is it possible to call an NTLM-protected web service using the logged-in user (therefore not configuring user/password in the REST client)?</p>
Author: peters
Date: Mon, 08 Oct 2018 05:45:55 -0400
Tags: sso, ntlm, authentication, rest

Login Process for SSO
https://answers.axonivy.com/questions/1867/login-process-for-sso
<p>Hi All,</p> <p>Is it possible to send system events in the login process to load user specific settings in Applications using SSO? I added a ScriptStep in JsfWorkflowUi &gt; HTML Dialogs &gt; Login Logic. This works fine but only for non-SSO Applications.</p> <p>Best Regards, Florian</p>
Author: Florian Heinrich
Date: Tue, 05 Jul 2016 13:25:08 -0400
Tags: sso, systemevent

Issue when apply SSO with IIS 8 and Ivy Server
https://answers.axonivy.com/questions/1801/issue-when-apply-sso-with-iis-8-and-ivy-server
<p>Hi all, Our project requires SSO as an authentication method. 
I have integrated it with IIS 8 and Ivy Server. But I have 1 issue: when the user accesses our application and his/her account is not in the LDAP directory which I have configured on Ivy Admin, the exception occurs. It seems like the authentication process occurs at the IIS layer, then the authorization process occurs later, so the user is able to access the "index.jsp" page, but not other pages (which require that the user be in the LDAP directory). So my questions are:</p> <ol> <li>How does IIS authenticate the user? Which LDAP directory does it use to authenticate the user?</li> <li>If those things above are true (authentication first, authorization later), how can I handle it when an account (which does not exist in the LDAP directory of our app) accesses my app? For example, redirect to a custom error page.</li> </ol> <p>This is the stack trace when the exception occurs: </p>
<pre><code>ch.ivyteam.ivy.persistence.PersistencyException: javax.naming.directory.InvalidSearchFilterException: Missing 'equals'; remaining name 'CN=hcmc-4axonivy,OU=AAVN_HCM,DC=aavn,DC=local' at ch.ivyteam.ivy.security.internal.jndi.JndiSecuritySystem.executeWithCachedContext(JndiSecuritySystem.java:641) at ch.ivyteam.ivy.security.internal.jndi.JndiSecuritySystem.synchronizeUser(JndiSecuritySystem.java:1053) at ch.ivyteam.ivy.security.internal.jndi.JndiSecuritySystem.findUser(JndiSecuritySystem.java:519) at ch.ivyteam.ivy.security.internal.jndi.JndiSecuritySystem.findUser(JndiSecuritySystem.java:1) at ch.ivyteam.ivy.security.internal.SecurityContext$7.execute(SecurityContext.java:439) at ch.ivyteam.ivy.security.internal.SecurityContext$7.execute(SecurityContext.java:1) at ch.ivyteam.ivy.persistence.base.AbstractPersistencyService.execute(AbstractPersistencyService.java:169) at ch.ivyteam.ivy.persistence.base.ClassPersistencyService.execute(ClassPersistencyService.java:648) at ch.ivyteam.ivy.persistence.client.PersistentClientObjectChildren.execute(PersistentClientObjectChildren.java:543) at 
ch.ivyteam.ivy.security.internal.SecurityContext.execute(SecurityContext.java:1331) at ch.ivyteam.ivy.security.internal.SecurityContext.findUser_aroundBody14(SecurityContext.java:433) at ch.ivyteam.ivy.security.internal.SecurityContext.findUser_aroundBody15$advice(SecurityContext.java:34) at ch.ivyteam.ivy.security.internal.SecurityContext.findUser(SecurityContext.java:1) at ch.ivyteam.ivy.security.internal.WebContainerApprovedUserAuthenticator.findUser(WebContainerApprovedUserAuthenticator.java:83) at ch.ivyteam.ivy.security.internal.WebContainerApprovedUserAuthenticator.authenticate(WebContainerApprovedUserAuthenticator.java:46) at ch.ivyteam.ivy.security.internal.Session.authenticateWebContainerApprovedUser(Session.java:1193) at ch.ivyteam.ivy.webserver.internal.IvySession.authenticateSessionUser(IvySession.java:228) at ch.ivyteam.ivy.webserver.internal.IvySession.getSecuritySession(IvySession.java:142) at ch.ivyteam.ivy.webserver.internal.IvySession.getSession(IvySession.java:127) at ch.ivyteam.ivy.webserver.internal.AbstractServlet.setSession(AbstractServlet.java:489) at ch.ivyteam.ivy.webserver.internal.process.IvyProcessServlet.doRespondAsSystem(IvyProcessServlet.java:51) at ch.ivyteam.ivy.webserver.internal.AbstractServlet.prepareRespondAsSystem(AbstractServlet.java:231) at ch.ivyteam.ivy.webserver.internal.AbstractServlet.access$3(AbstractServlet.java:213) at ch.ivyteam.ivy.webserver.internal.AbstractServlet$2.call(AbstractServlet.java:191) at ch.ivyteam.ivy.security.internal.SecurityManager.executeAsSystem(SecurityManager.java:1467) at ch.ivyteam.ivy.webserver.internal.AbstractServlet.doService(AbstractServlet.java:185) at ch.ivyteam.ivy.webserver.internal.AbstractServlet.doGet(AbstractServlet.java:169) at javax.servlet.http.HttpServlet.service(HttpServlet.java:624) at javax.servlet.http.HttpServlet.service(HttpServlet.java:731) at sun.reflect.GeneratedMethodAccessor123.invoke(Unknown Source) at 
sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43) at java.lang.reflect.Method.invoke(Method.java:497) at org.apache.catalina.security.SecurityUtil$1.run(SecurityUtil.java:288) at org.apache.catalina.security.SecurityUtil$1.run(SecurityUtil.java:285) at java.security.AccessController.doPrivileged(Native Method) at javax.security.auth.Subject.doAsPrivileged(Subject.java:549) at org.apache.catalina.security.SecurityUtil.execute(SecurityUtil.java:320) at org.apache.catalina.security.SecurityUtil.doAsPrivilege(SecurityUtil.java:175) at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:297) at org.apache.catalina.core.ApplicationFilterChain.access$000(ApplicationFilterChain.java:55) at org.apache.catalina.core.ApplicationFilterChain$1.run(ApplicationFilterChain.java:191) at org.apache.catalina.core.ApplicationFilterChain$1.run(ApplicationFilterChain.java:187) at java.security.AccessController.doPrivileged(Native Method) at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:186) at ch.ivyteam.ivy.webserver.internal.exception.IvyExceptionFilter.doFilter(IvyExceptionFilter.java:49) at sun.reflect.GeneratedMethodAccessor92.invoke(Unknown Source) at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43) at java.lang.reflect.Method.invoke(Method.java:497) at org.apache.catalina.security.SecurityUtil$1.run(SecurityUtil.java:288) at org.apache.catalina.security.SecurityUtil$1.run(SecurityUtil.java:285) at java.security.AccessController.doPrivileged(Native Method) at javax.security.auth.Subject.doAsPrivileged(Subject.java:549) at org.apache.catalina.security.SecurityUtil.execute(SecurityUtil.java:320) at org.apache.catalina.security.SecurityUtil.doAsPrivilege(SecurityUtil.java:260) at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:237) at 
org.apache.catalina.core.ApplicationFilterChain.access$000(ApplicationFilterChain.java:55) at org.apache.catalina.core.ApplicationFilterChain$1.run(ApplicationFilterChain.java:191) at org.apache.catalina.core.ApplicationFilterChain$1.run(ApplicationFilterChain.java:187) at java.security.AccessController.doPrivileged(Native Method) at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:186) at ch.ivyteam.ivy.webserver.internal.IvyFilter.doFilterInternal(IvyFilter.java:267) at ch.ivyteam.ivy.webserver.internal.IvyFilter.doFilter(IvyFilter.java:172) at sun.reflect.GeneratedMethodAccessor92.invoke(Unknown Source) at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43) at java.lang.reflect.Method.invoke(Method.java:497) at org.apache.catalina.security.SecurityUtil$1.run(SecurityUtil.java:288) at org.apache.catalina.security.SecurityUtil$1.run(SecurityUtil.java:285) at java.security.AccessController.doPrivileged(Native Method) at javax.security.auth.Subject.doAsPrivileged(Subject.java:549) at org.apache.catalina.security.SecurityUtil.execute(SecurityUtil.java:320) at org.apache.catalina.security.SecurityUtil.doAsPrivilege(SecurityUtil.java:260) at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:237) at org.apache.catalina.core.ApplicationFilterChain.access$000(ApplicationFilterChain.java:55) at org.apache.catalina.core.ApplicationFilterChain$1.run(ApplicationFilterChain.java:191) at org.apache.catalina.core.ApplicationFilterChain$1.run(ApplicationFilterChain.java:187) at java.security.AccessController.doPrivileged(Native Method) at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:186) at ch.ivyteam.ivy.webserver.internal.IvyExecuteAsSystemFilter$1.call(IvyExecuteAsSystemFilter.java:45) at ch.ivyteam.ivy.webserver.internal.IvyExecuteAsSystemFilter$1.call(IvyExecuteAsSystemFilter.java:1) at 
ch.ivyteam.ivy.security.internal.SecurityManager.executeAsSystem(SecurityManager.java:1467) at ch.ivyteam.ivy.webserver.internal.IvyExecuteAsSystemFilter.doFilter(IvyExecuteAsSystemFilter.java:39) at sun.reflect.GeneratedMethodAccessor92.invoke(Unknown Source) at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43) at java.lang.reflect.Method.invoke(Method.java:497) at org.apache.catalina.security.SecurityUtil$1.run(SecurityUtil.java:288) at org.apache.catalina.security.SecurityUtil$1.run(SecurityUtil.java:285) at java.security.AccessController.doPrivileged(Native Method) at javax.security.auth.Subject.doAsPrivileged(Subject.java:549) at org.apache.catalina.security.SecurityUtil.execute(SecurityUtil.java:320) at org.apache.catalina.security.SecurityUtil.doAsPrivilege(SecurityUtil.java:260) at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:237) at org.apache.catalina.core.ApplicationFilterChain.access$000(ApplicationFilterChain.java:55) at org.apache.catalina.core.ApplicationFilterChain$1.run(ApplicationFilterChain.java:191) at org.apache.catalina.core.ApplicationFilterChain$1.run(ApplicationFilterChain.java:187) at java.security.AccessController.doPrivileged(Native Method) at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:186) at ch.ivyteam.ivy.webserver.internal.duplicate.IvyDuplicateRequestFilter.doFilter(IvyDuplicateRequestFilter.java:74) at sun.reflect.GeneratedMethodAccessor92.invoke(Unknown Source) at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43) at java.lang.reflect.Method.invoke(Method.java:497) at org.apache.catalina.security.SecurityUtil$1.run(SecurityUtil.java:288) at org.apache.catalina.security.SecurityUtil$1.run(SecurityUtil.java:285) at java.security.AccessController.doPrivileged(Native Method) at javax.security.auth.Subject.doAsPrivileged(Subject.java:549) at 
org.apache.catalina.security.SecurityUtil.execute(SecurityUtil.java:320) at org.apache.catalina.security.SecurityUtil.doAsPrivilege(SecurityUtil.java:260) at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:237) at org.apache.catalina.core.ApplicationFilterChain.access$000(ApplicationFilterChain.java:55) at org.apache.catalina.core.ApplicationFilterChain$1.run(ApplicationFilterChain.java:191) at org.apache.catalina.core.ApplicationFilterChain$1.run(ApplicationFilterChain.java:187) at java.security.AccessController.doPrivileged(Native Method) at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:186) at com.google.inject.servlet.FilterChainInvocation.doFilter(FilterChainInvocation.java:89) at com.google.inject.servlet.ManagedFilterPipeline.dispatch(ManagedFilterPipeline.java:119) at com.google.inject.servlet.GuiceFilter$1.call(GuiceFilter.java:133) at com.google.inject.servlet.GuiceFilter$1.call(GuiceFilter.java:130) at com.google.inject.servlet.GuiceFilter$Context.call(GuiceFilter.java:203) at com.google.inject.servlet.GuiceFilter.doFilter(GuiceFilter.java:130) at sun.reflect.GeneratedMethodAccessor92.invoke(Unknown Source) at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43) at java.lang.reflect.Method.invoke(Method.java:497) at org.apache.catalina.security.SecurityUtil$1.run(SecurityUtil.java:288) at org.apache.catalina.security.SecurityUtil$1.run(SecurityUtil.java:285) at java.security.AccessController.doPrivileged(Native Method) at javax.security.auth.Subject.doAsPrivileged(Subject.java:549) at org.apache.catalina.security.SecurityUtil.execute(SecurityUtil.java:320) at org.apache.catalina.security.SecurityUtil.doAsPrivilege(SecurityUtil.java:260) at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:237) at org.apache.catalina.core.ApplicationFilterChain.access$000(ApplicationFilterChain.java:55) at 
org.apache.catalina.core.ApplicationFilterChain$1.run(ApplicationFilterChain.java:191) at org.apache.catalina.core.ApplicationFilterChain$1.run(ApplicationFilterChain.java:187) at java.security.AccessController.doPrivileged(Native Method) at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:186) at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:220) at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:122) at org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:505) at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:170) at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:103) at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:116) at ch.ivyteam.ivy.webserver.internal.PerformanceLogValve.invoke(PerformanceLogValve.java:55) at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:423) at org.apache.coyote.ajp.AjpProcessor.process(AjpProcessor.java:190) at org.apache.coyote.AbstractProtocol$AbstractConnectionHandler.process(AbstractProtocol.java:625) at org.apache.tomcat.util.net.JIoEndpoint$SocketProcessor.run(JIoEndpoint.java:316) at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1142) at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:617) at org.apache.tomcat.util.threads.TaskThread$WrappingRunnable.run(TaskThread.java:61) at java.lang.Thread.run(Thread.java:745) Caused by: javax.naming.directory.InvalidSearchFilterException: Missing 'equals'; remaining name 'CN=hcmc-4axonivy,OU=AAVN_HCM,DC=aavn,DC=local' at com.sun.jndi.ldap.Filter.encodeSimpleFilter(Filter.java:330) at com.sun.jndi.ldap.Filter.encodeFilter(Filter.java:146) at com.sun.jndi.ldap.Filter.encodeFilterList(Filter.java:741) at com.sun.jndi.ldap.Filter.encodeComplexFilter(Filter.java:657) at 
com.sun.jndi.ldap.Filter.encodeFilter(Filter.java:104) at com.sun.jndi.ldap.Filter.encodeFilterString(Filter.java:74) at com.sun.jndi.ldap.LdapClient.search(LdapClient.java:548) at com.sun.jndi.ldap.LdapCtx.doSearch(LdapCtx.java:1985) at com.sun.jndi.ldap.LdapCtx.searchAux(LdapCtx.java:1844) at com.sun.jndi.ldap.LdapCtx.c_search(LdapCtx.java:1769) at com.sun.jndi.toolkit.ctx.ComponentDirContext.p_search(ComponentDirContext.java:392) at com.sun.jndi.toolkit.ctx.PartialCompositeDirContext.search(PartialCompositeDirContext.java:358) at javax.naming.directory.InitialDirContext.search(InitialDirContext.java:276) at ch.ivyteam.ivy.security.internal.jndi.dircontext.LazyBindingDirContextAccess.search(LazyBindingDirContextAccess.java:47) at ch.ivyteam.ivy.security.internal.jndi.JndiSecuritySystem$3$1.execute(JndiSecuritySystem.java:1063) at ch.ivyteam.ivy.security.internal.jndi.JndiSecuritySystem$3$1.execute(JndiSecuritySystem.java:1) at ch.ivyteam.ivy.security.internal.jndi.JndiSecuritySystem.execute(JndiSecuritySystem.java:613) at ch.ivyteam.ivy.security.internal.jndi.JndiSecuritySystem$3.call(JndiSecuritySystem.java:1058) at ch.ivyteam.ivy.security.internal.jndi.JndiSecuritySystem$3.call(JndiSecuritySystem.java:1) at ch.ivyteam.ivy.security.internal.jndi.JndiSecuritySystem.executeWithCachedContext(JndiSecuritySystem.java:637) </code></pre>
Author: qtdan93
Date: Mon, 13 Jun 2016 13:03:28 -0400
Tags: sso

SSO on Apache: not logged in to Ivy but in tomcat?
https://answers.axonivy.com/questions/1319/sso-on-apache-not-logged-in-to-ivy-but-in-tomcat
<p>Hello Ivy-Community!</p> <p>When logged in to Apache (and to Tomcat) the User is not taken by Ivy.</p> <p>In a testing environment I have the following constellation:</p> <ul> <li>Linux environment with Ivy 5.1.3 attached to AD</li> <li>Apache Server with Kerberos Login attached to the same AD</li> <li>Ajp-Connector to Ivy-Tomcat</li> <li>A jsp testing Page in the 
Ivy-Environment (applicationHome on the Application-wf-Page)</li> </ul> <p>So this Page shows me by asking request.getRemoteUser() that this User is logged in: Hans.Tester@TESTENV.LOCAL and a HTTP Session request.getSession().getId(). But getting the Ivy-User by ivySession.getSessionUser() returns null. Except when Logged in manually the result Hans.Tester for the Ivy-Session.</p> <p>So why is that? Or how can I make sure that the Session is taken correctly by ivy?</p> <p>First guess is that the username comes with the Environment (TESTENV.LOCAL). If it is the Issue, how to shut that down?</p> <p>With further investigation I found out more:</p> <ul> <li>In a Windows-Environment under IIS the UserName of the Tomcat-Session is in this format: TESTENV\Alexis.Suter</li> <li>The Ivy-Session is not saved into Tomcat-request. (When only logging in to Ivy)</li> </ul> <p>Thanks in advance!</p>
Author: Alexis
Date: Wed, 13 May 2015 09:04:14 -0400
Tags: sso, session, authentication

Single Sign On with IE11 and IIS does not work?
https://answers.axonivy.com/questions/1042/single-sign-on-with-ie11-and-iis-does-not-work
<p>Since I have upgraded to IE 11, single sign on with IIS and Axon.ivy no longer works. I have to log in on Axon.ivy manually. </p> <p>How can I fix that?</p>
Author: Reto Weiss
Date: Thu, 20 Nov 2014 11:41:37 -0500
Tags: sso, ie, iis

How to authenticate a user that is provided by a Single Sign On (SSO) proxy.
https://answers.axonivy.com/questions/506/how-to-authenticate-a-user-that-is-provided-by-a-single-sign-on-sso-proxy
<p>We've got a SSO-Proxy for most of our web applications. I'd like to make use of the SSO-Proxy instead of requiring the user to login with his Windows credentials.</p> <p>I've figured out how I can read the HTTP header containing the user-id. 
Now I'd like to authenticate as this user, but all provided methods require a password. Is there any way I can authenticate a user only by his user-id?</p> <p>This is what I've got to get the user-id:</p>
<pre><code>package ch.company.ivy.security;

import java.util.Map;

import javax.faces.context.FacesContext;

public class Auth {
    Map&lt;String, String&gt; headers;
    String userId;

    public Auth() {
        // Request headers of the current JSF request.
        headers = FacesContext.getCurrentInstance().getExternalContext().getRequestHeaderMap();
        // The user-id header; the value is already a String, and it is
        // null when the request carries no "UID" header.
        userId = headers.get("UID");
    }

    public String getUserId() {
        return this.userId;
    }
}
</code></pre>
Author: ahatius
Date: Sat, 25 Jan 2014 15:28:14 -0500
Tags: sso, authentication, user