ManyDesigns: Single sign-on

Documentation > 3.1.x > Reference manual >

Single sign-on

Contents

Purpose

Single sign-on allows you to delegate authentication and authorization to a common infrastructure specifically designed for this purpose, such as an LDAP server.

In this way, you can centralize and avoid duplication of security information and functionality.

Generally, when you start a new application, you develop it using local authentication. This means using user management and permissions as described in previous chapters. Then,

A note on the terminology: in single sign-on, "role" is a synonym of "user group".

Configuring Portofino

Step 1: Configure the role (user group) for all users
Single sign-on administrators often configure a role for all the users who can access a certain application. Find out what that role is. For example let's suppose your application is called myapp and that the role is myapp-users.

If your single sign-on does not a role like te one described, you may use the role for the generic user (e.g., all-users).

Start ManyDesigns Portofino without single sign-on. Log in at the upstairs level. Click on the Meta user groups tab and click on the object called Users. Edit its name to match the aforementioned role (myapp in the example).

Step 2: Configure the deployment descriptor
Edit the WEB-INF/web.xml file.
Locate the following xml elements:

security-constraint
login-config
security-role

and make sure they are uncommented.

Locate the following elements:

security-constraint -> auth-constraint -> role-name
security-role -> role-name

and change their value to match the role identified in step 1 (myapp in the example).

Step 3: Configure the properties file
Edit or add the following line in portofino-custom.properties:

security.type=container

This instructs to start using the container-manged security. See the servlet API documentation for the technical details.

Configuring the application server

Here is a list of external documentation that can help you configure your specific application server.

Apache Tomcat 6.0:

Realm configuration how-to
The valve component (section "Single sign-on valve")

Glassfish:

Security FAQ

Oracle OC4J and OracleAS:

Understanding OC4J security

JBoss:

Security on JBoss

Alignment between single sign-on and the local database

Users

Users are automatically aligned, on demand, from the single sign-on to the local database.

Any time a user successfully logs in through single sign-on, Portofino checks if a corresponding object exists in the User class. If not, it creates one, setting the login field to the login/username provided by the single sign-on.

If a user is on the local database but not on the single sign-on, the user is not allowed to log in.

Roles/user groups

Roles are not automatically aligned, i.e., no roles are created on the local database based on roles provided by the single sign-on.

Make sure the local user groups (as meta user groups upstairs, or user groups downstairs) are properly configured.

There are three situations:

role on the single sign-on only: the role is ignored;
role both on the single sign-on and the local database (the names must match): the role is used;
roles on the local database only: the role is used.

You can have a mix of situation 2 and 3. Situation 2 is useful for coarser-grained roles, situation 3 for finer-grained ones.

Associations of users to user groups

Associations of users to user group are not automatically aligned, i.e., no associations (in the User_UserGrp class) are created on the local database based on mappings provided by the single sign-on.

When the permission systems need to verify whether a user is assigned to a role, Portofino performs these operations:

first, it verifies whether the association is present on the single sign-on;
if not, it verifies whether the association is present on the local database.

This technique allows you to manage the associations with maximum flexibility: on the single sign-on, locally, or with a mix of the two.

Example configurations

LDAP and Microsoft Active Directory for Tomcat

In this example we configure Portofino with Apache Tomcat to use the LDAP authentication (or Microsoft Active Directory).
To configure an LDAP authentication you have to define a realm in Tomcat. You can access with the same method also a Microsoft Active Directory Domain.
To create a Realm modify your conf/server.xml configuration file as in the following example:

<Realm className="org.apache.catalina.realm.JNDIRealm" debug="99"

               connectionURL="ldap://servername:389"
               alternateURL="ldap://servername:389"
               userRoleName="memberOf"
               userBase="cn=Users,dc=domainname"
               userPattern="cn={0},cn=Users,dc=domainname"
               roleBase="cn=Users,dc=domainname"
               roleName="cn"
               roleSearch="(memberOf={0})"
               roleSubtree="true"
               userSubtree="true"
               connectionName="cn=username,cn=Users,dc=domainname"
               connectionPassword="password"

       />

Username and password must be the ones of a user that can explore the LDAP hierarchy.

Finally you have to modify your web.xml adding the following lines:

...
<auth-constraint>
                <description>
                    Role (i.e. user group) containing all the users who can access the application.
                    Make sure this role is listend in the security-role section below.
                </description>
                <role-name>CN=Users,CN=

Builtin,DC=domainname</role-name>
</auth-constraint>
</security-constraint>
        <login-config>
            <auth-method>FORM</auth-method>
            <form-login-config>
                <form-login-page>/Login</form-login-page>
                <form-error-page>/LoginErrorPage</form-error-page>
            </form-login-config>
        </login-config>
        <security-role>
            <description>
                Role (i.e. user group) containing all the users who can access the application
            </description>
            <role-name>CN=Users,CN=Builtin,DC=domainname</role-name>
        </security-role>
...
</security-constraint>
...

Previous: Listeners

Next: Versioning