Single Sign-On Integration with Windows January 2010 Enterprise Knowledge Platform Single Sign-On Integration with Windows Single Sign-On Integration with Windows January 2010 Document Information Document ID: EN136 Document title: EKP Single Sign-On Integration with Windows Version: 1.3 Document date: 19 January 2010 This document may be revised from time to time. Please check NetDimensions Support site at www.netdimensions.com/support for updates to this and other documents or send an e-mail to [email protected] to request the most recent version. Please report any errors or feedback with this document by sending an e-mail to [email protected]. Copyright Information Copyright 2000-2009 by NetDimensions Ltd. All Rights Reserved. Information in this document is subject to change without notice. The software described herein is furnished under a license agreement, and it may be copied only in accordance with the terms of that agreement. No part of this publication may be reproduced, transmitted, or translated in any form or by any means without the prior written permission of NetDimensions Ltd. All company and product names used herein may be trademarks or registered trademarks of their respective companies unless stated otherwise. How to Contact NetDimensions Support +852 2122 4588 1 866 206 6698 US toll-free number +852 2122 4588 [email protected] www.netdimensions.com/support General Enquiries +852 2122 4500 +852 2122 4588 [email protected] www.netdimensions.com Single Sign-On Integration with Windows January 2010 Table of Contents Description .................................................................................................................................1 SSO Integration...........................................................................................................................2 Integrated Windows Authentication .............................................................................................. 2 Limitations ................................................................................................................................ 2 Seamless integration ................................................................................................................ 2 SSO Login Process ........................................................................................................................... 2 Login Process ............................................................................................................................ 2 Sample Configuration .................................................................................................................4 Configure the Microsoft IIS Web Server ......................................................................................... 4 Configure EKP to Use Windows SSO ............................................................................................... 5 Enabling ASP.NET v2.0 .................................................................................................................... 6 ASP.NET Configuration ................................................................................................................... 6 Protecting Web.config .................................................................................................................... 7 EKP Configuration ........................................................................................................................... 8 Troubleshooting .........................................................................................................................9 Internet Explorer ............................................................................................................................ 9 Firefox ............................................................................................................................................. 9 Single Sign-On Integration with Windows January 2010 Description About This Guide Single Sign-On (SSO) service enables users to enter user ID and password information once, and to subsequently use other applications without being required to enter this information again. The Enterprise Knowledge Platform (EKP) is able to participate in SSO environments, thus simplifying application use for the users, and minimizing the burden placed upon administrators. SSO functionality is a desirable capability in most corporate environments as it eliminates the need for the user to remember multiple user Ids and passwords for different application systems, and makes it easier for administrators to manage since a central repository maintains basic user ID data. SSO may be implemented using a variety of techniques and may be based upon authentication software services from a variety of suppliers. The interfaces to many of these systems are proprietary. Hence, the solution is unique to the specific SSO vendor environment. The focus in this paper is a description of the configuration requirements for Microsoft Integrated Windows Authentication. The set-up described in the document is applicable to EKP5.7 and later versions. If You Need Help If you cannot resolve a configuration problem using this guide or the online help, or if you should have any queries related to the technology employed within EKP, your first line of contact should be as described in your Technical Support Contract. For other queries, or if you are not sure whom to contact, NetDimensions Ltd. may be contacted at [email protected]. Please also refer to the support section of the NetDimensions web site at www.netdimensions.com for the latest information regarding various services. 1 Single Sign-On Integration with Windows January 2010 SSO Integration Integrated Windows Authentication EKP provides basic SSO capability by leveraging the integrated Windows authentication provided by Microsoft Internet Information Server (IIS). Thus, it imposes some limitations in the SSO implementation. Limitations 1. Integrated Windows authentication is only supported in Microsoft IIS. 2. Only Microsoft Internet Explorer 2.0 or later supports this authentication method. 3. Integrated Windows authentication does not work over HTTP proxy connections and firewalls. 4. This solution is only suitable for intranet and IIS web server environments where the client machines are in the same Windows domain. Seamless integration SSO is tightly integrated with Windows servers and it doesn’t require any extra software for implementation. This solution is a good fit for Windows centric organizations. SSO Login Process To enable SSO, there is a special login page “ekpsso.aspx” used for this purpose. This login page is not visible to the end-user but the administrator should create an entry link to EKP using this page or set this page as the default front page of the site. Login Process 1. From some internal web site, link to the EKP Windows SSO start page (e.g. http://<hostname>/ekp/ekpsso.aspx, assuming the default site context is ekp) 2. The code within ekpsso.aspx is able to determine the Windows user ID of the current user. By making use of settings in the configuration file Web.config, it creates an encrypted 2 Single Sign-On Integration with Windows January 2010 authentication token which is passed to EKP. The same encryption key resides in Web.config and in EKP’s ekp.properties 3. If EKP can decrypt the information sent from ekpsso.aspx, it can safely assume that the user ID is genuine and login the user. 3 Single Sign-On Integration with Windows January 2010 Sample Configuration Configure the Microsoft IIS Web Server 1. Add virtual directory ekp to the web server. Important Note The name must match the application context name. The default ekp will be used throughout this example. Run Computer Management by clicking Start on the Windows desktop, and then selecting Control Panel > Administrative Tools > Computer Management. Select Services and Application and expand Internet Information Services. Select Default Web Site and do a right mouse click and then select New > Virtual Directory. Input ekp as the Virtual Directory Alias. Choose the EKP document root (Default: <tomcat_home>\webapps\ekp) as the Web Site Content Directory. Click Next to accept default for Access Permissions. 2. Set the directory security of ekp. Warning If the Integrated Windows authentication is not set, it is equivalent to disabled security checking. Select ekp virtual directory and set it to use Integrated Windows authentication by doing a right mouse click and then select properties. Choose the Directory Security tab folder and click Edit. Uncheck anonymous access and check the Integrated Windows authentication. Note Make sure the Integrated Windows authentication is checked. 4 Single Sign-On Integration with Windows January 2010 Figure 1: Authentication Methods Configure EKP to Use Windows SSO 1. To enable SSO, change the logon page from (default) http://<hostname>/ekp/index.html to http://<hostname>/ekp/ekpsso.asp Note If the application context name is not the default (ekp), the redirect URL in ekpsso.asp has to be changed accordingly. 5 Single Sign-On Integration with Windows January 2010 Enabling ASP.NET v2.0 Version 2.0 of the .NET framework needs to be installed. Even if it has already been installed previously, it should be done again after the installation of IIS to prevent possible errors. 1. Open up the Command Prompt and enter the following commands: cd %WINDIR%\Microsoft.Net\Framework\v2.0.50727 aspnet_regiis –i