Implementing SSO for DFS services

Hi,

We have a requirement to implement single sign on for many of our enterprise applications with Documentum. These applications use DFS to execute DCTM related activities.

In the current scenario, these client applications are expected to provide the user id and password to create a context in DFS. We want to implement it in such a way that the request should only contain the user id, the token/password should be automatically retrieved from RSA cleartrust server to proceed with the authentication.

Is this feature already supported out of the box or would it involve writing a custom service to retrieve the token from the RSA server.

I have checked the SSOIdentity object but the api expects the token to already be available while creating the object.

Regards,

Yogesh

Find more posts tagged with

Comments

aflowers001

Do you use RSA cleartrust to authenticate your application users? If so you should be getting the token back from the logon request at the application and that can be saved and reused in th DFS calls.

kanchanyogi555

I apologize for the delayed response.

Yes we do use RSA cleartrust for authenticating the application user. When my application is first invoked the request is redirected to Cleartrust server and it writes a cookie for my application. The cookie name is CTSESSION.The text in the cookie is not being recognized as valid token by the DFS service. Are there any configurations that I need to check on the DFS server? Below is the code snippet that I use:HttpCookie cookies = Request.Cookies["CTSESSION"]; service.setSSOContext(txtUserName.Text, cookies.Value,ConfigurationManager.AppSettings.Get("RepositoryName"),ConfigurationManager.AppSettings.Get("DFSServer"));public void setSSOContext(string userName, string password, string repository, string address)
        {
            if (userName == null || password == null || repository == null)
            {
                    throw new Exception("None of the arguments can be null");
            }
            this.repository = repository;
            this.userName = userName;
            this.password = password;            try
            {                this.address = address;
                Console.WriteLine(String.Format("Using DFS Server: {0}", address));
                ContextFactory contextFactory = ContextFactory.Instance;
                serviceContext = contextFactory.NewContext();
                SsoIdentity ssoIdentity = new SsoIdentity();
                ssoIdentity.UserName = userName;
                ssoIdentity.Password = password;
                ssoIdentity.SsoType = "dm_rsa";
                Console.WriteLine(String.Format("Docbase: {0}, Username: {1},", repository, userName));
                serviceFactory = ServiceFactory.Instance;

                serviceContext.AddIdentity(ssoIdentity);
            }
            catch (Exception ex)
            {
                Console.WriteLine("Could not find DFS server location in the config file: " + ex.StackTrace);
            }
        }I checked how its being done in Webtop and looked at the following class: com.documentum.web.formext.session.RSASSOAuthenticationSchemeprotected String generateSSOPassword(String ticket, String docbaseName)    {        StringBuffer bufTicket = new StringBuffer(512);        bufTicket.append("DM_PLUGIN");        bufTicket.append("=");        bufTicket.append(m_eCSPlugIn);        bufTicket.append("/");        bufTicket.append(ticket);        return bufTicket.toString();

}

I tried replicating the same approach to generate the token but it did not work. Am I doing something wrong here?

aflowers001

Hi,

take a look in the DFS deployment guide as this has a chapter about how to configure sso.properties on the server side such that it understands the token being passed in, i.e. you tell it what HTTP header value has the token.

To create the SSO identity the reuses the HTTP headers use the relevant SSO indetity constructor, i.e.

SsoIdentity(HttpServletRequest request)

All of these are covered throughout the DFS manuals (but I only have access to the 6.7 manuals so earlier versions might not have as much)

For this I assume that you authenticate into a web site, via RSA, and then wish to chain calls to DFS.