Webtop 6.7 SSO with HTTP Header through Websphere

Wilhelm_PERAUD
edited September 30, 2014 in Documentum #1

Hi,

I'd like to enable SSO thanks to an HTTP Header through Websphere.

Our actual authentication follows this order:

- the user authenticates to an LDAP through a reverse proxy

- the user is then redirected to Websphere, which validates the user

- then, the user accesses webtop

As our system is evolving, we would like to:

#1 - skip the validation in Websphere thanks to a Trust Association Interceptor

#2 - replace the reverse proxy by another "box" (already existing) which fills the HTTP Request with an HTTP Header that contains user info (especially its ID)

#1 We have successfully installed a Trust Association Interceptor in Websphere.

We installed the Interceptor and changed the security to skip the validation.

Before, the validation used an LDAP that only contains users' IDs.

In webtop, we changed the authentication scheme to make the UserPrincipalAuthenticationScheme the first one.

We also set up a trusted user in the TrustedAuthenticatorCredentials.properties, added the webapp to the app.xml and activated SSO in the web.xml.

Now, when a user authenticates, he bypasses Websphere (so #1 works) but when he arrives in webtop, the authentication scheme used is not the first one, but the second.

So, it seems that the user can't log in thanks to the UserPrincipalAuthenticationScheme. I couldn't find any log.

As we are going to use an HTTP header that contains the user ID, should we use the UserPrincipalAuthenticationScheme? Or is there any way that best fits our needs?

Did we miss something?

Is there a way to trace precisely the authentication?

[Edit September 30th]

There is a document about Principal Authentication with Websphere: https://www.emc.com/collateral/software/white-papers/h8213-j2ee-webtop-wp.pdf

I'm going to make some tests, but not with the user.prop and the group.prop files.

We have too many users for that solution.

Thank you.

This message was edited by: Wilhelm_PERAUD
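
For the header-based setup described in the post above, a WebSphere Trust Association Interceptor that accepts the user ID header only when the request arrives from the trusted "box", shown as an added example that is not code from the post, EMC or IBM. The class name, the `sso.header` and `sso.trustedSources` custom properties and the `X-SSO-User` header name are assumptions.

```java
import java.util.HashSet;
import java.util.Properties;
import java.util.Set;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import com.ibm.websphere.security.WebTrustAssociationException;
import com.ibm.websphere.security.WebTrustAssociationFailedException;
import com.ibm.wsspi.security.tai.TAIResult;
import com.ibm.wsspi.security.tai.TrustAssociationInterceptor;

// Hypothetical interceptor: class, property and header names are assumptions.
public class HeaderSsoInterceptor implements TrustAssociationInterceptor {
    private String headerName;
    private final Set<String> trustedSources = new HashSet<String>();

    // Reads the interceptor's custom properties; refuses to start without an allowlist.
    public int initialize(Properties props) throws WebTrustAssociationFailedException {
        headerName = props.getProperty("sso.header", "X-SSO-User");
        for (String s : props.getProperty("sso.trustedSources", "").split(",")) {
            if (s.trim().length() > 0) trustedSources.add(s.trim());
        }
        if (trustedSources.isEmpty()) {
            throw new WebTrustAssociationFailedException("sso.trustedSources is empty");
        }
        return 0; // 0 = initialized successfully
    }

    // Claim only requests that carry the SSO header; others use normal WebSphere login.
    public boolean isTargetInterceptor(HttpServletRequest req) throws WebTrustAssociationException {
        return req.getHeader(headerName) != null;
    }

    public TAIResult negotiateValidateandEstablishTrust(HttpServletRequest req, HttpServletResponse res)
            throws WebTrustAssociationFailedException {
        // The header is only as trustworthy as its sender: reject any other source address.
        if (!trustedSources.contains(req.getRemoteAddr())) {
            throw new WebTrustAssociationFailedException("untrusted source " + req.getRemoteAddr());
        }
        String user = req.getHeader(headerName);
        if (user == null || !user.matches("[A-Za-z0-9._-]{1,64}")) {
            throw new WebTrustAssociationFailedException("missing or malformed " + headerName);
        }
        // Establishes the container principal for this request.
        return TAIResult.create(HttpServletResponse.SC_OK, user);
    }

    public String getVersion() { return "1.0"; }
    public String getType() { return getClass().getName(); }
    public void cleanup() { }
}
```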