Single Sign On (SSO) vs. Automatic Authentication Script

We have been experiencing difficulties with our Single Sign On setup for a long time now. We are using the Metastorm web client with Internet Explorer, but we don't use the client portal to give our users their lists of BPM folders. Instead, they access their folders via external links, for example, from an email. To the best of my knowledge, using external BPM urls is an acceptable and supported way of accessing metastorm folders; it's published in the BPM Web Authors Guide.

Our approach works, for the most part, but periodically (and more frequently now, for some reason, with IE 8), our users will be presented with a windows logon box (see attached image). It mostly appears at random, but I've noticed that if they already have a number of other BPM folder windows open (successfully opened with SSO and all that), the windows logon box appears when they try to open the "next" folder (again, it happens at random, so it could happen after the second, third, forth, etc. successfully-loaded folder window).

Our users are particularly intolerant of extra clicks and extra typing; they want the authentication to be seemlessly integrated (and I don't blame them). So, while it works to have them type their credentials into the random windows logon popup, I don't consider that to be a solution.

Has anyone come across this before? I'd greatly appreciate any help with this issue, as it's fast becoming the main user complaint with our BPM systems.

Find more posts tagged with

BPM

Comments

Apperson_Rory

Oops, I meant to continue my question (the 'Automatic Authentication Script' portion of the subject line):

I have considered modifying the default user authentication (non-SSO) script so it obtains the currently-logged-on windows user (via available windows script host calls -- not difficult to do), and then automatiicaly fills in the form with username (we don't use passwords) and submits the form. The users would see a brief flash as the BPM web logon form is submitted, but it would, in my mind, be a wonderful alternative to the problems we've had with SSO (see original post). I know there are a lot of purists who would have a problem with this approach, but in our environment, we have relatively few users and we don't have any BPM procedures that must be completely secured (which is why we don't have BPM user passwords).

So my question is this: how can I modify the logon script so it auto-submits? I've tried calling the eWork submit method (which I took from the submit button) on form load event, but it doesn't work.

Thanks again.

Scott_Leclerc

I would recommend that you correct your SSO setup instead of relying on some other method to accomplish the same thing that SSO provides for you. What version of MBPM are you using that is giving you the problem? Have you contacted the Metastorm Help Desk to review your SSO configuration?