Help with Basic Overiview of SSO

Hi,

Thanks in advance for any advice given. I could use some help with an overview on how all the parts will work with SSO.

My understanding is that if I enable SSO that the user will be authenticated through Active Directory freeing me from having to manage any passwords but...

1) dont I have to have a record in eUser table for that user?

2) In one of our projects (.NET) we query LDAP and insert users into a table if they belong to a generic role for that system. Do you recommend doing something similar to auto add users to eUser if SSO requires a row in there.

Thanks.

Find more posts tagged with

BPM

Comments

Jerome_Pearce

Yes, and Yes.... but:

You can remove the need to use the eUser table completely I think, but I am unsure how. I believe this because there is a registry key asking to not rely on the eUser table or similar. I am sure the documentation must explain, or perhaps it is an unimplemented feature.

Thomas_Prinsloo

In my experience, we've always had to populate the eUser table with the usernames of the domain users and run a daily . weekly sync job to get the users into Metastorm. I'd love to hear if anyone has done if differently, as Jerome suggests, without having to populate users into the eUser table. Specficially in v9.

Brian Mellert

We use SSO but with the authentication method built into the standard/provided SSO script a record is still needed in eUser. If you use another or custom SSO authentication, you could possibly remove the need for an eUser record, but I'd think they'd still be needed for other standard BPM functions. (I could be wrong there though.)

We maintain our eUser and eAssignment tables from our "core users" table via script (i.e. we don't have to maintain eUser and standard/generic eAssignment tables manually) so it definitely can be done.

Kevin Manuel

Through the use of a custom SAP script and dyamic roles you can remove the need for any entries to exist in either eUser or eAssignment tables. This can be done for a prompted authentication or SSO. I have customers that are enabled for SSO login after authenticating from an outside product as well as those that enter credentials in the name/password form that is validated against and outside data source such as an LDAP directory. As Jerome mentioned, there is a registry setting documented in the Administration Guide that changes the default behavior of static roles if needed.

You can also create eUser and eAssignment entries and use them in your SAP. There are various techniques for creating those entries other than the standard administration tools. I have customers that I have setup synchronization routines and others where I enabled the SAP script to create the cached entry as needed. There are advantages to having the eUser entries to be used for things such as email lookups or lists of users but this can also be done by querying an outside source for the data.

These techniques will work for V7 and V9 with the exception of the V9 designer and deployment service. The V9 deployment service currently does not use the Open Authentication model allowing for custom SAP scripts to control authentication. It requires specific entries in the eAssignment table for the role and an eUser entry for the user for either prompted login or SSO to work. The SSO requires that the eUser entry be in the format of domain\user. If you choose to setup authentication in a way that does not use eUser/eAssignment entries you will need to at a minimum maintain the designer users this way to allow them access to the repository.

Maybe the V9 deployment service will be changed in a future release to get its authentication from an engine service using the Open Authentication feature rather than being stand alone so that the same authentication model would apply across the product. For now you will just need to consider both when setting up your authentication method.

Alex Fredricks

Thanks everyone!! And thanks Kevin!

Jack Wong

Thank you everyone for the valuable information.

I'm trying to setup Metastorm BPM 9.0.3 in the way that the users log into web client through SSO (using Windows Authentication) and hoping that we don't need to maintain the eUser and eAssignment tables as they are like a duplicate user database.

I've got the SSO working as well as LDAP dynamic role mapping setup. I wasn't able to open any blank forms because I do not have eUser and eAssignment for the ldap user. I've tried modifying the register HKLM\Software\Metastorm\e-work\Engine\****DisableStaticRoleResolution to 1 so that static roles are not assumed to be in eAssignment, but this didn't resolve the issue.

So entries in eUser and eAssignment seem to be neccessary for some BPM standard function.

I'd like to ask if there's a best practice approach to create the table entry some how.

My idea is to create the eUser and eAssignment entries on the fly within the SAP script during authentication. I'm very new to Metastorm, I'm not sure if there's any side effect with this approach. (potentially on the sync of email address maybe?)

Any feedback will be greated appreciated! Thanks!

Regards,

Jack

Alex Fredricks

Hey Jack,

As far as I know SQL or whatever happens to be your datasource is completely editable outside of Metastorm. I would venture to say that you CAN. In fact I know that I write as much as I can with .NET apps and use Metastorm as the "Core".