This chapter describes resource access control using AquaLogic Ensemble proxy authentication. It is divided into the following sections:
There are two factors that control access to a resource: authentication levels and policies. Before any policy is evaluated for a given resource, the user must first be authenticated with an authenticator that has an authentication level equal to or greater than the authentication level of the resource. If an authentication level does not have an authenticator associated with it, the next higher authenticator is used to authenticate.
Authentication levels range from 0 to 10. An authenticator cannot be assigned level 0; authentication level 0 is reserved for anonymous access. For details on anonymous access, see Configuring Anonymous Access.
An authenticator is a method for authentication. HTML form-based authentication and third-party SSO providers are examples of authenticators.
When a user attempts to access a resource without credentials appropriate for the resource's authentication level, the following happens:
If the user's current authentication level is lower than the resource's authentication level, Ensemble redirects the user to the authenticator associated with the resource's authentication level (or, if no authenticator is assigned to that level, to the next higher one). Only after the user has authenticated at a sufficient level are the resource's policies evaluated.
For details on experience rules and experience definitions, see Experience Definitions.
For details on policies, see Policies and Rules.
You configure the authentication level associated with each authenticator in the Ensemble Console. Each authenticator is assigned a numerical level between 1 and 10, and no two authenticators can have the same authentication level.
To configure authentication levels:
Note: Changing authentication levels for authenticators will not change authentication levels associated with policy sets. The authentication level will remain the same and the authenticator will change.
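The level rules above (levels 1 to 10 with 0 reserved for anonymous access, one authenticator per level, next-higher fallback for unassigned levels, and the effect of moving an authenticator while resources keep their numeric level) as an added worked model. This is an illustration written for this page, not Ensemble code; the class and method names (AuthLevelTable, register, move, authenticator_for, access_decision) are hypothetical, and the three authenticators registered at the bottom are constructed sample data.

```python
"""Worked model of Ensemble authentication levels and authenticator
selection. Added illustration for this page, not Ensemble code; the class and
method names are hypothetical, the rules are the ones stated in the text."""
from typing import Dict, Optional

ANONYMOUS_LEVEL = 0          # reserved; no authenticator may be assigned it
MIN_LEVEL, MAX_LEVEL = 1, 10


class AuthLevelTable:
    """Maps authentication levels to authenticators (hypothetical name)."""

    def __init__(self) -> None:
        self._by_level: Dict[int, str] = {}

    def register(self, authenticator: str, level: int) -> None:
        """Assign a level 1..10 to an authenticator; levels are unique."""
        if not MIN_LEVEL <= level <= MAX_LEVEL:
            raise ValueError(f"level {level} outside {MIN_LEVEL}..{MAX_LEVEL}")
        if level in self._by_level:
            raise ValueError(f"level {level} already used by {self._by_level[level]}")
        if authenticator in self._by_level.values():
            raise ValueError(f"{authenticator} already has a level")
        self._by_level[level] = authenticator

    def move(self, authenticator: str, new_level: int) -> None:
        """Change an authenticator's level. Resources and policy sets keep
        their numeric level, so a resource may now resolve to a different
        authenticator (the behaviour the Note above describes)."""
        old = next((l for l, a in self._by_level.items() if a == authenticator), None)
        if old is None:
            raise KeyError(f"{authenticator} is not registered")
        if not MIN_LEVEL <= new_level <= MAX_LEVEL:
            raise ValueError(f"level {new_level} outside {MIN_LEVEL}..{MAX_LEVEL}")
        if new_level != old and new_level in self._by_level:
            raise ValueError(f"level {new_level} already used")
        del self._by_level[old]
        self._by_level[new_level] = authenticator

    def authenticator_for(self, resource_level: int) -> Optional[str]:
        """Authenticator that satisfies a resource level: the one at that
        level, else the next higher one. Returns None for level 0 (anonymous);
        raises LookupError if no authenticator is strong enough."""
        if resource_level == ANONYMOUS_LEVEL:
            return None
        higher = sorted(l for l in self._by_level if l >= resource_level)
        if not higher:
            raise LookupError(f"no authenticator at level >= {resource_level}")
        return self._by_level[higher[0]]

    def access_decision(self, user_level: int, resource_level: int) -> str:
        """What happens before any policy is evaluated: 'allow' (level is
        sufficient, policies run next), 'step-up:<authenticator>' (the user
        must re-authenticate with a stronger authenticator), or 'deny'
        (no configured authenticator can reach the resource's level)."""
        if user_level >= resource_level:
            return "allow"
        try:
            return f"step-up:{self.authenticator_for(resource_level)}"
        except LookupError:
            return "deny"


if __name__ == "__main__":
    table = AuthLevelTable()               # constructed sample data
    table.register("form", 3)              # HTML form login
    table.register("SiteMinder", 6)        # third-party SSO
    table.register("SPNEGO", 8)            # Active Directory via SPNEGO
    print(table.access_decision(0, 5))     # anonymous user, level-5 resource
    table.move("SiteMinder", 9)
    print(table.access_decision(0, 5))     # level 5 now resolves to SPNEGO
```

Moving SiteMinder from level 6 to 9 leaves the level-5 resource at level 5, so it now falls through to SPNEGO at level 8; that is the silent change the Note warns about, and it is worth re-checking every policy set after re-levelling an authenticator.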
This section describes how to configure Ensemble to authenticate users with one of the supported third-party SSO systems: SiteMinder, COREid, or Active Directory via SPNEGO. The following subsections describe each configuration in detail:
In addition, configuring Ensemble to log users out of an SSO system is described in SSO Logout.
Note: For all SSO integrations, the user name used to authenticate to the SSO software must also exist as an Ensemble user name. To add users to Ensemble, add users to your AquaLogic Interaction installation.
This section provides details about integrating Ensemble with Computer Associates SiteMinder, and is divided into the following sections:
Configuring Ensemble to authenticate users with SiteMinder involves protecting a special Ensemble resource, sso.aspx, with SiteMinder. Ensemble uses this resource to authenticate a user with SiteMinder when the user attempts to access any resource with an authentication level that requires SiteMinder.
The process flow is as follows:
The redirects between sso.aspx and Ensemble are transparent to the user. The user experiences attempting to access the resource, being authenticated by SiteMinder, and then accessing the resource.
To configure Ensemble for use with SiteMinder, first install sso.aspx and configure SiteMinder to protect it:
C:\bea\alui\loginserver\1.0\webapp\loginserver\ssointegration\siteminder\
Once you have correctly installed sso.aspx, you must configure Ensemble to access sso.aspx via IIS. To configure Ensemble:
http://siteminder.company.com:80/ensembleIntegration/
Do not include the file name sso.aspx.
select VALUE from PTSERVERCONFIG where SETTINGID=65;
This section provides details about integrating Ensemble and Oracle COREid. It is divided into the following sections:
Configuring Ensemble to authenticate users with COREid involves protecting a special Ensemble resource, sso.aspx, with COREid. Ensemble uses this resource to authenticate a user with COREid when the user attempts to access any resource with an authentication level that requires COREid.
The process flow is as follows:
The redirects between sso.aspx and Ensemble are transparent to the user. The user experiences attempting to access the resource, being authenticated by COREid, and then accessing the resource.
To configure Ensemble for use with COREid, first install sso.aspx and configure COREid to protect it:
C:\bea\alui\loginserver\1.0\webapp\loginserver\ssointegration\coreid\
Once you have correctly installed sso.aspx, you must configure Ensemble to access sso.aspx via IIS. To configure Ensemble:
http://coreid.company.com:80/ensembleIntegration/
Do not include the file name sso.aspx.
select VALUE from PTSERVERCONFIG where SETTINGID=65;
C:\bea\alui\settings\runner\configuration.xml
In configuration.xml, verify that the value of the following setting is your shared secret key:
<setting name="runnersso:ssologin:sharedSecretKey">
<value xsi:type="xsd:string">[Your shared secret key]</value>
</setting>
Configuring Ensemble for SPNEGO authentication is a complex process involving configuration of the Active Directory server in addition to the creation of Ensemble configuration files and Ensemble configuration within the Ensemble Console.
To complete the Ensemble / SPNEGO integration, complete the instructions of each of the following sub-sections in the order provided:
Ensemble requires an Active Directory account with which to query the Active Directory. To configure this account:
CN=Users,DC=ensemble,DC=mydomain,DC=com
Ensemble will need to use the ENSEMBLE.MYDOMAIN.COM realm (the Kerberos realm name is the Active Directory domain name, ensemble.mydomain.com, in upper case).
setspn -a HTTP/ensembleserver.mydomain.com ensembleuser
where ensembleserver.mydomain.com is the fully qualified domain name of your Ensemble server, and ensembleuser is the user you just created in Active Directory.
ktab -k mykeytab -a HTTP/ensembleserver.mydomain.com
will create a keytab file, mykeytab, holding the key for the SPN you registered above; ktab prompts for the ensembleuser account password when none is given on the command line. Protect this file: anyone who can read it holds the service's long-term key.
To configure the Ensemble server to access Active Directory:
com.sun.security.jgss.initiate {
com.sun.security.auth.module.Krb5LoginModule required debug=true
principal="host/ensembleserver.mydomain.com" useKeyTab=true
keyTab="c:\\SPNEGO\\mykeytab" storeKey=true;
};
com.sun.security.jgss.accept {
com.sun.security.auth.module.Krb5LoginModule required debug=true
principal="host/ensembleserver.mydomain.com" useKeyTab=true
keyTab="c:\\SPNEGO\\mykeytab" storeKey=true;
};
where host/ensembleserver.mydomain.com is your SPN and c:\\SPNEGO\\mykeytab is your keytab file (backslashes in the path are doubled because the value is a Java string). The principal named in jaas.conf must be one of the principals stored in the keytab, or the Krb5LoginModule cannot obtain its key; list the keytab's principals with ktab -l -k mykeytab to confirm.
Note: Use host/ instead of HTTP/ for the SPN.
C:\bea\alui\ensembleproxy\1.0\settings\config\
Add the following lines to wrapper.conf, replacing C:\SPNEGO\jaas.conf with the location of your jaas.conf. Add them near the top of wrapper.conf, in the section titled Additional -D Java Properties. The wrapper.java.additional.# properties must be numbered consecutively in ascending order; wrapper.java.additional.8 already exists, so the new lines continue from 9:
wrapper.java.additional.9=-Djava.security.auth.login.config=C:\SPNEGO\jaas.conf
wrapper.java.additional.10=-Djavax.security.auth.useSubjectCredsOnly=false
wrapper.java.additional.11=-Dsun.security.krb5.debug=true
[libdefaults]
udp_preference_limit = 1
default_realm = ENSEMBLE.MYDOMAIN.COM
default_tkt_enctypes = des-cbc-crc
default_tgs_enctypes = des-cbc-crc
ticket_lifetime = 600
[realms]
ENSEMBLE.MYDOMAIN.COM = {
kdc = ADSERVER.MYDOMAIN.COM
admin_server = ADSERVER.MYDOMAIN.COM
default_domain = ENSEMBLE.MYDOMAIN.COM
}
[domain_realm]
.ENSEMBLE.MYDOMAIN.COM = ENSEMBLE.MYDOMAIN.COM
ENSEMBLE.MYDOMAIN.COM = ENSEMBLE.MYDOMAIN.COM
[appdefaults]
autologin = true
forward = true
forwardable = true
encrypt = true
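A check for the krb5.ini above, as an added example written for this page (it is not an Ensemble, Java or MIT Kerberos tool, and the function names parse_krb5 and check_krb5 are hypothetical). It parses the file, including the brace-delimited realm block, and reports the mistakes that most often break a SPNEGO login (default_realm without a matching [realms] entry, a realm without a kdc, a [domain_realm] mapping to an unknown realm) as well as the weak enctype choice: des-cbc-crc is single DES, which current Active Directory domain controllers disable by default and current JDKs refuse unless allow_weak_crypto = true. The embedded sample is constructed from the fragment above, with the [domain_realm] entries written as .ENSEMBLE.MYDOMAIN.COM and ENSEMBLE.MYDOMAIN.COM.

```python
"""Parse a krb5.ini and check it for settings that break or weaken SPNEGO.
Added example for this page, not an Ensemble, Java or MIT Kerberos tool;
function names are hypothetical and the sample configuration is constructed."""
import re
from typing import Dict, List

# Single-DES enctypes: disabled by default on current Active Directory domain
# controllers and refused by current JDKs unless allow_weak_crypto = true.
WEAK_ENCTYPES = {"des-cbc-crc", "des-cbc-md5", "des-cbc-md4"}
DEPRECATED_ENCTYPES = {"rc4-hmac", "arcfour-hmac", "arcfour-hmac-md5"}
ENCTYPE_KEYS = ("default_tkt_enctypes", "default_tgs_enctypes", "permitted_enctypes")

# Constructed sample, following the fragment on this page.
SAMPLE_KRB5_INI = """\
[libdefaults]
udp_preference_limit = 1
default_realm = ENSEMBLE.MYDOMAIN.COM
default_tkt_enctypes = des-cbc-crc
default_tgs_enctypes = des-cbc-crc
ticket_lifetime = 600
[realms]
ENSEMBLE.MYDOMAIN.COM = {
kdc = ADSERVER.MYDOMAIN.COM
admin_server = ADSERVER.MYDOMAIN.COM
default_domain = ENSEMBLE.MYDOMAIN.COM
}
[domain_realm]
.ENSEMBLE.MYDOMAIN.COM = ENSEMBLE.MYDOMAIN.COM
ENSEMBLE.MYDOMAIN.COM = ENSEMBLE.MYDOMAIN.COM
[appdefaults]
autologin = true
forward = true
forwardable = true
encrypt = true
"""

Section = Dict[str, object]


def parse_krb5(text: str) -> Dict[str, Section]:
    """Minimal krb5.ini parser: [section] headers, key = value lines and the
    brace-delimited subsections used under [realms]. Comments (# or ;) are
    stripped. Returns {section: {key: value-or-subsection}}."""
    sections: Dict[str, Section] = {}
    stack: List[Section] = []          # innermost open block is stack[-1]
    for raw in text.splitlines():
        line = re.split(r"[#;]", raw, maxsplit=1)[0].strip()
        if not line:
            continue
        header = re.match(r"^\[(\w+)\]$", line)
        if header:
            stack = [sections.setdefault(header.group(1), {})]
            continue
        if not stack:
            raise ValueError(f"setting outside any section: {raw!r}")
        if line == "}":
            if len(stack) == 1:
                raise ValueError("unbalanced '}'")
            stack.pop()
            continue
        if line.endswith("{"):         # e.g. "ENSEMBLE.MYDOMAIN.COM = {"
            name = line[:-1].strip().rstrip("=").strip()
            sub: Section = {}
            stack[-1][name] = sub
            stack.append(sub)
            continue
        key, sep, value = line.partition("=")
        if not sep:
            raise ValueError(f"cannot parse line: {raw!r}")
        stack[-1][key.strip()] = value.strip()
    return sections


def check_krb5(cfg: Dict[str, Section]) -> List[str]:
    """Return human-readable findings; an empty list means nothing to fix."""
    findings: List[str] = []
    lib = cfg.get("libdefaults", {})
    realms = cfg.get("realms", {})
    realm = str(lib.get("default_realm", ""))
    if not realm:
        findings.append("libdefaults: default_realm is missing")
    else:
        if realm != realm.upper():
            findings.append(f"libdefaults: realm {realm} should be upper case")
        if realm not in realms:
            findings.append(f"realms: no entry for default_realm {realm}")
    for name, entry in realms.items():
        if not isinstance(entry, dict) or "kdc" not in entry:
            findings.append(f"realms: {name} does not name a kdc")
    for domain, target in cfg.get("domain_realm", {}).items():
        if target not in realms:
            findings.append(f"domain_realm: {domain} maps to unknown realm {target}")
    for key in ENCTYPE_KEYS:
        for enctype in str(lib.get(key, "")).split():
            if enctype.lower() in WEAK_ENCTYPES:
                findings.append(f"libdefaults: {key} uses single-DES type {enctype}; "
                                "prefer aes256-cts-hmac-sha1-96")
            elif enctype.lower() in DEPRECATED_ENCTYPES:
                findings.append(f"libdefaults: {key} uses deprecated type {enctype}")
    return findings


if __name__ == "__main__":
    for finding in check_krb5(parse_krb5(SAMPLE_KRB5_INI)):
        print(finding)
```

Run against the sample, the only findings are the two des-cbc-crc lines; if you switch the enctypes to AES, the Active Directory account used for the SPN must also be allowed AES (the account's supported encryption types) and the keytab must be regenerated, since the key stored by ktab is derived for the enctype in use.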
select VALUE from PTSERVERCONFIG where SETTINGID=65;
C:\bea\alui\settings\runner\configuration.xml
In configuration.xml, ensure the value of the following setting is your shared secret key:
<setting name="runnersso:ssologin:sharedSecretKey">
<value xsi:type="xsd:string">[Your shared secret key]</value>
</setting>
Verify the login resource is correctly configured. Create a resource and policy to protect it with your SPNEGO authentication level and configure your experience rules to request SPNEGO authentication when the user accesses the resource.
Note: For SPNEGO authentication to work from the client side, the user must be logged into Windows into the appropriate Active Directory domain. In addition, Internet Explorer must be configured so that the Ensemble server is in the Local Intranet zone and integrated Windows authentication must be enabled.
A user may be accessing multiple resources under a single SSO authentication. When a user logs out of an Ensemble proxied resource, Ensemble can prompt the user to log out of only that application or all applications.
For Ensemble to capture logout attempts, you must configure one or more internal logout patterns for each resource. To configure SSO logout patterns: