Administrator Guide


Proxy Authentication

This chapter describes resource access control using AquaLogic Ensemble proxy authentication. It is divided into the following sections:

 


Authentication Levels

There are two factors that control access to a resource: authentication levels and policies. Before any policy is evaluated for a given resource, the user must first be authenticated with an authenticator that has an authentication level equal to or greater than the authentication level of the resource. If an authentication level does not have an authenticator associated with it, the next higher authenticator is used to authenticate.

Authentication levels range from 0 to 10. An authenticator cannot be assigned level 0; authentication level 0 is reserved for anonymous access. For details on anonymous access, see Configuring Anonymous Access.

An authenticator is a method for authentication. HTML form-based authentication and third-party SSO providers are examples of authenticators.

When a user attempts to access a resource without credentials appropriate for the resource's authentication level, the following happens:

  1. Ensemble evaluates experience rules to determine which experience definition is appropriate for the user.
  2. Ensemble passes the authenticator associated with the experience definition to the authentication stack.
  3. If the authenticator's level is equal to or greater than the resource's authentication level, Ensemble uses the authenticator associated with the experience definition to authenticate the user.
  4. If the authenticator's level is lower than the resource's authentication level, Ensemble uses the authenticator associated with the resource's authentication level.
  5. Once the user is authenticated, Ensemble evaluates the policies for the resource. If one or more policies evaluate to true, the user is granted access to the resource.

For details on experience rules and experience definitions, see Experience Definitions.

For details on policies, see Policies and Rules.
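The selection rule in the steps above, written out as a small Python model. This is an added example, not Ensemble code; the authenticator names (form, siteminder, spnego), their levels, the sample resource and its policy are constructed, and a session is represented as a plain dict whose auth_level is the level of the authenticator the user last completed (0 when the user is anonymous).

```python
"""Model of how Ensemble picks an authenticator and then applies policies.

Added example, not Ensemble code. Authenticator names, levels, resources and
policies below are constructed; level 0 is reserved for anonymous access."""
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Optional

ANONYMOUS_LEVEL = 0
MAX_LEVEL = 10


@dataclass(frozen=True)
class Authenticator:
    name: str
    level: int  # 1..10; an authenticator cannot be assigned level 0


@dataclass
class Resource:
    name: str
    auth_level: int  # 0..10
    policies: List[Callable[[dict], bool]] = field(default_factory=list)


class AuthenticatorRegistry:
    """The configured authenticators: at most one per level, levels 1..10."""

    def __init__(self, authenticators: List[Authenticator]):
        levels = [a.level for a in authenticators]
        if any(not ANONYMOUS_LEVEL < lvl <= MAX_LEVEL for lvl in levels):
            raise ValueError("authenticator levels must be between 1 and 10")
        if len(set(levels)) != len(levels):
            raise ValueError("two authenticators cannot have the same level")
        self._by_level: Dict[int, Authenticator] = {a.level: a for a in authenticators}

    def for_level(self, level: int) -> Optional[Authenticator]:
        """Authenticator assigned to `level`, else the next higher one; None if
        no authenticator exists at or above that level (the resource is unreachable)."""
        if level == ANONYMOUS_LEVEL:
            return None
        for lvl in range(level, MAX_LEVEL + 1):
            if lvl in self._by_level:
                return self._by_level[lvl]
        return None


def select_authenticator(registry: AuthenticatorRegistry, resource: Resource,
                         experience_authenticator: Optional[Authenticator]) -> Optional[Authenticator]:
    """Steps 2-4: the experience definition's authenticator when it is strong enough,
    otherwise the authenticator at (or next above) the resource's level."""
    if resource.auth_level == ANONYMOUS_LEVEL:
        return None
    if experience_authenticator is not None and experience_authenticator.level >= resource.auth_level:
        return experience_authenticator
    return registry.for_level(resource.auth_level)


def access_decision(registry: AuthenticatorRegistry, resource: Resource,
                    experience_authenticator: Optional[Authenticator], session: dict):
    """("authenticate", authenticator) when the session's credentials are too weak for
    the resource; otherwise ("allow", None) or ("deny", None) from step 5, where access
    is granted if one or more policies evaluate to true."""
    if session.get("auth_level", ANONYMOUS_LEVEL) < resource.auth_level:
        return "authenticate", select_authenticator(registry, resource, experience_authenticator)
    granted = any(policy(session) for policy in resource.policies)
    return ("allow" if granted else "deny"), None


# Constructed sample configuration: three authenticators, one level-4 resource.
REGISTRY = AuthenticatorRegistry([Authenticator("form", 2),
                                  Authenticator("siteminder", 5),
                                  Authenticator("spnego", 8)])
INTRANET = Resource("intranet", auth_level=4,
                    policies=[lambda s: s.get("group") == "staff"])
```

With this configuration no authenticator sits at level 4, so a request for INTRANET from an experience definition that uses the level-2 form authenticator is sent to siteminder, the next higher level; an experience definition that uses spnego keeps spnego because it already exceeds the resource's level.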

 


Configuring Authentication Levels

You configure the authentication level associated with an authenticator in the Ensemble Console. You configure each authenticator with a numerical level between 1 and 10. Two authenticators cannot have the same authentication level.

To configure authentication levels:

  1. Launch the Ensemble Console.
  2. Click the PROXY AUTHENTICATION tab.
  3. Select the authentication level from the Level drop-down next to the authenticator you are configuring.
Note: Changing authentication levels for authenticators will not change authentication levels associated with policy sets. The authentication level will remain the same and the authenticator will change.

 


SSO Integration

This section describes how to configure Ensemble to authenticate users with one of the supported third-party SSO systems: Siteminder, COREid, or Active Directory via SPNEGO. The following subsections describe each configuration in detail:

In addition, configuring Ensemble to log users out of an SSO system is described in SSO Logout.

Note: For all SSO integrations, the user name used to authenticate to the SSO software must also exist as an Ensemble user name. To add users to Ensemble, add users to your AquaLogic Interaction installation.

Integrating with Computer Associates SiteMinder

This section provides details about integrating Ensemble with Computer Associates SiteMinder, and is divided into the following sections:

Overview

Configuring Ensemble to authenticate users with SiteMinder involves protecting a special Ensemble resource, sso.aspx, with SiteMinder. Ensemble uses this resource to authenticate a user with SiteMinder when the user attempts to access any resource with an authentication level that requires SiteMinder.

The process flow is as follows:

  1. The user attempts to access a resource proxied by Ensemble.
  2. Ensemble determines the user needs to authenticate with SiteMinder.
  3. Ensemble redirects the user to sso.aspx. Since sso.aspx is protected by SiteMinder, the user is asked to authenticate to SiteMinder.
  4. On successful authentication, the user accesses sso.aspx, which redirects the user to Ensemble marked as authenticated.
  5. Ensemble redirects the user to the resource he initially attempted to access.

The redirects between sso.aspx and Ensemble are transparent to the user. The user experiences attempting to access the resource, being authenticated by SiteMinder, and then accessing the resource.

Configuring Ensemble and SiteMinder

To configure Ensemble for use with SiteMinder, first install sso.aspx and configure SiteMinder to protect it:

  1. Create a virtual directory on IIS and protect it with SiteMinder.
  2. Copy sso.aspx and sso.aspx.cs to the virtual directory you created. There are versions of these files for .NET v1.1 and .NET v2.0. In a default installation, the files are located under the NET v1.1 aspx or NET v2.0 aspx directory in:

    C:\bea\alui\loginserver\1.0\webapp\loginserver\ssointegration\siteminder\

  3. Verify that the files are installed and SiteMinder is correctly configured. Attempt to access sso.aspx via IIS. You are prompted to log into SiteMinder and then are presented with a page of header information. (The result from sso.aspx is not intended to be human-readable.)

Once you have correctly installed sso.aspx, you must configure Ensemble to access sso.aspx via IIS. To configure Ensemble:

  1. Launch the Ensemble Console.
  2. Click the APPLICATIONS tab.
  3. Click the Resources sub-tab.
  4. Click the CA SiteMinder sample login resource.
  5. On the Connections page, edit the Internal URL prefix to point to the location of sso.aspx. For example:

    http://siteminder.company.com:80/ensembleIntegration/

    Do not include the file name sso.aspx.

  6. Retrieve the shared secret key from the AquaLogic Interaction portal database. In the PTSERVERCONFIG table, the shared secret key is VALUE where SETTINGID=65. For example:

    select VALUE from PTSERVERCONFIG where SETTINGID=65;

  7. Update the shared secret key using the Configuration Manager. In the Configuration Manager, browse to ENSEMBLE | SSO Login and update the Shared Key setting.
  8. Restart the BEA ALI Security Service, the BEA AL Ensemble Administrative UI, and the BEA AL Ensemble Proxy.
  9. Verify that the login resource is correctly configured. Create a resource and policy to protect it with your SiteMinder authentication level and configure your experience rules to request SiteMinder authentication when a user accesses the resource.

Integrating with Oracle COREid

This section provides details about integrating Ensemble and Oracle COREid. It is divided into the following sections:

Overview

Configuring Ensemble to authenticate users with COREid involves protecting a special Ensemble resource, sso.aspx, with COREid. Ensemble uses this resource to authenticate a user with COREid when the user attempts to access any resource with an authentication level that requires COREid.

The process flow is as follows:

  1. The user attempts to access a resource proxied by Ensemble.
  2. Ensemble determines that the user needs to authenticate with COREid.
  3. Ensemble redirects the user to sso.aspx. Since sso.aspx is protected by COREid, the user is asked to authenticate to COREid.
  4. On successful authentication, the user accesses sso.aspx, which redirects the user to Ensemble marked as authenticated.
  5. Ensemble redirects the user to the resource he initially attempted to access.

The redirects between sso.aspx and Ensemble are transparent to the user. The user experiences attempting to access the resource, being authenticated by COREid, and then accessing the resource.

Configuring Ensemble and COREid

To configure Ensemble for use with COREid, first install sso.aspx and configure COREid to protect it:

  1. Create a virtual directory on IIS and protect it with COREid.
  2. Copy sso.aspx and sso.aspx.cs to the virtual directory you created. There are versions of these files for .NET v1.1 and .NET v2.0. In a default installation, the files are located under the NET v1.1 aspx or NET v2.0 aspx directory in:

    C:\bea\alui\loginserver\1.0\webapp\loginserver\ssointegration\coreid\

  3. Verify that the files are installed and that COREid is correctly configured. Attempt to access sso.aspx via IIS. You are prompted to log into COREid and then are presented with a page of header information. (The result from sso.aspx is not intended to be human-readable.)

Once you have correctly installed sso.aspx, you must configure Ensemble to access sso.aspx via IIS. To configure Ensemble:

  1. Launch the Ensemble Console.
  2. Click the APPLICATIONS tab.
  3. Click the Resources sub-tab.
  4. Click the Oracle COREid sample login resource.
  5. On the Connections page, edit the Internal URL prefix to point to the location of sso.aspx. For example:

    http://coreid.company.com:80/ensembleIntegration/

    Do not include the file name sso.aspx.

  6. Retrieve the shared secret key from the AquaLogic Interaction portal database. Open the PTSERVERCONFIG table. The shared secret key is VALUE where SETTINGID=65. For example:

    select VALUE from PTSERVERCONFIG where SETTINGID=65;

  7. Add the shared secret key to the Ensemble configuration.xml. On the Ensemble server, configuration.xml is located by default at:

    C:\bea\alui\settings\runner\configuration.xml

    In configuration.xml, verify that the value of the following setting is your shared secret key:

    <setting name="runnersso:ssologin:sharedSecretKey">
    <value xsi:type="xsd:string">[Your shared secret key]</value>
    </setting>

  8. Restart the BEA ALI Security Service, the BEA AL Ensemble Administrative UI, and the BEA AL Ensemble Proxy.
  9. Verify that the login resource is correctly configured. Create a resource and policy to protect it with your COREid authentication level and configure your experience rules to request COREid authentication when the user accesses the resource.

Integrating with Microsoft Active Directory via SPNEGO

Configuring Ensemble for SPNEGO authentication is a complex process involving configuration of the Active Directory server in addition to the creation of Ensemble configuration files and Ensemble configuration within the Ensemble Console.

To complete the Ensemble / SPNEGO integration, complete the instructions of each of the following sub-sections in the order provided:

  1. Configuring Microsoft Active Directory
  2. Configuring the Ensemble Server
  3. Verifying the Ensemble / SPNEGO Integration

Configuring Microsoft Active Directory

Ensemble requires an Active Directory account with which to query the Active Directory. To configure this account:

  1. Create a new Active Directory user. Record the OU because you will need it when configuring Kerberos on the Ensemble server. For example, if the user is in:

    CN=Users,DC=ensemble,DC=mydomain,DC=com

    Ensemble will need to use the ensemble.mydomain.com realm.

  2. Verify that the user account is Kerberos enabled:
    • Turn on Use DES encryption types for this account.
    • Verify that Do not require Kerberos pre-authentication is not selected.
  3. Enable Ensemble to access Active Directory as a service by using the Windows utility setspn to create an SPN for Ensemble. For example:

    setspn -a HTTP/ensembleserver.mydomain.com ensembleuser

    where ensembleserver.mydomain.com is the fully qualified domain name of your Ensemble server, and ensembleuser is the user you just created in Active Directory.

  4. Create a keytab file for the SPN you created using ktab. This file will be used on the Ensemble server to authenticate Ensemble to the Active Directory server. For example:

    ktab -k mykeytab -a HTTP/ensembleserver.fakedomain.com

    will create a keytab file, mykeytab.

  5. Put a backup copy of the keytab file in a secure location. Then copy the keytab file to the Ensemble server.

Configuring the Ensemble Server

To configure the Ensemble server to access Active Directory:

  1. Copy the keytab file you created in Configuring Microsoft Active Directory to a location on your Ensemble server. For example:

    C:\SPNEGO\mykeytab

  2. Create a new text file named jaas.conf. For example:

    C:\SPNEGO\jaas.conf

  3. Copy the following into jaas.conf:

    com.sun.security.jgss.initiate {
    com.sun.security.auth.module.Krb5LoginModule required debug=true
    principal="host/ensembleserver.mydomain.com" useKeyTab=true
    keyTab="c:\\SPNEGO\\mykeytab" storeKey=true;
    };
    com.sun.security.jgss.accept {
    com.sun.security.auth.module.Krb5LoginModule required debug=true
    principal="host/ensembleserver.mydomain.com" useKeyTab=true
    keyTab="c:\\SPNEGO\\mykeytab" storeKey=true;
    };

    where host/ensembleserver.mydomain.com is your SPN and c:\\SPNEGO\\mykeytab is your keytab file.

    Note: Use host/ instead of HTTP/ for the SPN.

  4. Configure the Ensemble Proxy server wrapper.conf to refer to your jaas.conf. By default, the Ensemble Proxy server wrapper.conf is located at:

    C:\bea\alui\ensembleproxy\1.0\settings\config\

    Add the following lines to wrapper.conf, replacing C:\SPNEGO\jaas.conf with the location of your jaas.conf. You must add the lines near the top of the wrapper.conf, in the section titled Additional -D Java Properties. You must number the wrapper.java.additional.# properties consecutively in ascending order, starting with wrapper.java.additional.8. The wrapper.java.additional.8 property will already exist. Add the following lines:

    wrapper.java.additional.9=-Djava.security.auth.login.config=C:\SPNEGO\jaas.conf
    wrapper.java.additional.10=-Djavax.security.auth.useSubjectCredsOnly=false
    wrapper.java.additional.11=-Dsun.security.krb5.debug=true

  5. Create a krb5.ini file in your Windows directory. For example:

    C:\windows\krb5.ini

  6. Copy the following into the krb5.ini file you created:

    [libdefaults]
    udp_preference_limit = 1
    default_realm = ENSEMBLE.MYDOMAIN.COM
    default_tkt_enctypes = des-cbc-crc
    default_tgs_enctypes = des-cbc-crc
    ticket_lifetime = 600
    [realms]
    ENSEMBLE.MYDOMAIN.COM = {
    kdc = ADSERVER.MYDOMAIN.COM
    admin_server = ADSERVER.MYDOMAIN.COM
    default_domain = ENSEMBLE.MYDOMAIN.COM
    }
    [domain_realm]
    .ENSEMBLE.MYDOMAIN.COM = ENSEMBLE.MYDOMAIN.COM
    ENSEMBLE.MYDOMAIN.COM = ENSEMBLE.MYDOMAIN.COM
    [appdefaults]
    autologin = true
    forward = true
    forwardable = true
    encrypt = true

  7. Edit the krb5.ini file so that:
    • ENSEMBLE.MYDOMAIN.COM is the realm (OU) of the server user account you created on your Active Directory server.
    • ADSERVER.MYDOMAIN.COM is the fully qualified domain name of your Active Directory server.
  8. Retrieve the shared secret key from the AquaLogic Interaction portal database. Open the PTSERVERCONFIG table. The shared secret key is VALUE where SETTINGID=65. For example:

    select VALUE from PTSERVERCONFIG where SETTINGID=65;

  9. Add the shared secret key to the Ensemble configuration.xml. On the Ensemble server, configuration.xml is located by default at:

    C:\bea\alui\settings\runner\configuration.xml

    In configuration.xml, ensure the value of the following setting is your shared secret key:

    <setting name="runnersso:ssologin:sharedSecretKey">
    <value xsi:type="xsd:string">[Your shared secret key]</value>
    </setting>

  10. Restart the BEA ALI Security Service, the BEA AL Ensemble Administrative UI, and the BEA AL Ensemble Proxy.

Verifying the Ensemble / SPNEGO Integration

Verify the login resource is correctly configured. Create a resource and policy to protect it with your SPNEGO authentication level and configure your experience rules to request SPNEGO authentication when the user accesses the resource.

Note: For SPNEGO authentication to work from the client side, the user must be logged into Windows in the appropriate Active Directory domain. In addition, Internet Explorer must be configured so that the Ensemble server is in the Local Intranet zone, and integrated Windows authentication must be enabled.
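A consistency check over the three files created in Configuring the Ensemble Server, useful before the verification step because a mismatch between them otherwise surfaces only in the Kerberos debug output. This is an added example and not part of Ensemble. It assumes only that the files have the shapes shown in that procedure. The sample contents are constructed: a jaas.conf as the guide shows it, a krb5.ini with a stray space in [domain_realm] (". ENSEMBLE" instead of ".ENSEMBLE"), and a wrapper.conf excerpt whose numbering skips 10 and whose wrapper.java.additional.8 value is a placeholder. Keytab existence is passed in as a function so the check runs offline.

```python
"""Consistency check for the SPNEGO files created above (jaas.conf, krb5.ini,
wrapper.conf). Added example, not Ensemble code. Samples are constructed and
keytab existence is injected, so it runs offline."""
import re
from typing import Callable, Dict, List


def parse_jaas_conf(text: str) -> Dict[str, Dict[str, str]]:
    """{login-context-name: {option: value}} for each `name { ... };` block."""
    apps = {}
    for name, body in re.findall(r"([\w.]+)\s*\{(.*?)\}\s*;", text, re.S):
        opts = re.findall(r'(\w+)=("[^"]*"|[^\s;]+)', body)
        apps[name] = {k: v.strip('"') for k, v in opts}
    return apps


def parse_krb5_ini(text: str) -> Dict[str, dict]:
    """{section: {key: value}}; `NAME = { ... }` blocks become nested dicts."""
    sections: Dict[str, dict] = {}
    section, block = {}, None  # lines before the first [header] land in a throwaway dict
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        if line.startswith("[") and line.endswith("]"):
            section = sections.setdefault(line[1:-1], {})
        elif line.endswith("{"):
            block = section.setdefault(line[:-1].split("=")[0].strip(), {})
        elif line == "}":
            block = None
        elif "=" in line:
            key, value = (p.strip() for p in line.split("=", 1))
            (section if block is None else block)[key] = value
    return sections


def parse_wrapper_additional(text: str) -> Dict[int, str]:
    """{N: value} for every wrapper.java.additional.N=value line."""
    pairs = re.findall(r"^\s*wrapper\.java\.additional\.(\d+)=(.*)$", text, re.M)
    return {int(n): v.strip() for n, v in pairs}


def check_spnego_config(jaas: str, krb5: str, wrapper: str,
                        keytab_exists: Callable[[str], bool]) -> List[str]:
    """Return findings; an empty list means the three files agree with each other."""
    out: List[str] = []
    apps, ini = parse_jaas_conf(jaas), parse_krb5_ini(krb5)
    realm = ini.get("libdefaults", {}).get("default_realm")
    for ctx in ("com.sun.security.jgss.initiate", "com.sun.security.jgss.accept"):
        opts = apps.get(ctx, {})
        principal = opts.get("principal", "")
        if not principal.startswith("host/"):  # the guide's note: host/, not HTTP/
            out.append(f"jaas.conf: {ctx} principal should start with host/, got {principal!r}")
        if opts.get("useKeyTab") != "true" or "keyTab" not in opts:
            out.append(f"jaas.conf: {ctx} needs useKeyTab=true and keyTab=")
        elif not keytab_exists(opts["keyTab"].replace("\\\\", "\\")):  # JAAS doubles backslashes
            out.append(f"jaas.conf: keytab {opts['keyTab']} not found")
    if "kdc" not in ini.get("realms", {}).get(realm, {}):
        out.append(f"krb5.ini: no [realms] entry with a kdc for default_realm {realm}")
    for key in ini.get("domain_realm", {}):
        if re.search(r"\s", key):  # ". REALM" instead of ".REALM" breaks the mapping
            out.append(f"krb5.ini: [domain_realm] key {key!r} contains whitespace")
    props = parse_wrapper_additional(wrapper)
    gaps = [n for n in range(min(props), max(props) + 1) if n not in props] if props else []
    if gaps:
        out.append(f"wrapper.conf: wrapper.java.additional numbering skips {gaps}")
    for flag in ("-Djava.security.auth.login.config=",
                 "-Djavax.security.auth.useSubjectCredsOnly=false"):
        if not any(v.startswith(flag) for v in props.values()):
            out.append(f"wrapper.conf: no wrapper.java.additional.N={flag} line")
    return out


# Constructed samples: jaas.conf as the guide shows; krb5.ini with a stray space in
# [domain_realm]; wrapper.conf skipping number 10 (the .8 value is a placeholder).
SAMPLE_JAAS = r"""com.sun.security.jgss.initiate {
  com.sun.security.auth.module.Krb5LoginModule required debug=true
  principal="host/ensembleserver.mydomain.com" useKeyTab=true keyTab="c:\\SPNEGO\\mykeytab" storeKey=true;
};
com.sun.security.jgss.accept {
  com.sun.security.auth.module.Krb5LoginModule required debug=true
  principal="host/ensembleserver.mydomain.com" useKeyTab=true keyTab="c:\\SPNEGO\\mykeytab" storeKey=true;
};
"""
SAMPLE_KRB5 = """[libdefaults]
default_realm = ENSEMBLE.MYDOMAIN.COM
default_tkt_enctypes = des-cbc-crc
[realms]
ENSEMBLE.MYDOMAIN.COM = {
  kdc = ADSERVER.MYDOMAIN.COM
}
[domain_realm]
. ENSEMBLE.MYDOMAIN.COM = ENSEMBLE.MYDOMAIN.COM
ENSEMBLE.MYDOMAIN.COM = ENSEMBLE.MYDOMAIN.COM
"""
SAMPLE_WRAPPER = r"""# Additional -D Java Properties (constructed excerpt)
wrapper.java.additional.8=-Dplaceholder.existing.property=true
wrapper.java.additional.9=-Djava.security.auth.login.config=C:\SPNEGO\jaas.conf
wrapper.java.additional.11=-Djavax.security.auth.useSubjectCredsOnly=false
wrapper.java.additional.12=-Dsun.security.krb5.debug=true
"""


def keytab_exists(path: str) -> bool:
    """Stand-in for os.path.exists so the example is self-contained."""
    return path.lower() == r"c:\spnego\mykeytab"


def demo() -> List[str]:
    return check_spnego_config(SAMPLE_JAAS, SAMPLE_KRB5, SAMPLE_WRAPPER, keytab_exists)
```

Against the samples, demo() reports the whitespace in the [domain_realm] key and the gap at wrapper.java.additional.10, and nothing else. To run it on a real server, read the three files with open() and pass os.path.exists as the last argument; once the findings list is empty, proceed to the verification resource and policy above.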

SSO Logout

A user may be accessing multiple resources under a single SSO authentication. When a user logs out of an Ensemble proxied resource, Ensemble can prompt the user to log out of only that application or all applications.

For Ensemble to capture logout attempts, you must configure one or more internal logout patterns for each resource. To configure SSO log out patterns:

  1. Launch the Ensemble Console.
  2. Click the APPLICATIONS tab.
  3. Click the Resources sub-tab.
  4. Click the name of the resource you want to edit.
  5. On the SSO Log Out Settings page, type the regular expression pattern that matches your log out page into the Internal log out URL patterns box.
  6. To add more patterns, click Add.
  7. To delete patterns, click Delete.
  8. When you are done configuring SSO Log Out Settings, click Save.
