
Sun Java System Communications Express 6 2005Q1 Administration Guide 

Chapter 4
Implementing Single Sign-On

Single Sign-On allows an end user to authenticate once and use multiple applications without re-authenticating. For example, you can log in to Communications Express and use the calendar and mail applications without authenticating again, provided single sign-on is enabled in the calendar and mail applications. In Communications Express you can perform two types of Single Sign-On: Identity Server Single Sign-On and Messaging Single Sign-On.

This chapter contains the following sections: Setting up Identity Server Single Sign-On, and Setting up Messaging Single Sign-On.


Setting up Identity Server Single Sign-On

This section provides information on how to set up Communications Express and Messenger Express to communicate with each other using Identity Server Single Sign-On.

If you have chosen to adopt Sun Java System LDAP Schema, v.2 as the schema model, you need to enable Identity Server in Communications Express to use Identity Server’s Single Sign-On mechanism to obtain valid user sessions.

To enable Communications Express users to access the mail module rendered by Messenger Express using Identity Server Single Sign-On, you need to modify the Messenger Express specific parameters using the configutil tool located at msg-svr_install_root/sbin/configutil. It is important to explicitly set the Messenger Express specific parameters after installation, as the installer does not set these parameters. For more information on using the configutil tool, refer to Chapter 3, Configuring General Messaging Capabilities, of the Sun Java System Messaging Server Administration Guide at http://docs.sun.com/doc/817-6266-10.

When setting up Identity Server Single Sign-On, Communications Express and Identity Server can be deployed in both SSL and non-SSL modes, in the same web container instance or in different web container instances. When Identity Server and Communications Express are deployed in different web container instances, you need to configure the Identity Server Remote SDK on the system where Communications Express is deployed. Listed below are the deployment scenarios for Identity Server and Communications Express deployed in different web container instances in both SSL and non-SSL modes.

    To Enable Single Sign-On in Communications Express With Identity Server
  1. Open the uwc-deployed-path/WEB-INF/config/uwcauth.properties file.
  2. Modify the following Communications Express parameters in the uwcauth.properties file to enable Identity Server SSO (each parameter is followed by its purpose):

    uwcauth.identity.enabled
        Specifies whether Identity Server is enabled. The initial value is set by the configurator. Set the attribute to true to enable Identity Server, or to false to disable it.

    uwcauth.identity.login.url
        Specifies the Identity Server login URL.
        For example, uwcauth.identity.login.url=http://siroe.example.com:85/amserver/UI/login

    uwcauth.identity.cookiename
        Specifies the cookie name used by Identity Server. The value of uwcauth.identity.cookiename should correspond to the value specified in the Identity Server configurator. The default cookie name used by Identity Server is iPlanetDirectoryPro.

    uwcauth.identity.binddn
        Specifies the complete DN of the amadmin user.
        For example, uid=amAdmin, ou=People, o=siroe.example.com, o=example.com
        Note: The uwcauth.identity.binddn and uwcauth.identity.bindcred values should correspond to the values entered when installing Identity Server. For example, uwcauth.identity.binddn=uid=amAdmin, ou=People, o=siroe.example.com, o=example.com and uwcauth.identity.bindcred=password.

    uwcauth.identity.bindcred
        Specifies the password of the amadmin user.

    uwcauth.http.port
        Specifies the port number that Communications Express listens on when it is configured on a non-SSL port. The default port number is 80.

    uwcauth.https.port
        Specifies the HTTPS port number that Communications Express listens on when it is configured on an SSL port. The default HTTPS port number is 443.

    identitysso.singlesignoff
        Specifies the single sign-off status. If set to true, logout destroys the Identity Server session completely and all applications participating in that Identity Server session are signed out. If set to false, only the Communications Express session is destroyed and the user is taken to the URL configured in identitysso.portalurl. The default status is true.

    identitysso.portalurl
        Specifies the URL to which Communications Express is redirected. If Identity Server is enabled and single sign-off is set to false, Communications Express is redirected to the URL assigned to identitysso.portalurl. By default Communications Express is redirected to http://www.sun.com.

  3. Set the value of the parameter uwcauth.messagingsso.enable to false when setting up Communications Express for Identity Server Single Sign-On.
  4. Communications Express will now use the Identity Server’s Single Sign-On mechanism for obtaining valid user sessions.

    To Deploy Identity Server and Communications Express in the Same Web Container Instance
  1. Open the IS-SDK-BASEDIR/lib/AMConfig.properties file (for example, /opt/SUNWam/lib/AMConfig.properties).
  2. Make sure the following property is set in the AMConfig.properties file:

     com.iplanet.am.jssproxy.trustAllServerCerts=true

  3. Restart the web container for the changes to take effect.
  4. Identity Server and Communications Express deployed in the same web container instance in SSL mode can now use the Identity Server’s Single Sign-On mechanism for obtaining valid user sessions.

    To Deploy Identity Server and Communications Express in Different Web Container Instances
  1. Change to the IS-INSTALL-DIR/bin directory.
  2. Copy the Identity Server IS-INSTALL-DIR/bin/amsamplesilent file:

     cp amsamplesilent amsamplesilent.uwc

  3. Edit the copy of amsamplesilent created in the previous step and set the parameters to correspond to the deployment details.

     If you are deploying the Identity Server SDK in a web container, such as Sun Java System Web Server or Sun Java System Application Server, set DEPLOY_LEVEL to 4, that is, select the option “SDK only with container config.”

  4. Set AM_ENC_PWD to the value of the password encryption key used during the installation of Identity Server. The encryption key is stored in the parameter am.encryption.pwd under:

     ${IS_INSTALL_DIR}/lib/AMConfig.properties

  5. Set NEW_INSTANCE to true.
  6. If you are deploying the Identity Server SDK in Sun Java System Web Server, set WEB_CONTAINER to WS6. If you are deploying the Identity Server SDK in Sun Java System Application Server, set WEB_CONTAINER to AS7 or AS8.

     For a more detailed description of the other parameters in the amsamplesilent file, and for help configuring the Identity Server Remote SDK parameters, refer to the Sun Java System Identity Server Administration Guide at http://docs.sun.com/source/817-5709/ConfigScripts.html

  7. Configure the Identity Server SDK in the web container. First make sure that the directory server used by Identity Server is running.
  8. Start the web container instance in which the Identity Server SDK will be deployed.
  9. Change directory to IS-INSTALL-DIR/bin and run the following command:

     ./amconfig -s amsamplesilent.uwc

  10. Restart the web container instance for the configuration to take effect.
  11. Identity Server and Communications Express deployed in different web container instances, in SSL or non-SSL mode, will now use the Identity Server’s Single Sign-On mechanism for obtaining valid user sessions.


Note

Refer to Appendix A for instructions on enabling or disabling Identity Server after deploying Communications Express.


    To Enable Single Sign-On in Messenger Express With Identity Server
  1. Run the configutil tool:

     msg-svr_install_root/sbin/configutil

  2. Set the following Messenger Express parameters to enable Communications Express users to access Messenger Express using Identity Server Single Sign-On (each parameter is followed by its purpose):

    local.webmail.sso.amnamingurl
        Enables SSO from Identity Server. The parameter should point to the URL at which Identity Server runs the naming service.
        For example, configutil -o local.webmail.sso.amnamingurl -v http://siroe.example.com:85/amserver/namingservice

    local.webmail.sso.uwcenabled
        Enables Communications Express to access Messenger Express. To disable, set the parameter to 0.

    local.webmail.sso.uwclogouturl
        Specifies the URL Messenger Express uses to invalidate the Communications Express session. If you have configured local.webmail.sso.uwclogouturl explicitly in Messenger Express, that value is used to log out. Otherwise, Messenger Express constructs the logout URL from the HTTP Host header of the request.
        For example, http://siroe.example.com:85/base/UWCMain?op=logout
        When Communications Express is not deployed under /, such as under /uwc, the value of this parameter may look like http://siroe.example.com:85/uwc/base/UWCMain?op=logout

    local.webmail.sso.uwcport
        Specifies the Communications Express port. For example, 85.

    local.webmail.sso.uwccontexturi
        Specifies the path in which Communications Express is deployed. Specify this parameter only when Communications Express is not deployed under /. For example, if Communications Express is deployed in /uwc, local.webmail.sso.uwccontexturi=uwc

    local.webmail.sso.amcookiename
        Specifies the Identity Server session cookie name. Ensure that in the uwcauth.properties file the value of uwcauth.identity.cookiename is set to the value of local.webmail.sso.amcookiename. For example, iPlanetDirectoryPro

    local.webmail.sso.uwchome
        Specifies the URL required to access the home link.

    Once the Messenger Express specific parameters are set, Communications Express users can access Messenger Express using Identity Server Single Sign-On.


Setting up Messaging Single Sign-On

This section explains how to set up Communications Express with Messaging Single Sign-On. If you have chosen to adopt Sun Java System LDAP Schema, v.1 as the schema model, you need to enable Messaging SSO in Communications Express to use the Messaging Single Sign-On mechanism for authentication.

When configuring Communications Express, the configuration wizard does not set any of the mandatory SSO related parameters. You need to manually set the required parameters as explained below. Also, note that Messaging SSO does not support virtual domains and Messenger Express will not run in SSL mode when Messaging SSO is enabled.

If you have deployed Messenger Express as MEM, ensure that the values of the following parameters in Messaging Server are the same at the backend and the frontend:

    To Enable Communications Express Using Messaging SSO
  1. Open the uwc-deployed-path/WEB-INF/config/uwcauth.properties file.
  2. Modify the following mail-specific parameters in the uwcauth.properties file to enable Communications Express to access Messenger Express (each parameter is followed by its purpose):

    uwcauth.appprefix
        Specifies the prefix used to find cookies generated by other trusted applications during single sign-on. If the deployment uses Messaging SSO, this attribute should be assigned the value of local.webmail.sso.prefix set during messaging configuration. The default value is iPlanetDirectoryPro.

    uwcauth.appid
        Specifies the application ID for Communications Express. The default value is uwc.

    uwcauth.cookiedomain
        Specifies the domain name saved as part of the single sign-on cookie.

    uwcauth.messagingsso.enable
        Enables or disables messaging single sign-on functionality. Set this parameter to true to enable single sign-on and to false to disable it. Also, make sure that uwcauth.messagingsso.enable is set to false when setting up Communications Express for Identity Server Single Sign-On. The default value is true.

    uwcauth.messagingsso.cookiepath
        Specifies the URI path for which the single sign-on cookie is saved. The default value is /.

    messagingsso.xxx.url
        Specifies the URL used to verify the SSO cookie. The value of xxx should be replaced by the application ID of the server. For example, if you want to enable SSO with a Messaging Server whose application ID is “msg60”, you need to add the following configuration parameter:
        messagingsso.msg60.url=http://servername/VerifySSO?
        The value of xxx should be identical to the value assigned in Messenger Express local.webmail.sso.id. The default value is http://servername/VerifySSO?

    messagingsso.uwc.url
        When Communications Express is not deployed under /, such as under /uwc, the value of the parameter may look like http://servername:85/uwc/VerifySSO?

    messagingsso.appid
        Specifies the Messaging Server application ID. The value of messagingsso.appid should be the same as the local.webmail.sso.id set during Messaging Server configuration. The default value is ims.

    messagingsso.ipsecurity
        Determines whether or not to restrict session access to the login IP address. If set to true, when the user logs in the server remembers which IP address the user used to log in, and then allows only that IP address to use the session cookie it issues to the user while establishing SSO with Messaging Server. If set to false, Communications Express does not perform this IP address check to restrict access to the session. The default value is true.

    Once the parameters are set in the uwc-deployed-path/WEB-INF/config/uwcauth.properties file, Communications Express users will be able to access Messenger Express using the Messaging Single Sign-On mechanism for authentication.

    To Enable Messenger Express Using Messaging SSO
  1. Run the configutil tool:

     msg-svr_install_root/sbin/configutil

  2. Set the following mail-specific parameters using the configutil tool (each parameter is followed by its purpose):

    local.sso.<uwc-appid>.verifyurl
        When Communications Express is not deployed under /, such as under /uwc, the default value of the parameter may look like http://siroe.example.com:85/uwc/VerifySSO?

    local.webmail.sso.id
        Specifies the value that is used to identify Messenger Express to other applications.

    local.webmail.sso.cookiedomain
        The string value of this parameter is used by the Messenger Express HTTP server to set the cookie domain value of the SSO cookie. The value must begin with a period (.), for example “.example.com” when the fully qualified hostname is siroe.example.com. Ensure that the value specified for this parameter is the same as that entered for uwcauth.cookiedomain.

    local.webmail.sso.enable
        Enables or disables Messaging single sign-on functionality. Set the value to 0 to disable Messaging single sign-on functionality.

    local.webmail.sso.prefix
        Specifies the prefix used to find cookies generated by other trusted applications for SSO. Ensure this value corresponds to the value entered for uwcauth.appprefix.

    local.webmail.sso.singlesignoff
        If set to 1, when the user logs out the server removes all single sign-on cookies for the user matching the value of local.webmail.sso.prefix. If set to 0, the server removes only its own single sign-on user cookie.

    local.webmail.sso.uwcenabled
        Enables or disables Messenger Express access from Communications Express. Set to 1 to enable Messenger Express access from Communications Express, or to 0 to disable it.

    local.webmail.sso.uwclogouturl
        Specifies the URL used by Messenger Express to invalidate the Communications Express session. If you have configured local.webmail.sso.uwclogouturl explicitly in Messenger Express, that value is used to log out. Otherwise, Messenger Express constructs the logout URL from the HTTP Host header of the request.
        For example, http://siroe.example.com:85/base/UWCMain?op=logout
        When Communications Express is not deployed under /, such as under /uwc, the default value of the parameter may look like http://siroe.example.com:85/uwc/base/UWCMain?op=logout

    local.webmail.sso.uwcport
        Specifies the Communications Express port. For example, 85.

    local.webmail.sso.uwccontexturi
        Specifies the path in which Communications Express is deployed. Specify this parameter only when Communications Express is not deployed under /. For example, if Communications Express is deployed in /uwc, local.webmail.sso.uwccontexturi=uwc

    local.webmail.sso.uwchome
        Specifies the URL required to access the home link. For example, http://www.sun.com

    local.webmail.sso.ims.verifyurl
        Specifies the URL used to verify the SSO cookie. For example, http://siroe.example.com/VerifySSO? Here it is assumed that webmail is deployed on port 80.

Communications Express users will now be able to access Messenger Express using the Messaging Single Sign-On mechanism for authentication.
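Both procedures in this chapter depend on values that must agree across two files administered by two different tools: the Identity Server SSO setup requires uwcauth.identity.cookiename to equal local.webmail.sso.amcookiename and uwcauth.messagingsso.enable to be false, while the Messaging SSO setup requires uwcauth.appprefix, uwcauth.cookiedomain and messagingsso.appid to match local.webmail.sso.prefix, local.webmail.sso.cookiedomain and local.webmail.sso.id, a cookie domain starting with a period, and a messagingsso.<appid>.url verify URL. The script below is an added example that automates those cross-checks; it is not part of Communications Express, Messaging Server or this guide. It assumes uwcauth.properties is in Java .properties syntax and that the Messenger Express parameters have been saved as "key = value" lines; the embedded sample files are constructed, the function names parse_properties and check_sso are the example's own, and treating a missing local.webmail.sso.uwcenabled as 0 is an assumption. It also reports com.iplanet.am.jssproxy.trustAllServerCerts=true from the same-web-container procedure as a warning, since that setting stops the Identity Server SDK from validating the server certificate.

```python
# Added example (not part of the Communications Express product or this guide):
# a consistency check for the SSO settings this chapter asks you to align
# between uwcauth.properties and the Messenger Express configutil parameters.
# Assumptions: uwcauth.properties uses Java .properties syntax; the Messenger
# Express side is fed as "key = value" lines (e.g. saved configutil output).
import re

# Constructed sample of uwc-deployed-path/WEB-INF/config/uwcauth.properties
# for an Identity Server SSO deployment, with two deliberate mistakes.
SAMPLE_UWCAUTH = """
# Communications Express authentication settings (constructed sample)
uwcauth.identity.enabled=true
uwcauth.identity.login.url=http://siroe.example.com:85/amserver/UI/login
uwcauth.identity.cookiename=iPlanetDirectoryPro
uwcauth.identity.binddn=uid=amAdmin, ou=People, o=siroe.example.com, o=example.com
uwcauth.identity.bindcred=password
uwcauth.messagingsso.enable=true
"""

# Constructed sample of the Messenger Express parameters (configutil side).
SAMPLE_CONFIGUTIL = """
local.webmail.sso.amnamingurl = http://siroe.example.com:85/amserver/namingservice
local.webmail.sso.amcookiename = iPlanetDirectoryPr
local.webmail.sso.uwcenabled = 1
local.webmail.sso.uwcport = 85
"""

def parse_properties(text):
    """Parse 'key=value' / 'key = value' / 'key: value' lines into a dict."""
    props = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#!":
            continue  # blank line or comment
        match = re.match(r"([^=:\s]+)\s*[=:]?\s*(.*)", line)
        if match:
            props[match.group(1)] = match.group(2).strip()
    return props

def is_true(value):
    """Accept the boolean spellings both tools use (true/false, 1/0)."""
    return str(value).strip().lower() in ("true", "1", "yes")

def check_sso(uwc, msg, amconfig=None):
    """Return a list of (level, message) findings; an empty list means consistent.

    uwc: parsed uwcauth.properties; msg: parsed Messenger Express parameters;
    amconfig: parsed AMConfig.properties (optional)."""
    findings = []
    identity = is_true(uwc.get("uwcauth.identity.enabled", "false"))
    messaging = is_true(uwc.get("uwcauth.messagingsso.enable", "true"))
    if identity and messaging:
        findings.append(("error", "uwcauth.messagingsso.enable must be false "
                         "when Identity Server SSO is enabled"))
    if identity:
        # Both sides must agree on the Identity Server session cookie name.
        a = uwc.get("uwcauth.identity.cookiename")
        b = msg.get("local.webmail.sso.amcookiename")
        if a != b:
            findings.append(("error", f"cookie name mismatch: uwcauth.identity."
                             f"cookiename={a!r} vs local.webmail.sso.amcookiename={b!r}"))
        for key in ("uwcauth.identity.login.url", "uwcauth.identity.binddn",
                    "uwcauth.identity.bindcred"):
            if not uwc.get(key):
                findings.append(("error", f"{key} is not set"))
        if not msg.get("local.webmail.sso.amnamingurl"):
            findings.append(("error", "local.webmail.sso.amnamingurl is not set"))
    elif messaging:
        # Messaging SSO: cookie prefix, cookie domain and app ID must match.
        pairs = (("uwcauth.appprefix", "local.webmail.sso.prefix"),
                 ("uwcauth.cookiedomain", "local.webmail.sso.cookiedomain"),
                 ("messagingsso.appid", "local.webmail.sso.id"))
        for ukey, mkey in pairs:
            if uwc.get(ukey) != msg.get(mkey):
                findings.append(("error", f"{ukey}={uwc.get(ukey)!r} does not "
                                 f"match {mkey}={msg.get(mkey)!r}"))
        if not msg.get("local.webmail.sso.cookiedomain", "").startswith("."):
            findings.append(("error", "local.webmail.sso.cookiedomain must begin "
                             "with a period, e.g. .example.com"))
        appid = uwc.get("messagingsso.appid", "ims")
        if not uwc.get(f"messagingsso.{appid}.url"):
            findings.append(("error", f"messagingsso.{appid}.url (SSO verify URL "
                             f"for app ID {appid!r}) is missing"))
        if not is_true(uwc.get("messagingsso.ipsecurity", "true")):
            findings.append(("warn", "messagingsso.ipsecurity=false: the session "
                             "cookie is not bound to the login IP address"))
    # Messenger Express must accept Communications Express users in either mode
    # (treated as 0 when absent: assumption of this example).
    if not is_true(msg.get("local.webmail.sso.uwcenabled", "0")):
        findings.append(("error", "local.webmail.sso.uwcenabled is not 1"))
    if amconfig and is_true(amconfig.get(
            "com.iplanet.am.jssproxy.trustAllServerCerts", "false")):
        findings.append(("warn", "com.iplanet.am.jssproxy.trustAllServerCerts="
                         "true: the Identity Server SDK will not validate the "
                         "server certificate; confirm this is the same-web-"
                         "container SSL case before keeping it"))
    return findings

if __name__ == "__main__":
    for level, message in check_sso(parse_properties(SAMPLE_UWCAUTH),
                                    parse_properties(SAMPLE_CONFIGUTIL)):
        print(f"{level}: {message}")
```

Run against the constructed samples, the script reports the two mistakes built into them (uwcauth.messagingsso.enable left at true, and a cookie name that differs by one character between the two files); in a real deployment, point parse_properties at the actual uwcauth.properties and at saved configutil output.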





Part No:819-0115-10.   Copyright 2005 Sun Microsystems, Inc. All rights reserved.