Configure Single Sign-On

Configure Single Sign-On

Single sign-on allows users to login once to a software application and gain access to multiple software systems without being prompted to login again. If you configure single sign-on for your Content Management System (CMS) or any other pages you add, users of your Geoportal will only need to login one time to access all the single sign-on enabled applications.

Tomcat Instructions

Weblogic Instructions

Note: The instructions provided below are suggestions according to how SSO was configured during testing. Your organization may require a different procedure depending on your servlet container software, other applications using SSO, security policies and other considerations.

Tomcat LDAP and Single Sign-On Configuration Instructions

This single sign-on configuration is tested against Tomcat 5.5.17, and assumes that you have already configured users through LDAP, as per the Geoportal extension 9.3.1 installation guide.

If you have set up LDAP, then proceed with the following steps to enable single sign-on. You will need to make changes to both your Tomcat server.xml file and your Geoportal web application configuration file.

1. Modify the Tomcat server.xml File
• Navigate to the <TOMCAT>\conf folder and open the server.xml file in a text editor.
• Find the section where the <Realms> are defined. This can be under the <engine> element or the <host> element; where you define realms depends on the other web applications that you deploy in your system that are not necessarily related to the Geoportal. In the following example, we place the <realm> element within <host>. If <Realms> are found under the <engine> element, replace all references to <host> for <engine> in the instructions that follow. For more information, please refer to Apache Tomcat documentation.
• Paste the following <realm> element in the <host> section. Make sure to change the code to match your LDAP settings where it is shown in bold. The example shows typical settings for Apache Directory Server:
  • connectionName: LDAP administrator connection distinguished name.
  • connectionPassword: LDAP administrator connection password
  • connectionURL: LDAP connection URL
  • roleBase: element that is the base of the search for matching roles. The example below is defining a structure where "groups" are defined under "system" in the active directory tree.
  • roleName: attribute name of the role/group. Default: cn
  • roleSearch: an expression used to search for role/group elements in the roleBase context. The search will find those roles/groups that contain a given username, with {0} being a placeholder for the username.
  • userPattern: The pattern of the distinguished name for users.
  
  
  <Realm

className="org.apache.catalina.realm.JNDIRealm"

connectionName="uid=admin,ou=system"

connectionPassword="password"

connectionURL="ldap://myServer:10389"

debug="99"

roleBase="ou=groups,ou=system"

roleName="cn"

roleSearch="(uniquemember={0})"

userPattern="cn={0},ou=users,ou=system"/>
• Paste the following <valve> element also within the <host> section:
  
  <Valve className="org.apache.catalina.authenticator.SingleSignOn" />
• Save the file.



2. Modify the geoportal gpt.xml File
• Activate single sign-on in the gpt.xml file:
  • Navigate to the <TOMCAT>\webapps\geoportal\WEB-INF\classes\gpt\config folder and open gpt.xml in a text editor.
  • Find the "<singleSignOn> element
  • Set its "active" attribute to "true", as shown below:
    
    <singleSignOn active="true" ...
• Verify that in the <Groups> section in gpt.xml, the "searchDIT" distinguished name matches the "roleBase" distinguished name specified in the Tomcat server.xml <realm> element you configured earlier. For Apache Directory Server, both could be "ou=groups,ou=system".
• Save the file.



3. Modify the web.xml File
• Navigate to the <TOMCAT>\webapps\geoportal\WEB-INF folder and open the web.xml file in a text editor.
• Uncomment the <security-constraint> element in web.xml:
  
  <security-constraint>

<web-resource-collection>

<web-resource-name>login</web-resource-name>

<description>login</description>

<url-pattern>/catalog/identity/login.page</url-pattern>

<http-method>GET</http-method>

<http-method>POST</http-method>

</web-resource-collection>

<auth-constraint>

<description>These are the roles who have access</description>

<role-name>gpt_administrators</role-name>

<role-name>gpt_publishers</role-name>

<role-name>gpt_registeredUsers</role-name>

</auth-constraint>

</security-constraint>

<login-config>

<auth-method>FORM</auth-method>

<realm-name>Restricted content</realm-name>

<form-login-config>

<form-login-page>/catalog/identity/loginJsc.page</form-login-page>

<form-error-page>/catalog/identity/loginJsc.page?error=true</form-error-page>

</form-login-config>

</login-config>


• Uncomment <security-role> block like below in web.xml:
  
  <security-role>

<role-name>gpt_administrators</role-name>

</security-role>

<security-role>

<role-name>gpt_publishers</role-name>

</security-role>

<security-role>

<role-name>gpt_registeredUsers</role-name>

</security-role>


• Save the file and close it.
• Restart Tomcat.

Weblogic LDAP and Single Sign-On Configuration Instructions

This single sign-on configuration is tested against Weblogic 10.3.1, and assumes that you have already configured users through LDAP, as per the Geoportal extension 9.3.1 installation guide. This example also assumes that your LDAP is configured with Apache Directory Server. Directions below may need adjustment for other Directory Server vendors.

If you have set up LDAP, then proceed with the following steps to enable single sign-on. You will need to make changes from within the Weblogic Administration Console to the security realm. For more detailed information on security realms visit Weblogic Website.

1. Create Security Realm
• Login to the Weblogic Server Administration Console.
• Click Security Realms under the Domain Structure table of contents.
• Select myrealm from the table.
• Click the Providers tab.
• Select New.
• Input the name of the Authentication provider. (In this example we will use geoportal as the name.
• Select the Type from the dropdown. In this example for Apache Directory Server, select the LDAP Authenticator. If you are using a different Directory Server vendor, you'll need to select a type that corresponds to that vendor.
• Click Ok. The new provider will be added to the list of authenticated providers.




Once you have completed these steps you will now have to edit the new provider information to match your current LDAP configuration.

• Click the new provider.
• Select the Provider Specific tab.




You will need to update certain fields with information from your LDAP. Fields not mentioned below should be left as their default values. The example shows typical settings for Apache Directory Server:

• User Name Attribute: The attribute of an LDAP user object that specifies the name of the user. default: uid.
• Principal: DN of LDAP user Weblogic uses to connectr to LDAP.
• Propogate Cause for Login Exception: make sure that this is checked.
• Host: The host name or IP address of the LDAP server.
• Use Retrieved User Name as Principal: make sure that this is checked.
• Credential: password used to connect to LDAP server.
• Confirm Credential: confirmation of password.
• Group Base DN: The base distinguished name (DN) of the tree in the LDAP directory that contains groups. Note: write this down for a future step.
• User Base DN: The base distinguished name (DN) of the tree in the LDAP directory that contains users.
• Port: The port number on which the LDAP server is listening.
• Click Save.



2. Alter the DefaultAuthenticator in myrealm

Weblogic has its own security provider that protects weblogic resources, that provider os called DefaultAuthenticator. You will need to adjust the Control Flag setting of the DefaultAuthenticator.

• Click Security Realms under the Domain Structure table of contents.
• Select myrealm.
• Click the Providers tab.
• Select DefaultAuthenticator.
• Select "Sufficient" from the Control Flag dropdown.
• Click Save.



3. Modify the geoportal gpt.xml File
Activate single sign-on in the gpt.xml file:
• Navigate to the <Geoportal Extension Installation Dir>\geoportal\WEB-INF\classes\gpt\config folder and open gpt.xml in a text editor.
• Find the "<singleSignOn> element
Set its "active" attribute to "true", as shown below:

<singleSignOn active="true" ...
• Verify that in the <Groups> section in gpt.xml, the "searchDIT" distinguished name matches the Group Base DN that you wrote down earlier when configuring the security realm. For Apache Directory Server, both could be "ou=groups,ou=system".
• Save the file.



4. Modify the web.xml File
• Navigate to the <Geoportal Extension Installation Dir>\geoportal\WEB-INF folder and open the web.xml file in a text editor.
• Uncomment the <security-constraint> and <securityrole> block in web.xml:
  
  <security-constraint>

<web-resource-collection>

<web-resource-name>login</web-resource-name>

<description>login</description>

<url-pattern>/catalog/identity/login.page</url-pattern>

<http-method>GET</http-method>

<http-method>POST</http-method>

</web-resource-collection>

<auth-constraint>

<description>These are the roles who have access</description>

<role-name>gpt_administrators</role-name>

<role-name>gpt_publishers</role-name>

<role-name>gpt_registeredUsers</role-name>

</auth-constraint>

</security-constraint>

<login-config>

<auth-method>FORM</auth-method>

<realm-name>myRealm</realm-name>

<form-login-config>

<form-login-page>/catalog/identity/loginJsc.page</form-login-page>

<form-error-page>/catalog/identity/loginJsc.page?error=true</form-error-page>

</form-login-config>

</login-config>




<security-role>

<role-name>gpt_administrators</role-name>

</security-role>

<security-role>

<role-name>gpt_publishers</role-name>

</security-role>

<security-role>

<role-name>gpt_registeredUsers</role-name>

</security-role>


• Save the file and close it.
• Restart Weblogic.