Hp service Manager Single Sign On Implementation Integration with Integrated Windows Authentication




2 Introduction


This document technically describes the Single Sign-On setup for HP Service Manager based on Integrated Windows Authentication (IWA).

2.1 Why do we implement SSO?


  • HP Service Manager’s single sign-on functionality addresses the complexity of maintaining duplicate user accounts, multiple passwords, and separate logins across applications.

  • By replacing the need to log into multiple applications using the same login and password with a single, secure login process, you can ensure that information is both secure and easily accessed.

  • This single sign-on solution provides security and convenience while greatly reducing operational expenses.

Prerequisites for SSO

  • Authentication source: a Service Manager single/trusted sign-on implementation requires a web server to accept the pre-authenticated HTTP header information from your authentication software, such as CA SiteMinder, IBM Webseal, Quest’s VSJ-Kerberos or Microsoft’s Integrated Windows Authentication, home-brew authentication solutions, CAS, openSSO, …

  • You must install and configure the authentication software separately. See your web server documentation for information about the HTTP headers that your web server expects from your authentication software.

  • The web tier (HTTP server and web application server) must be compatible with the HPSM version.

  • HPSM RTE installed and configured for SSO

  • HPSM web client configured for SSO

  • The browser, Internet Explorer (IE) or Firefox, must be IWA enabled.

  • The URL should be added to the trusted domains in IE.

HP SM server/client SSL certificates

  • Until HPSM 7.11, mutual SSL authentication was mandatory when setting up SSO. Between HPSM 7.11 and 9.30, SSL certificates were no longer mandatory, although HP advised them. Starting from HPSM 9.30, HP’s security office decided to enable the SSL prerequisite again for a working SSO environment.

  • In any case, it is HP’s best practice to install client and server certificates when implementing SSO.

  • Activating single sign-on generally requires that you either create or purchase Secure Socket Layer (SSL) certificates for the SM server, the SM Web Tier and the SM Windows clients. You can purchase SSL certificates from a certificate authority (CA), a trusted third party that issues root digital certificates and confirms certificate authenticity. You use these certificates to create a secure network connection between the SM Windows client and the SM server, or between the SM Web Tier and the SM server. This document also describes how to generate your SSL certificates with a self-signed Certificate Authority.

  • The connection between the user's web browser and the Web Tier remains unchanged, requires no additional configuration in terms of importing certificates, and falls under the responsibility of the customer. HP strongly advises its customers to set up HTTPS between browser and web tier.

Note

HPSM is supported running against Kerberos to enable SSO and Trusted Sign-On (TSO) security on Apache / Tomcat platforms, on the basis that Kerberos is a ‘Transparent Technology’. By this we mean that Kerberos is implemented at the Apache / Tomcat administration level and is not expected to impact applications such as the SM web client beyond the expected authentication functionality.

The definition of support for transparent technologies is stated in the Service Manager compatibility matrix available here:

http://support.openview.hp.com/sc/support_matrices.jsp



2.2 HP Documentation about SSO for HP Service Manager





  • HPSM SSO white paper. Downloadable from http://support.openview.hp.com/selfsolve/document/KM773556

  • HP SM 9.21/9.30 Help server

  • HP Knowledge base articles:

    • FAQ about HP Service Manager and SSO (Single Sign-On) support. (http://support.openview.hp.com/selfsolve/document/KM742891 )

    • How can SSL and SSO work with a certificate authority, such as the MS Certificate Server? (http://support.openview.hp.com/selfsolve/document/KM862296)

    • Running loadbalancer for 2 types of connection: one with SSO and the other without SSO. (http://support.openview.hp.com/selfsolve/document/KM831695). This document does not apply to HPSM 9.30.

    • Steps to configure SSO for Windows Client. (http://support.openview.hp.com/selfsolve/document/KM1112808)

    • Hands on guide - Setting SSL & SSO (trusted-sign-on) with Service Manager. (http://support.openview.hp.com/selfsolve/document/KM1318768)


3 Installation & Configuration


This is a demo setup showing how the integration of Microsoft’s IIS with Apache Tomcat might be configured. It will probably differ in each customer’s environment. This setup can be used for a POC and reviewed for production usage.

In the following paragraphs, screenshots are based on Microsoft’s Windows 2003 Server and its included HTTP server, IIS (version 6).


3.1 What will the architecture look like?



Figure : example SSO setup using IWA

Figure shows an example architecture of HPSM integrated with IWA. On the web application server, we’ve deployed the HPSM web client (context root /SM9), configured for IWA integration (the PreAuthenticationFilter is enabled). Custom authentication can be achieved by deploying a custom bean which extends the httpHeaderPreAuthenticationFilter or PreAuthenticationFilter.
The following steps describe in detail how the integration works:


  1. A user requests a resource (on IIS) contained in an application protected by IWA authentication.

  2. IIS verifies the credentials (included by IE) with AD.

  3. If the authentication is successful, IIS adds the authenticated username to the request header and redirects the user request to the URL defined in IIS ISAPI redirector plug-in.

  4. The IIS ISAPI redirector forwards the request to the Tomcat Apache Java Protocol (AJP) connector.

  5. The HPSM SSO framework performs the login operation with the username taken from the header.

On top of the PreAuthenticationFilter, HP Professional Services (HP PSO) created its own bean (HPPSO_iwa_preAuthenticationFilter), which replaces the PreAuthenticationFilter bean: it offers more debugging output, upper/lowercase conversion of the credentials set in the header, and allows reusing the domain value.

More about this in section 4, Custom Java bean, below.
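The following Python sketch is an added illustration of what steps 3 to 5 and the HPPSO bean's case conversion and domain handling amount to on the web tier; it is not HP's code and not the HPPSO_iwa_preAuthenticationFilter itself. The pre-authenticated username is only accepted when the request arrived via the trusted IIS/AJP hop, because a request that reaches Tomcat directly carries an attacker-controlled header; the header name X-Forwarded-User and the hop address are assumptions.

```python
from dataclasses import dataclass
from typing import FrozenSet, Mapping, Optional

# Assumed header name for this illustration; the real filter reads whichever
# header the web server is configured to send (see the HP documentation).
PREAUTH_HEADER = "x-forwarded-user"


@dataclass(frozen=True)
class Principal:
    domain: Optional[str]
    user: str


def parse_principal(raw: str) -> Optional[Principal]:
    """Split an IWA-style username (DOMAIN\\user or user@domain) into parts.

    Returns None for empty, malformed or non-printable values so that a bad
    header value can never be turned into a valid login.
    """
    value = raw.strip()
    if not value or not value.isprintable():
        return None
    if "\\" in value:
        domain, _, user = value.partition("\\")
    elif "@" in value:
        user, _, domain = value.partition("@")
    else:
        domain, user = None, value
    if not user or (domain is not None and not domain):
        return None
    # Case conversion: AD names are case-insensitive, while the operator
    # lookup in Service Manager compares exactly, so normalise first. The
    # domain is kept so the caller can reuse it (as the HPPSO bean allows).
    return Principal(domain.lower() if domain else None, user.lower())


def preauth_login(headers: Mapping[str, str], remote_addr: str,
                  trusted_hops: FrozenSet[str]) -> Optional[Principal]:
    """Accept the pre-authenticated header only from the trusted IIS/AJP hop."""
    if remote_addr not in trusted_hops:
        return None  # request bypassed IIS: the header is untrusted input
    # HTTP header names are case-insensitive, so compare them lower-cased.
    lowered = {name.lower(): value for name, value in headers.items()}
    raw = lowered.get(PREAUTH_HEADER)
    if raw is None:
        return None  # IIS did not authenticate anyone: no silent login
    return parse_principal(raw)
```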


