SSO integration in XIR3.1

server administration XI Server Discussion
1

Hi guys,

We’ve been trying to fix our SSO integration in BOXIR3.1 and we cannot make it work… BO vendor is saying everything is OK from BO side, our SSO team says everything is fine from their end :nonod

The problem here is that after entering the SSO, it goes directly to the logon.jsp page and shows this error: Account Information Not Recognized:
The user account has been disabled. (FWB 00012), instead of going into the main Infoview page as we have in XIR2.

We noticed that using the app link or F5 url we get the following in the logon.jsp page, but if we run Infoview from the windows server directly we don’t get this error.

Our environment: BOEXIR3.1, we have a clustered environment, our tomcat app server is on unix, apache web server under unix as well and 2 windows servers.

We have setup in the web.xml the following:


authentication.visible=False
This is to disable the Authentication option in the Infoview page

        <context-	param>
                <param-name>authentication.visible</param-name>
            <param-value>false</param-value>
        </context-param>

siteminder.enabled= False
This has to be set to false if we are not using the Siteminder. 
        <context-param>
                <param-name>siteminder.enabled</param-name>
                <param-value>false</param-value>
        </context-param>


Sso enabled = True

    <context-param>
        <param-name>sso.enabled</param-name>
        <param-value>true</param-value>
    </context-param>

Trusted auth user retrieval

    <context-param>
        <param-name>trusted.auth.user.retrieval</param-name>
        <param-value>HTTP_HEADER</param-value>
    </context-param>



Trusted auth user param

    <context-param>
        <param-name>trusted.auth.user.param</param-name>
        <param-value>SSO_UID</param-value>
    </context-param>

We have created the Trustedprincipal.conf file in our tomcat unix server under:

/data/bo-app/node02/bobje/enterprise120/solaris_sparc/

With the appropriate SharedSecret and also in the CMC under Authentication we have had set that up.

We have checked the communication between the app server and web server and looks fine…

SSO is being passed in HTTP headers format only from siteminder.

However in XIR2 we don’t have enabled siteminder, and I tried enabling it in XIR3 and still the same thing.

If you have any thoughts on how to troubleshoot or if you need any other info, please let me know…

Thanks and I appreciate your help in advance.

Dan

dannyghost (BOB member since 2008-04-01)

2

I am just wondering if you are entering logon.jsp in SSO URL ?

Did you tried using logon.do? (I think its something like logon/logon.do, but not very sure). :+1:

nicholas (BOB member since 2008-07-31)

3

Hi all,

The issue has been resolved, please don’t ask me what we did, as we didn’t do anything… :smiley:

From SSO side and web server nothing, the only thing that I did for the “nth” time was to re-create the TrustedPrincipal.conf with the appropriate SharedSecret, changed the same in the CMC, and reboot tomcat…

These steps we did it and no luck, but all of a sudden started working.

dannyghost (BOB member since 2008-04-01)

4

Hi Dannyhost,

Would you be able to sent some documentation about this solution. I’m currently having problems of getting windows AD authentication working under a linux Tomcat server.

martensnl :netherlands: (BOB member since 2006-12-19)

5

Hi martensnl

If you are looking for the AD authentication working under a linux Tomcat server using Kerberos authentication (as you asked here - Linux tomcat - Windows processing - AD), you are at wrong place. :lol: Reason is here we are discussing on Trusted Authentication (other method of SSO).

So, I would just suggest you to make it clear if you want to go for Trusted authentication or Kerberos?

nicholas (BOB member since 2008-07-31)

6

Hi Nicholas,

Thank for the reply. You are correct, my mistake.

martensnl :netherlands: (BOB member since 2006-12-19)