How to implement single sign-on using SPNEGO and JAAS
When installing Process Commander, you may need to ensure that Process Commander participates in a single sign-on implementation that uses JAAS (Java Authentication and Authorization Service) and Microsoft’s HTTP Negotiate authentication extension, which uses the SPNEGO (Simple and Protected GSS-API Negotiation) mechanism.
This article provides a broad overview of the major components in such an implementation and presents the kinds of things to think about when approaching this task. The Process Commander part of such a configuration – that is, configuring Process Commander to rely on container-managed authentication (JAAS) – is one piece of this picture and it is documented in Authentication in PegaRULES Process Commander.
This article does not and cannot provide actual configuration instructions for the non-Process Commander components, but you can use it as a starting place. For details about configuring Windows-based authentication, Active Directory, Kerberos services, and JAAS, use the documentation from the appropriate vendor.
Important: It is assumed that readers of this article are experienced Process Commander developers and are familiar with its authentication processes and authorization structures (operator IDs, access groups, access roles, and so on). It is also assumed that readers are familiar with Windows authentication, SPNEGO, Kerberos, JAAS, and LDAP.
The following figure shows an example of how the main components in a configuration that uses single sign-on with SPNEGO and JAAS might interact. In the figure:
- The LDAP server has Active Directory and Kerberos services running.
- The Process Commander server has Process Commander deployed in a J2EE-compliant application server that uses JAAS to authenticate users, and Process Commander is configured to rely on container-managed authentication.
- The user's workstation is running Windows XP and Internet Explorer.
Note that this is a broad generalization and your situation may differ greatly from that depicted here.
In this example the single sign-on processing works as follows:
- The user arrives at work and logs into the company network. He is authenticated against the LDAP directory and his workstation receives a Kerberos ticket that contains his user credentials. His workstation uses this ticket to log him in automatically to the company applications that require authentication, without prompting him to enter his user credentials again.
- When the user navigates to the URL of the Process Commander system, the application server returns a response that includes the WWW-Authenticate: Negotiate header. The user's browser replies with a new request that includes the Authorization: Negotiate header. That header holds a SPNEGO token that contains a Kerberos ticket with the user’s credentials.
- The application server validates the Kerberos ticket with the LDAP server.
- If the Kerberos ticket is valid, the application server allows the user access to Process Commander.
Notes about Setting Up the LDAP Server
When you configure the LDAP server in a configuration like the example, it is likely that you will perform the following kinds of tasks:
- Add to the directory the name of the server running Process Commander. It is likely that you will have to add the server as a user rather than a computer.
- Create a user account for the server running Process Commander and configure Kerberos settings.
- Define service principal names (SPNs).
- Perform additional, application-server-specific steps.
- Set up a user account for the end user to permit Windows login to the Active Directory domain.
Notes about Setting Up the Application Server Where Process Commander is Deployed
When you configure the application server in which Process Commander is deployed in a configuration like the example, it is likely that you will perform the following kinds of tasks:
- Edit or create a configuration file to specify the location of the Kerberos service (the Key Distribution Center, or KDC).
- Provide a keytab or other file that contains Kerberos information like the names of SPNs.
- Update or create a JAAS configuration file that informs the application server that Kerberos authentication is being used and that specifies the location of the keytab file.
- Update the startup script to indicate the use of Kerberos authentication and the location of the JAAS configuration file.
- For WebLogic, you must also add an identity assertion provider to the default security realm and you may also need to configure additional groups, roles, and policy conditions.
Notes about the Client Workstations
When you configure the client workstations in a configuration like the example, it is likely that you will perform the following kinds of tasks in Microsoft Internet Explorer:
- Enable intranet authentication.
- Configure proxy settings, if necessary.
- Enable Integrated Windows Authentication.