If you are using Microsoft® Active Directory Domain Services you can configure SSO (single sign-on). This allows users to work with all ARIS components as soon as they are logged in to the domain. Separate login to ARIS components is not required.
Single sign-on in ARIS is based on Kerberos. Kerberos is a network authentication protocol that allows nodes communicating over an insecure network to prove their identity to one another securely. Kerberos is the recommended method for user authentication in MS Windows networks. It is also widely used with Linux operating systems and is designed for use with all major platforms.
Please contact your LDAP administrator for this.
Prerequisite
Server
Client
Configuration in User Management
SSO must be configured for the servers.
You have the Technical configuration administrator function privilege.
Procedure
If you do not have a Kerberos configuration file, create one. Name it, for example, krb5.conf, add the following lines, and adjust the configuration to meet your requirements.
[libdefaults]
default_tgs_enctypes = des-cbc-md5 des-cbc-crc des3-cbc-sha1 aes128-cts aes128-cts-hmac-sha1-96 aes256-cts aes256-cts-hmac-sha1-96 rc4-hmac arcfour-hmac arcfour-hmac-md5
default_tkt_enctypes = des-cbc-md5 des-cbc-crc des3-cbc-sha1 aes128-cts aes128-cts-hmac-sha1-96 aes256-cts aes256-cts-hmac-sha1-96 rc4-hmac arcfour-hmac arcfour-hmac-md5
permitted_enctypes = des-cbc-md5 des-cbc-crc des3-cbc-sha1 aes128-cts aes128-cts-hmac-sha1-96 aes256-cts aes256-cts-hmac-sha1-96 rc4-hmac arcfour-hmac arcfour-hmac-md5
If the Service Principal Name in the keytab is, for example, mypc01@MY.DOMAIN.COM, the value of the property com.company.aris.umc.kerberos.servicePrincipalName must contain the Service Principal Name exactly as it is specified in the keytab file.
Example: MYDOMAIN.COM.
The debug output of the program that the user wants to log in to is written to the file system.out of that program. For User Management, for example, this file is located in the directory <ARIS installation directory>/work_umcadmin_m/base/logs.
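The enctype lists in the sample krb5.conf above still offer single-DES, 3DES and RC4 types, which are deprecated (RFC 6649 and RFC 8429) and should only be kept if a legacy KDC requires them. The following Python script is an added example, not part of the ARIS documentation or product: it parses the [libdefaults] section of a krb5.conf (the constructed sample embeds the lists shown above), reports the weak enctypes per key, and renders a hardened section that keeps only the AES types.

```python
import re

# Constructed sample krb5.conf, copied from the enctype lists shown on this page.
SAMPLE_KRB5_CONF = """[libdefaults]
default_tgs_enctypes = des-cbc-md5 des-cbc-crc des3-cbc-sha1 aes128-cts aes128-cts-hmac-sha1-96 aes256-cts aes256-cts-hmac-sha1-96 rc4-hmac arcfour-hmac arcfour-hmac-md5
default_tkt_enctypes = des-cbc-md5 des-cbc-crc des3-cbc-sha1 aes128-cts aes128-cts-hmac-sha1-96 aes256-cts aes256-cts-hmac-sha1-96 rc4-hmac arcfour-hmac arcfour-hmac-md5
permitted_enctypes = des-cbc-md5 des-cbc-crc des3-cbc-sha1 aes128-cts aes128-cts-hmac-sha1-96 aes256-cts aes256-cts-hmac-sha1-96 rc4-hmac arcfour-hmac arcfour-hmac-md5
"""

# Single-DES, 3DES and RC4 enctypes: deprecated by RFC 6649 / RFC 8429.
WEAK_ENCTYPES = {"des-cbc-md5", "des-cbc-crc", "des3-cbc-sha1",
                 "rc4-hmac", "arcfour-hmac", "arcfour-hmac-md5"}
ENCTYPE_KEYS = ("default_tgs_enctypes", "default_tkt_enctypes", "permitted_enctypes")

def parse_libdefaults(text):
    """Return {key: [enctypes]} for the enctype keys found in [libdefaults]."""
    section, found = None, {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()      # drop comments and whitespace
        if not line:
            continue
        m = re.match(r"\[(\w+)\]$", line)        # section header, e.g. [libdefaults]
        if m:
            section = m.group(1)
            continue
        if section != "libdefaults" or "=" not in line:
            continue
        key, value = (part.strip() for part in line.split("=", 1))
        if key in ENCTYPE_KEYS:
            found[key] = value.split()           # enctypes are space-separated
    return found

def audit(text):
    """For each enctype key return (sorted weak enctypes, strong enctypes in original order)."""
    return {k: (sorted(set(v) & WEAK_ENCTYPES), [e for e in v if e not in WEAK_ENCTYPES])
            for k, v in parse_libdefaults(text).items()}

def hardened_libdefaults(text):
    """Render a [libdefaults] section containing only the strong enctypes."""
    lines = ["[libdefaults]"]
    for key, (_, kept) in audit(text).items():
        lines.append(f"{key} = {' '.join(kept)}")
    return "\n".join(lines) + "\n"

if __name__ == "__main__":
    for key, (weak, _) in audit(SAMPLE_KRB5_CONF).items():
        print(f"{key}: weak enctypes offered -> {', '.join(weak) or 'none'}")
    print(hardened_libdefaults(SAMPLE_KRB5_CONF))
```

Before deploying the hardened list, confirm that the keytab and the Active Directory account were created with AES keys, otherwise ticket decryption fails.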
You have configured SSO using Kerberos in User Management.
Configuration in ARIS Administration using SAML
SSO must be configured for the servers.
You have the Technical configuration administrator function privilege.
Procedure
You have configured SSO using SAML in ARIS Administration.
Note that SSO (single sign-on) using SAML does not work if there are multiple LDAP servers and the same login names exist (even for different entities) in different LDAP systems.
Client configuration
Configure the browser settings to allow SSO. SSO has been tested with the following browsers:
If Microsoft® Active Directory Domain Services have been changed, you must first empty the Kerberos ticket cache of each client to avoid obsolete tickets. Delete the Kerberos ticket cache by running the command klist.exe purge. If the purge program is not available on the client computer, you can also log the client computer off from the domain and back on.
Microsoft® Internet Explorer®
Microsoft® Internet Explorer® supports Kerberos authentication only if the server is part of your local intranet.
Procedure
Mozilla Firefox®
In Mozilla Firefox, you can define trustworthy sites using the computer name, IP address, or a combination of both. You can use wildcards.
Procedure
If you prefer to use encryption stronger than AES 128-bit and this is permitted in your country, replace the JCE policy files of the JDK used by ARIS with the Java Cryptography Extension (JCE) Unlimited Strength Jurisdiction Policy Files 6. This allows unlimited key lengths.
If you cannot replace the policy files but still want to use SSO, you must use an encryption type for Kerberos tickets that the JDK allows, for example, AES 128-bit.