MashZone NextGen 10.2 | Appendix | Administration | MashZone NextGen Security | Authentication with Single Sign-On Solutions | Configuration for Agent-Based SSO Solutions
 
Configuration for Agent-Based SSO Solutions
With agent-based SSO, the basic flow of authentication and user identity information looks something like this:
MashZone NextGen delegates authentication to the SSO layer, but expects user identity information from the SSO layer in the request in either an HTTP header or a parameter in the request URL. MashZone NextGen uses an extractor to find identity information in the header or parameter, and uses a transformer, to derive the user ID from the identity information. MashZone NextGen then uses the user ID to perform authorization and process the request.
To configure MashZone NextGen to work with an agent-based SSO layer, you configure the extractor and the transformer layers to work with your SSO solution and the identity information for your environment. MashZone NextGen provides a default extractor that looks for an HTTP header or parameter by name. MashZone NextGen also provides default transformers that handles cases where the identity information is just the user ID or can be found within the identity information using a regular expression.
Note: You can also implement custom extraction or transformation layers to integrate MashZone NextGen with your SSO solution. See Implementing a Custom SSO Filter for details.
1. If needed, configure the MashZone NextGen User Repository. See Use the Default MashZone NextGen User Repository for more information.
In previous releases, MashZone NextGen only supported SSO solutions with LDAP as the MashZone NextGen User Repository. This restriction no longer applies.
2. Change the SSO filter in the applicationContext-security.xml configuration file for the MashZone NextGen Server:
a. Open applicationContext-security.xml in any text or XML editor.
This file is located in the web-apps-home/mashzone/WEB-INF/classes folder.
b. Comment out the SSO filter bean (<bean id="ssoProcessingFilter">) for agent-based solutions (class="com.jackbe.jbp.sas.security.ui.sso.SSONullPreAutheticatedFilter").
For example:
<bean id="ssoProcessingFilter"

>
<property name="authenticationManager" ref="authenticationManager" />
<property name="continueFilterChainOnUnsuccessfulAuthentication"
value="true" />
...
</bean>
Comment out the complete XML element with its children.
c. Comment in the bean <bean id="ssoProcessingFilter class="com.jackbe.jbp.sas.security.ui.sso.SSOPreAuthenticatedFilter">.
Comment in the complete XML element with its children.
3. In the agent-based SSO filter bean, configure the principalExtractor property:
*The default extractor uses a bean with the HttpHeaderOrParamTokenExtractor class.
<bean id="ssoProcessingFilter"

>
<property name="authenticationManager" ref="authenticationManager" />
<property name="continueFilterChainOnUnsuccessfulAuthentication"
value="true" />
<property name="principalExtractor">
<bean
>
<property name="httpHeaderName" value="SM_USER"/>
</bean>
</property>
...
</bean>
Change the value of the httpHeaderName property for this extractor bean to the name of the HTTP header or parameter that contains user identify information from your SSO solution.
*If you have a custom extractor class, replace the default extractor bean with configuration for your custom class.
4. In the agent-based SSO filter bean, configure the principalTransformer property:
*The default transformer property uses a bean with the RegexExtractionStringTransformation class. This uses a regular expression to extract some portion of the value for the SSO header or parameter to get the final user ID that MashZone NextGen can use for authorization checks.
<bean id="ssoProcessingFilter"

>
<property name="authenticationManager" ref="authenticationManager" />
<property name="continueFilterChainOnUnsuccessfulAuthentication"
value="true" />
<property name="principalExtractor">
<bean
>
<property name="httpHeaderName" value="SM_USER"/>
</bean>
</property>
<property name="principalTransformation">
<bean
>
<constructor-arg index="0" value="CN=(.*?),"/>
</bean>
</property>
</bean>
If the value of the SSO solution header or parameter contains more than just the user ID, for example a full DN from LDAP for a user, you can change the regular expression in the <constructor-arg/> parameter for the default bean to extract the user ID. The default regular expression extracts the CN portion of a user DN from an LDAP Directory.
If the value of the SSO solution header or parameter is just the user ID, no further transformation is needed. Change the principalTransformer bean to do nothing using the NoOpStringTransformation bean:
<bean id="ssoProcessingFilter"

>
<property name="authenticationManager" ref="authenticationManager" />
<property name="continueFilterChainOnUnsuccessfulAuthentication"
value="true" />
<property name="principalExtractor">
<bean
>
<property name="httpHeaderName" value="SM_USER"/>
</bean>
</property>
<property name="principalTransformation">
<bean
/>
</property>
</bean>
*If you have a custom transformation class, replace the default transformer bean with configuration for your custom class.
5. Save this file and restart the MashZone NextGen Server. See Start and Stop the MashZone NextGen Server for instructions.

Copyright © 2013-2018 | Software AG, Darmstadt, Germany and/or Software AG USA, Inc., Reston, VA, USA, and/or its subsidiaries and/or its affiliates and/or their licensors.
Innovation Release