Configuration for Agent-Based SSO Solutions
With agent-based SSO, the basic flow of authentication and user identity information looks something like this:
Presto delegates authentication to the SSO layer, but expects user identity information from the SSO layer in the request, in either an HTTP header or a parameter in the request URL. Presto uses an extractor to find identity information in the header or parameter, and uses a transformer to derive the user ID from the identity information. Presto then uses the user ID to perform authorization and process the request.
To configure Presto to work with an agent-based SSO layer, you configure the extractor and the transformer layers to work with your SSO solution and the identity information for your environment. Presto provides a default extractor that looks for an HTTP header or parameter by name. Presto also provides default transformers that handle cases where the identity information is just the user ID or where the user ID can be found within the identity information using a regular expression.
Note:  
You can also implement custom extraction or transformation layers to integrate Presto with your SSO solution. See Implementing a Custom SSO Filter for details.
1. If needed, configure the Presto User Repository. See Use the Default Presto User Repository for more information.
In previous releases, Presto only supported SSO solutions with LDAP as the Presto User Repository. This restriction no longer applies.
2. Change the SSO filter in the applicationContext-security.xml configuration file for the Presto Server:
a. Open applicationContext-security.xml in any text or XML editor.
This file is located in the web-apps-home/presto/WEB-INF/classes folder.
b. Comment out the SSO filter bean (<bean id="ssoProcessingFilter">) for SharePoint (class="com.jackbe.jbp.sas.security.ui.sso.sp.SharepointSSOFilter").
For example:
<!-- <bean id="ssoProcessingFilter"
    class="com.jackbe.jbp.sas.security.ui.sso.sp.SharepointSSOFilter">
  <property name="authenticationManager" ref="authenticationManager" />
  <property name="continueFilterChainOnUnsuccessfulAuthentication"
      value="true" />
  ...
</bean> -->
c. Uncomment the SSO filter bean (<bean id="ssoProcessingFilter">) for agent-based solutions (class="com.jackbe.jbp.sas.security.ui.sso.SSOPreAuthenticatedFilter").
For example:
<bean id="ssoProcessingFilter"
    class="com.jackbe.jbp.sas.security.ui.sso.SSOPreAuthenticatedFilter">
  <property name="authenticationManager" ref="authenticationManager" />
  <property name="continueFilterChainOnUnsuccessfulAuthentication"
      value="true" />
  ...
</bean>
3. In the agent-based SSO filter bean, configure the principalExtractor property:
* The default extractor uses a bean with the HttpHeaderOrParamTokenExtractor class.
<bean id="ssoProcessingFilter"
    class="com.jackbe.jbp.sas.security.ui.sso.SSOPreAuthenticatedFilter">
  <property name="authenticationManager" ref="authenticationManager" />
  <property name="continueFilterChainOnUnsuccessfulAuthentication"
      value="true" />
  <property name="principalExtractor">
    <bean>
      <property name="httpHeaderName" value="SM_USER"/>
    </bean>
  </property>
  ...
</bean>
Change the value of the httpHeaderName property for this extractor bean to the name of the HTTP header or parameter that contains user identity information from your SSO solution.
* If you have a custom extractor class, replace the default extractor bean with configuration for your custom class.
4. In the agent-based SSO filter bean, configure the principalTransformer property:
* The default transformer property uses a bean with the RegexExtractionStringTransformation class. This uses a regular expression to extract some portion of the value for the SSO header or parameter to get the final user ID that Presto can use for authorization checks.
<bean id="ssoProcessingFilter"
    class="com.jackbe.jbp.sas.security.ui.sso.SSOPreAuthenticatedFilter">
  <property name="authenticationManager" ref="authenticationManager" />
  <property name="continueFilterChainOnUnsuccessfulAuthentication"
      value="true" />
  <property name="principalExtractor">
    <bean>
      <property name="httpHeaderName" value="SM_USER"/>
    </bean>
  </property>
  <property name="principalTransformation">
    <bean>
      <constructor-arg index="0" value="CN=(.*?),"/>
    </bean>
  </property>
</bean>
If the value of the SSO solution header or parameter contains more than just the user ID, for example a full DN from LDAP for a user, you can change the regular expression in the <constructor-arg/> parameter for the default bean to extract the user ID. The default regular expression extracts the CN portion of a user DN from an LDAP Directory.
If the value of the SSO solution header or parameter is just the user ID, no further transformation is needed. Change the principalTransformer bean to do nothing using the NoOpStringTransformation bean:
<bean id="ssoProcessingFilter"
    class="com.jackbe.jbp.sas.security.ui.sso.SSOPreAuthenticatedFilter">
  <property name="authenticationManager" ref="authenticationManager" />
  <property name="continueFilterChainOnUnsuccessfulAuthentication"
      value="true" />
  <property name="principalExtractor">
    <bean>
      <property name="httpHeaderName" value="SM_USER"/>
    </bean>
  </property>
  <property name="principalTransformation">
    <bean />
  </property>
</bean>
* If you have a custom transformation class, replace the default transformer bean with configuration for your custom class.
5. Save this file and restart the Presto Server. See Start and Stop the Presto Server for instructions.
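The extractor and transformer configured in steps 3 and 4, modelled as an added Python example (not Presto's code or classes) so that a regular expression can be checked against sample header values before it goes into applicationContext-security.xml. The function names, the header-before-parameter lookup order, the search semantics, ALT_PATTERN and all sample values are assumptions of this example.

```python
import re

DEFAULT_PATTERN = r"CN=(.*?),"      # regular expression shown in the configuration above
ALT_PATTERN = r"(?i)CN=([^,]+)"     # constructed alternative, not from the Presto docs

# Constructed header values for review; none come from a real deployment.
SAMPLES = [
    "CN=jsmith,OU=Users,DC=example,DC=com",         # typical LDAP DN
    "OU=Users,CN=jsmith",                           # CN last, no trailing comma
    "cn=jsmith,ou=users,dc=example,dc=com",         # lower-case attribute names
    r"CN=Smith\, John,OU=Users,DC=example,DC=com",  # escaped comma inside the CN
    "jsmith",                                       # bare user ID
]

def extract_identity(headers, params, name="SM_USER"):
    """Stand-in for the default extractor: find `name` as an HTTP header, then
    as a URL parameter. Checking the header first is an assumption."""
    for key, value in headers.items():
        if key.lower() == name.lower():   # HTTP header names are case-insensitive
            return value
    return params.get(name)

def regex_transform(identity, pattern=DEFAULT_PATTERN):
    """Stand-in for the regex transformer: capture group 1 of the first match.
    Search semantics and None on no match are assumptions."""
    if identity is None:
        return None
    match = re.search(pattern, identity)
    return match.group(1) if match else None

def noop_transform(identity):
    """Stand-in for the no-op transformer: the value already is the user ID."""
    return identity

def user_id(headers, params, transform=regex_transform):
    """Extractor followed by transformer, as in steps 3 and 4."""
    return transform(extract_identity(headers, params))

def check_pattern(pattern, samples=SAMPLES):
    """Map each sample value to the user ID the pattern would derive from it."""
    return {value: regex_transform(value, pattern) for value in samples}

if __name__ == "__main__":
    for pattern in (DEFAULT_PATTERN, ALT_PATTERN):
        print(pattern)
        for value, uid in check_pattern(pattern).items():
            print(f"  {value!r} -> {uid!r}")
```

With the default pattern, a DN whose CN is the last component or whose attribute names are lower-case yields no user ID, and an escaped comma truncates the CN, so run the values your SSO agent actually sends through `check_pattern` before changing the <constructor-arg/>. Presto takes the user ID from whatever arrives in this header or parameter, so the Presto Server should be reachable only through the SSO agent that sets it.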
Copyright © 2013-2015 Software AG, Darmstadt, Germany.
