Configuration for Agent-Based SSO Solutions
With agent-based SSO, the basic flow of authentication and user identity information looks something like this:
Business Analytics delegates authentication to the SSO layer, but expects user identity information from the SSO layer in the request in either an HTTP header or a parameter in the request URL. Business Analytics uses an extractor to find identity information in the header or parameter, and uses a transformer, to derive the user ID from the identity information. Business Analytics then uses the user ID to perform authorization and process the request.
To configure Business Analytics to work with an agent-based SSO layer, you configure the extractor and the transformer layers to work with your SSO solution and the identity information for your environment. Business Analytics provides a default extractor that looks for an HTTP header or parameter by name. Business Analytics also provides default transformers that handles cases where the identity information is just the user ID or can be found within the identity information using a regular expression.
Note: | You can also implement custom extraction or transformation layers to integrate Business Analytics with your SSO solution. See Implementing a Custom SSO Filter for details. |
In previous releases, Business Analytics only supported SSO solutions with LDAP as the Business Analytics User Repository. This restriction no longer applies.
2. Change the SSO filter in the applicationContext-security.xml configuration file for the Business Analytics Server:
a. Open applicationContext-security.xml in any text or XML editor.
This file is located in the web-apps-home/mashzone/WEB-INF/classes folder.
b. Comment out the SSO filter bean (<bean id="ssoProcessingFilter">) for SharePoint (class="com.jackbe.jbp.sas.security.ui.sso.sp.SharepointSSOFilter">).
For example:
<!-- <bean id="ssoProcessingFilter"
>
<property name="authenticationManager" ref="authenticationManager" />
<property name="continueFilterChainOnUnsuccessfulAuthentication"
value="true" />
...
</bean> -->
c. Uncomment the SSO filter bean (<bean id="ssoProcessingFilter">) for agent-based solutions (class="com.jackbe.jbp.sas.security.ui.sso.SSOPreAuthenticatedFilter").
For example:
<bean id="ssoProcessingFilter"
>
<property name="authenticationManager" ref="authenticationManager" />
<property name="continueFilterChainOnUnsuccessfulAuthentication"
value="true" />
...
</bean>
3. In the agent-based SSO filter bean, configure the principalExtractor property:
The default extractor uses a bean with the
HttpHeaderOrParamTokenExtractor class.
<bean id="ssoProcessingFilter"
>
<property name="authenticationManager" ref="authenticationManager" />
<property name="continueFilterChainOnUnsuccessfulAuthentication"
value="true" />
<property name="principalExtractor">
<bean
>
<property name="httpHeaderName" value="SM_USER"/>
</bean>
</property>
...
</bean>
Change the value of the httpHeaderName property for this extractor bean to the name of the HTTP header or parameter that contains user identify information from your SSO solution.
If you have a custom extractor class, replace the default extractor bean with configuration for your custom class.
4. In the agent-based SSO filter bean, configure the principalTransformer property:
The default transformer property uses a bean with the
RegexExtractionStringTransformation class. This uses a regular expression to extract some portion of the value for the SSO header or parameter to get the final user ID that
Business Analytics can use for authorization checks.
<bean id="ssoProcessingFilter"
>
<property name="authenticationManager" ref="authenticationManager" />
<property name="continueFilterChainOnUnsuccessfulAuthentication"
value="true" />
<property name="principalExtractor">
<bean
>
<property name="httpHeaderName" value="SM_USER"/>
</bean>
</property>
<property name="principalTransformation">
<bean
>
<constructor-arg index="0" value="CN=(.*?),"/>
</bean>
</property>
</bean>
If the value of the SSO solution header or parameter contains more than just the user ID, for example a full DN from LDAP for a user, you can change the regular expression in the <constructor-arg/> parameter for the default bean to extract the user ID. The default regular expression extracts the CN portion of a user DN from an LDAP Directory.
If the value of the SSO solution header or parameter is just the user ID, no further transformation is needed. Change the principalTransformer bean to do nothing using the NoOpStringTransformation bean:
<bean id="ssoProcessingFilter"
>
<property name="authenticationManager" ref="authenticationManager" />
<property name="continueFilterChainOnUnsuccessfulAuthentication"
value="true" />
<property name="principalExtractor">
<bean
>
<property name="httpHeaderName" value="SM_USER"/>
</bean>
</property>
<property name="principalTransformation">
<bean
/>
</property>
</bean>
If you have a custom transformation class, replace the default transformer bean with configuration for your custom class.