Difference between revisions of "Setting Up Single Sign-On for the Web Client v8.x"

Setting Up Single Sign-On for the Web Client

It is possible to set up a Web Client single-sign-on mechanism that will allow analysts in one or more domains of an organisation to access the Web Client without having to explicitly enter their login credentials. Instead of displaying the login page at the Web Client URL, the system authenticates transparently against the user's Windows network credentials and takes the user directly to the Web Client home page.

Note: It is assumed that each analyst who uses the Web Client and requires single sign-on has either the Active Directory or NT means of Windows authentication specified in their Supportworks analyst record. Other authentication options are not supported for single sign-on.

The key to single-sign-on capability is the Apache Web Server's SSPI module. This allows a Web-based application to authenticate using any of the authentication protocols built into the Windows Security Support Provider Interface.

The procedure for setting up single sign-on for the Web Client comprises a series of checks and adjustments performed in three separate areas of the system:

▪ Web server configuration ▪ One of the Web Client PHP files ▪ Main server configuration

In addition, it is worthwhile checking that certain local-intranet security options are set on any Web browsers that are expected to connect to the Web Client.

These sets of checks and adjustments are detailed in the following sections.

Checks/Adjustments to Perform in the Web Server Configuration

Carry out the actions relating to Web server configuration as follows:

1. Open the text file ...\Hornbill\Core Services\Apache\conf\cs\httpd.conf for editing. 2. Locate the line:#Include conf/extra/httpd-default.conf and remove the leading # character 3. Locate the following lines, and remove the leading # (if required):

LoadModule authn_core_module modules/mod_authn_core.so LoadModule authz_core_module modules/mod_authz_core.so LoadModule authz_user_module modules/mod_authz_user.so

4. Add the following entry at the end of the LoadModule list:

LoadModule auth_ntlm_module modules/mod_authn_ntlm.so

5. Save and Close the file 6. Open the text file ...\Hornbill\Core Services\Apache\conf\extra\httpd-default.conf for editing. 7. Locate the following lines and change the values as given below:

Timeout 300 KeepAlive On MaxKeepAliveRequests 100 KeepAliveTimeout 1

8. Save and Close the file 9. Create a new file located: ...\Hornbill\Core Services\Apache\conf\cs\core\ called

503_vhost.sw.conf

10. Add the following:

1. Webclient single sign on configuration

<Directory "C:\Program Files\Hornbill\Supportworks Server\html\webclient\sspi"> AllowOverride None AuthType SSPI AuthName "Company-name" NTLMAuth On NTLMAuthoritative On NTLMPerRequestAuth On NTLMOfferBasic On NTLMDomain top-level-domain-name require valid-user </Directory>

11. Save the file

Note that you must use the directory path that applies to your Supportworks installation, the company name that applies in your case, and the network domain where the analysts' Windows accounts reside. The domain name should just be that of the lowest-level domain. For multipledomain support, your network administrator must ensure that the domains concerned have trust relationships with the domain you specify here.

12. Restart the Web server (ApacheServer).

Checks/Adjustments to Perform in the Relevant Web Client PHP File

Here is the procedure to carry out on the Web Client module itself (within the Supportworks server):

1. Open the text file ...\Hornbill\Supportworks Server\html\webclient\php\_wcconfig.php and uncomment the following line:

define("_WC_TRUSTEDLOGON",true);

2. If your Windows network is set up to use Active Directory for authentication and the User Principle Name (UPN - which may contain spaces and other characters not allowed in analyst IDs) is not identical to the corresponding analyst ID, then uncomment the following lines as well:

define("_WC_UPN_SUPPORT",true); define("_WC_TOPLEVEL_DOMAIN","top-level-domain-name");

(where top-level-domain-name comprises the last two components of the domain name - for example, hornbill.com)

Also, in this case, you must ensure that the Active Directory means of authentication and the relevant fully qualified User Principle Name (UPN) are specified in each of the Supportworks analyst records.

3. Save the _wcconfig.php file.

Adjustments to Perform in the Main Server Configuration

To allow trust checking to occur between the Supportworks main server and the Web server, you have to configure the main server for "trusted authentication". Instructions are given in the chapter of the Supportworks ESP Configuration Guide entitled Configuring the Server for Trusted Authentication.

Analysts in the relevant domains should now be able to access the Web Client transparently. However, a lot depends on your environment, security settings and so on, so the above as given may not necessarily work. If analysts are having problems, you should at least check the browser-based settings indicated in the following section.

Checks to Perform in a Web Browser's Internet Options

The Internet options you will be checking here would normally have been set as defaults in your domain policy. Follow these instructions on an individual Web browser:

1. Select Tools > Internet Options and click the Security tab.

2. Select the "Local intranet" zone.

3. Click the Sites button, followed by Advanced.

4. In the list of websites, ensure that you can see the DNS name or IP address of the Supportworks Web server. If not, then add it to the zone.

5. Click Close and then OK.

6. With "Local intranet" still selected, click the "Custom level" button.

7. Scroll down to the User Authentication > Logon section.

8. Ensure that "Automatic logon only in Intranet zone" is selected.

9. Click OK and then OK again.

10. Restart the Web browser.

If there are still problems after this, please contact the Support Team for assistance.