Configuring Single Sign On
This article introduces a simple Single Sign-On (SSO) configuration for opentaps in a Windows network. In our solution, opentaps is deployed on Tomcat 5.5 behind Microsoft Internet Information Server (IIS) 6 on a Windows 2003 Server. IIS 6 is configured to use the Integrated Windows Authentication (IWA) mechanism to authenticate HTTP requests. When a Windows network user successfully authenticates with IIS, IIS adds the network user ID to the forwarded requests, and opentaps uses that ID to create the user login context required to access the various opentaps resources.
This solution assumes that a corresponding user login exists in opentaps for each Windows network user who needs access to the opentaps application, and that the user has been granted the appropriate opentaps security permissions. For details on how to configure opentaps users and permissions, refer to the wiki page at http://www.opentaps.org/docs/index.php/Configuring_Users_and_Permissions. The following sections show step by step how to configure IIS 6 and opentaps to support SSO.
This article assumes that you are reasonably familiar with Microsoft Internet Information Services and that you have already installed IIS 6.
To connect IIS to the opentaps Tomcat server, we use the Apache Tomcat Connector, which can be downloaded at http://tomcat.apache.org/connectors-doc/index.html. The Tomcat connector is an IIS ISAPI plug-in that allows IIS to forward JSP and servlet requests to opentaps. In this configuration example, all the Tomcat connector files are stored or created in <OPENTAPS_HOME>\jakarta.
1. Creating the worker file workers.properties
The worker file is used by the Tomcat connector to locate the opentaps Tomcat server. The following example defines a Tomcat connector worker named erpdev, which connects to the opentaps Tomcat server on port 8009 using AJP 1.3. The attribute prefix (worker.erpdev.*) must use exactly the name given in worker.list, otherwise the connector has no usable worker.
worker.list = erpdev
# the prefix of these attributes must match the name in worker.list
worker.erpdev.type = ajp13
worker.erpdev.host = localhost
worker.erpdev.port = 8009
2. Creating the URI worker mapping file uriworkermap.properties
The following URI mappings make IIS forward every HTTP request to the opentaps server except the default home page (default.htm) and anything under the opentaps_images context. A leading ! marks an exclusion, and |/* after a path covers both the path itself and everything below it.
/*=erpdev
!/opentaps_images|/*=erpdev
!/default.htm=erpdev
3. Creating the ISAPI redirect file isapi_redirect.properties
This configuration file tells the Tomcat connector where to find the worker file and the URI worker mapping file that we created in the steps above.
# The Path to the ISAPI Redirector Extension, Relative to the website.
# This must be in a virtual directory with execute privileges
extension_uri=/jakarta/isapi_redirect.dll
# Full Path to the Log File for the ISAPI Redirector
log_file=C:\Progra~1\openta~1\runtime\logs\isapi_redirect.log
# Log Level (debug, info, warn, error or trace)
log_level=DEBUG
# Full Path to the workers.properties File
worker_file=c:\Progra~1\openta~1\jakarta\workers.properties
# Full Path to the uriworkermap.properties File
worker_mount_file=c:\Progra~1\openta~1\jakarta\uriworkermap.properties
# Re-read the URI worker mapping file every 300 seconds
worker_mount_reload=300
# Reject URIs containing unsafe characters such as '%' or '\'
reject_unsafe=1
# Strip the ;jsessionid path parameter from URIs that are not forwarded to Tomcat
strip_session=1
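Because the three files in steps 1 to 3 only work when the worker name in worker.list, the worker.&lt;name&gt;.* attributes and the targets in uriworkermap.properties all agree, the following added example (not part of the original article or of the Tomcat connector) checks that agreement offline. The sample inputs are constructed: the worker file deliberately lists erpdev while its attributes define erp, the kind of typo that leaves the connector without a usable worker.

```python
# Consistency check for mod_jk worker files as loaded by the IIS ISAPI redirector.
# WORKERS_MISMATCHED is a constructed sample: worker.list names "erpdev" while the
# attributes define "erp", so no listed worker has a type, host or port.
WORKERS_MISMATCHED = """
worker.list = erpdev
worker.erp.type = ajp13
worker.erp.host = localhost
worker.erp.port = 8009
"""
URIWORKERMAP = """
/*=erpdev
!/opentaps_images|/*=erpdev
!/default.htm=erpdev
"""

def parse_properties(text):
    """Parse key=value lines; blank lines and '#' comments are ignored."""
    props = {}
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#"):
            key, _, value = line.partition("=")
            props[key.strip()] = value.strip()
    return props

def parse_uriworkermap(text):
    """Return (uri, worker, is_exclusion) triples. A leading '!' marks an exclusion
    and a trailing '|/*' stands for both the path itself and everything below it."""
    rules = []
    for key, worker in parse_properties(text).items():
        uri = key.lstrip("!")
        paths = [uri[:-3], uri[:-3] + "/*"] if uri.endswith("|/*") else [uri]
        rules.extend((p, worker, key.startswith("!")) for p in paths)
    return rules

def check_workers(workers_text, uriworkermap_text):
    """Return the problems found; an empty list means worker file and URI map agree."""
    props = parse_properties(workers_text)
    listed = [w.strip() for w in props.get("worker.list", "").split(",") if w.strip()]
    defined = {k.split(".")[1] for k in props if k.startswith("worker.") and k != "worker.list"}
    problems = []
    for w in listed:
        if f"worker.{w}.type" not in props:
            problems.append(f"worker.list names '{w}' but worker.{w}.type is not set")
    for w in sorted(defined - set(listed)):
        problems.append(f"attributes are defined for '{w}' but it is not in worker.list")
    for uri, worker, _ in parse_uriworkermap(uriworkermap_text):
        if worker not in listed:
            problems.append(f"uriworkermap sends {uri} to unlisted worker '{worker}'")
    return problems
```

Run check_workers on the real files before restarting IIS; the same check catches a uriworkermap entry that points at a worker the worker file never defines.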
4. Configuring ISAPI Redirector
In this step, we configure IIS to use the ISAPI filter to redirect the opentaps requests.
- Open the Internet Information Services Manager.
- Expand the local computer entry until you see the default Web site.
- Right-click on the default Web site and select Virtual Directory from the New menu.
- Select the Next button and enter the value jakarta in the Alias text box.
- Browse to the directory containing the isapi_redirect.dll file, which in our case should be <OPENTAPS_HOME>/jakarta/, and select the Next button.
- Make sure that you have the permissions set to read, run, and execute.
- Continue through the Virtual Directory Wizard until you select the Finish button at the end.
- Finally, add the ISAPI Redirector to the default Web site: right-click on the default Web site and select Properties.
- Select the ISAPI Filters tab and press the Add button.
- Enter the filter name mod_jk and browse to select the isapi_redirect.dll file.
- Press the OK button until you are back at the Internet Information Services Manager main screen.
In this SSO solution, the default Web site is configured to use Integrated Windows Authentication, so that only authenticated Windows users can reach the opentaps server. IIS lets authenticated requests through and adds the user ID to them before the Tomcat connector redirects them to the opentaps server. We must then turn off the opentaps Tomcat server's own authentication so that the opentaps application can read the remote user ID from the forwarded requests and use it to populate the opentaps user login context. This is done by setting the property tomcatAuthentication to false in the ajp-connector section of framework/base/config/ofbiz-containers.xml, as shown below. Note that with this setting Tomcat trusts whatever user ID arrives over the AJP connection, so port 8009 must be reachable only from the IIS host (bind it to the loopback address or restrict it with the host firewall) rather than from the whole network.
<property name="ajp-connector" value="connector">
    <!-- see http://jakarta.apache.org/tomcat/tomcat-5.5-doc/config/ajp.html for reference -->
    <property name="allowTrace" value="false"/>
    <property name="emptySessionPath" value="false"/>
    <property name="enableLookups" value="false"/>
    <property name="maxPostSize" value="2097152"/>
    <property name="protocol" value="AJP/1.3"/>
    <property name="proxyName" value=""/>
    <property name="proxyPort" value=""/>
    <property name="redirectPort" value=""/>
    <property name="scheme" value="http"/>
    <property name="secure" value="false"/>
    <property name="URIEncoding" value="UTF-8"/>
    <property name="useBodyEncodingForURI" value="false"/>
    <property name="xpoweredBy" value="true"/>
    <!-- AJP/13 connector attributes -->
    <!-- 0.0.0.0 listens on every interface; with tomcatAuthentication off, make sure only the IIS host can reach this port -->
    <property name="address" value="0.0.0.0"/>
    <property name="backlog" value="10"/>
    <property name="maxSpareThreads" value="50"/>
    <property name="maxThreads" value="200"/>
    <property name="minSpareThreads" value="4"/>
    <property name="port" value="8009"/>
    <property name="tcpNoDelay" value="true"/>
    <property name="soTimeout" value="60000"/>
    <!-- false: accept the remote user ID supplied by IIS over AJP instead of authenticating in Tomcat -->
    <property name="tomcatAuthentication" value="false"/>
</property>
Finally, we need to set the property password.accept.encrypted.and.plain to true in framework\security\config\security.properties. This allows requests carrying a remote user ID to pass through the opentaps security system.