12 Replies Latest reply on Mar 1, 2018 5:53 AM by BKallweit

    SSO Configuration for ISM

    Sapsan Apprentice

      Hi community,

      Could you please explain to me the best way to implement SSO for ISM?

      I've a simple case for my customer to show SSO authorization only in ISM.

      I've a demo server with ISM based on Windows 2008 R2 Server and Windows Domain Controller.

      I need to log in to the demo server's ISM via my domain account and start ISM without any other authorisation.

      What is the best way to configure and set the params?

      Do you know how to implement SSO in a Windows environment?

        • 1. Re: SSO Configuration for ISM
          avivaldi Apprentice

          I find this article very useful:


          How to configure dual login into HEAT: SSO internally and form authentication externally


          Obviously you have to set the SSO configuration for all the users: flag the

          • 2. Re: SSO Configuration for ISM
            Sapsan Apprentice

            Thanks for your reply!

            I'll check it later.

            • 3. Re: SSO Configuration for ISM
              avivaldi Apprentice

              Also check the internet option about "user authentication" to permit (or not) automatic login in your browser with your Windows credentials.

              • 4. Re: SSO Configuration for ISM
                Sapsan Apprentice

                During installation some parameters and configurable settings are present in the System Configuration Wizard (like SSL and Domain Name).

                I installed ISM without SSL and use only an HTTP connection.

                After my server joins the domain, do I also need to reconfigure ISM via the System Configuration Wizard for SSO operation?

                Or do I just need to configure parameters in ISM directly?

                • 5. Re: SSO Configuration for ISM
                  Sapsan Apprentice

                  I followed the instructions described above, but unfortunately SSO didn't let me in.

                  I use the Firefox and Chrome browsers to log in.

                  Via Chrome I get a message like:

                  Authentication
                  Saml Request validation
                  SamlRequest
                  Post Url
                  Auto Provisioning
                  SamlResponse signature
                  SamlResponse

                  And in Firefox I get a stuck browser window.


                  My application server is not in the domain, but all of the instruction steps were completed.

                  And now http://myservername/HEAT redirects to http://myservername/HEAT/WIS and I'm not able to log in to the system.

                  What should be done to set up SSO properly?

                  • 6. Re: SSO Configuration for ISM
                    Sapsan Apprentice

                    I assume the problem is with the certificate, because my setting for Authentication Providers does not contain a certificate.

                    Please explain how to create a certificate for external user authorisation.

                    • 7. Re: SSO Configuration for ISM
                      BKallweit Apprentice

                      For SSO to work you would need your Heat to connect to your AD.

                      I never tried a domain-less setup for Heat; typically, the Heat server is a member of a domain, and preferably (though probably not necessarily) your Heat processes and app pools run with a domain account. Next thing I typically do is prepare an LDAP import to load AD users into Heat. The import process will (among other things) set up an appropriate Authentication Provider and as a result users can log in to Heat using their domain user name and domain password. You wouldn't want to maintain this data in Heat, I suggest.

                      This is not quite SSO. You can then define an additional Authentication Provider for WIS (and make it default), which will log in users automatically to Heat provided they are already authenticated to the domain. There might be a few things to configure in your browser for this to work.


                      Please have a look at the documentation, which explains all this in detail!

                      • 8. Re: SSO Configuration for ISM
                        Sapsan Apprentice

                        Well, it seems to me that I need to:

                        1. Join my application server to the domain

                        2. Find out somewhere how to create the correct certificate for external authorisation

                        3. Check login via WIS

                        Right now I just get an error like:

                        Authentication
                        Authentication succeeded
                        Domain: MyServerName
                        Authenticated user: MyServerName\Administrator
                        Saml Request validation
                        Received an authentication request
                        Authentication request validated successfully
                        SamlRequest
                        Post Url
                        http://localhost/HEAT/handlers/sso/SamlAssertionConsumerHandler.ashx
                        Auto Provisioning
                        Auto Provisioning is disabled.
                        SamlResponse signature
                        Failed to sign the SamlResponse
                        To sign the SamlResponse upload certificate and specify its path and password in the Web.config
                        SamlResponse
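As an added example (not from this thread or from HEAT itself), a small Python triage of the SSO diagnostic output pasted above: it groups the page's lines under their section headings, flags the step that failed, and warns when the assertion consumer Post Url is served over plain http, as in the HTTP-only install described earlier. The sample text is constructed from reply 8; the section names and the FAILURE keyword heuristic are assumptions, not HEAT's own API.

```python
import re
from urllib.parse import urlparse

# Constructed sample: the SSO diagnostic output quoted in reply 8 above,
# with the "more..." expanders (collapsed SAML blobs) left out.
SAMPLE = """Authentication
Authentication succeeded
Domain: MyServerName
Authenticated user: MyServerName\\Administrator
Saml Request validation
Received an authentication request
Authentication request validated successfully
SamlRequest
Post Url
http://localhost/HEAT/handlers/sso/SamlAssertionConsumerHandler.ashx
Auto Provisioning
Auto Provisioning is disabled.
SamlResponse signature
Failed to sign the SamlResponse
To sign the SamlResponse upload certificate and specify its path and password in the Web.config
SamlResponse"""

# Section headings exactly as the diagnostic page prints them (assumed fixed).
SECTIONS = ("Authentication", "Saml Request validation", "SamlRequest", "Post Url",
            "Auto Provisioning", "SamlResponse signature", "SamlResponse")
FAILURE = re.compile(r"\b(failed|error|invalid)\b", re.IGNORECASE)

def parse_diagnostics(text):
    """Group the detail lines of the page under their section heading."""
    sections, current = {}, None
    for line in (l.strip() for l in text.splitlines() if l.strip()):
        if line in SECTIONS:                 # an exact heading line, never a detail
            current = line
            sections[current] = []
        elif current is not None:
            sections[current].append(line)
    return sections

def triage(text):
    """Map each section to OK, FAIL, or N/A (only a collapsed blob, nothing to judge)."""
    return {name: "N/A" if not details
            else "FAIL" if any(FAILURE.search(d) for d in details) else "OK"
            for name, details in parse_diagnostics(text).items()}

def post_url_warning(text):
    """Flag an assertion consumer URL served without TLS (the HTTP-only install above)."""
    url = (parse_diagnostics(text).get("Post Url") or [""])[0]
    if urlparse(url).scheme == "http":
        return "Post Url is plain http; SAML responses cross the wire unencrypted: " + url
    return None
```

Run `triage(SAMPLE)` on your own pasted output to see which step blocks SSO; in the sample only "SamlResponse signature" fails, matching the missing signing certificate in Web.config.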

                        • 9. Re: SSO Configuration for ISM
                          BKallweit Apprentice

                          1. Yes, that's probably helpful; I would suggest doing it right away.

                          2. You don't have to deal with any certificates for SSO, Heat uses some SAML code that does all that behind the scenes.

                          3. Don't understand.

                          I'll try in brief:

                          To be able to login to Heat a user needs an account in Heat, perhaps set up using the employee business object. Of course, the account needs a role, like ServiceDesk Analyst, to be able to do anything in Heat.

                          Heat allows for internal authentication, which basically means that Heat stores (and maintains) a userId and a password. The user is authenticated by Heat against the values stored in the Heat database. HeatAdmin is a typical example of such an internal user.

                          Heat allows for external authentication as well; in this case Heat hands the credentials of a user to an authentication provider to have them checked. In most cases this will be a domain controller which you would need to configure.

                          If you do the LDAP import, as I suggested, Heat will create user records for you and link them with the appropriate authentication provider, which it will create as well. The LDAP import will also assign a role to an account.

                          WIS is some kind of add-on to external authentication.

                          In all the external authentication Heat uses certain protocols, like SAML. But this is transparent to you.

                          Please, work this through with your implementation partner!

                          • 10. Re: SSO Configuration for ISM
                            Sapsan Apprentice

                            Many thanks for your response!

                            I'm going to check my environment and log in via WIS.

                            • 11. Re: SSO Configuration for ISM
                              Sapsan Apprentice

                              Bernd, thanks for your help.

                              I've completely finished setting up SSO; everything is going well with authorisation.

                              Finally I would like to know one last thing.

                              Is it possible to set up a session timeout for the user?

                              For example, a user logs in with SSO and after 5 minutes there is no activity from them. ISM needs to kick out the user by timeout. How could it be possible?

                              • 12. Re: SSO Configuration for ISM
                                BKallweit Apprentice

                                Sapsan,


                                you can set the session timeout in the AdminUI (click on the Configure Application link top right when logged in as Admin) under Configure -> Security and Session. You may find a 5 minute timeout a bit restrictive, perhaps 30 minutes is a more reasonable approach. But you'll find out yourself.


                                Good Luck!