Single Sign On
Single sign-on allows users to login once to a software application and gain access to multiple software systems without being prompted to login again. If you configure single sign-on for your Content Management System (CMS) or any other pages you add, users of your geoportal will only need to login one time to access all the single sign-on enabled applications.
Note: The instructions provided below are suggestions according to how SSO was configured during testing. Your organization may require a different procedure depending on your servlet container software, other applications using SSO, security policies and other considerations.
Tomcat LDAP and Single Sign-On Configuration Instructions
This single sign-on configuration is tested against Tomcat 5.5.17, and assumes that you have already configured users through LDAP, as per the geoportal installation guide. If you have set up LDAP, then proceed with the following steps to enable single sign-on. You will need to make changes to both your Tomcat server.xml file and your geoportal web application configuration file.
Modify the Tomcat server.xml File
- Navigate to the <TOMCAT>\conf folder and open the server.xml file in a text editor.
- Find the section where the <Realm> elements are defined. This can be under the <Engine></Engine> element or the <Host> element; where you define realms depends on the other web applications you deploy on the same server, which are not necessarily related to the geoportal. In the following example, we place the <Realm> element within <Host></Host>. If your realms are defined under the <Engine></Engine> element, replace all references to <Host></Host> with <Engine></Engine> in the instructions that follow. For more information, please refer to the Apache Tomcat documentation.
- Paste the following <realm> element in the <host> section. Make sure to change the values of the attributes to match your LDAP settings. The attributes are described below. The example shows typical settings for Apache Directory Server.
- connectionName: LDAP administrator connection distinguished name.
- connectionPassword: LDAP administrator connection password
- connectionURL: LDAP connection URL
- roleBase: element that is the base of the search for matching roles. The example below is defining a structure where "groups" are defined under "system" in the active directory tree.
- roleName: attribute name of the role/group. Default: cn
- roleSearch: an expression used to search for role/group elements in the roleBase context. The search will find those roles/groups that contain a given username, with {0} being a placeholder for the username.
- userPattern: The pattern of the distinguished name for users.
<Realm
  className="org.apache.catalina.realm.JNDIRealm"
  connectionName="uid=admin,ou=system"
  connectionPassword="password"
  connectionURL="ldap://myServer:10389"
  debug="99"
  roleBase="ou=groups,ou=system"
  roleName="cn"
  roleSearch="(uniquemember={0})"
  userPattern="cn={0},ou=users,ou=system"/>
- Paste the following <valve> element also within the <host> section:
<Valve className="org.apache.catalina.authenticator.SingleSignOn" />
- Save the file.
Update the geoportal gpt.xml file
- Activate single sign-on in the gpt.xml file:
- Navigate to the <TOMCAT>\webapps\geoportal\WEB-INF\classes\gpt\config folder and open gpt.xml in a text editor.
- Find the <singleSignOn> element
- Set its "active" attribute to "true", as shown here:
<singleSignOn active="true" ...
- Verify that the searchDIT distinguished name in gpt.xml matches the roleBase distinguished name specified in the Tomcat server.xml <Realm> element you configured earlier. For Apache Directory Server, both could be "ou=groups,ou=system".
- Save the file.
Modify the web.xml File
- Navigate to <TOMCAT>\webapps\geoportal\WEB-INF and open web.xml in a text editor.
- Insert the following <security-constraint> snippet in web.xml, right before the closing web-app tag:
<security-constraint>
  <web-resource-collection>
    <web-resource-name>login</web-resource-name>
    <description>login</description>
    <url-pattern>/catalog/identity/login.page</url-pattern>
    <http-method>GET</http-method>
    <http-method>POST</http-method>
  </web-resource-collection>
  <auth-constraint>
    <description>These are the roles who have access</description>
    <role-name>gpt_administrators</role-name>
    <role-name>gpt_publishers</role-name>
    <role-name>gpt_registeredUsers</role-name>
  </auth-constraint>
</security-constraint>
<login-config>
  <auth-method>FORM</auth-method>
  <realm-name>Restricted content</realm-name>
  <form-login-config>
    <form-login-page>/catalog/identity/loginJsc.page</form-login-page>
    <form-error-page>/catalog/identity/loginJsc.page?error=true</form-error-page>
  </form-login-config>
</login-config>
- Also insert the following <security-role> block in web.xml:
<security-role>
  <role-name>gpt_administrators</role-name>
</security-role>
<security-role>
  <role-name>gpt_publishers</role-name>
</security-role>
<security-role>
  <role-name>gpt_registeredUsers</role-name>
</security-role>
- Save the file and close it.
- Restart Tomcat.
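The steps above leave three files that have to agree with each other: server.xml (JNDIRealm plus SingleSignOn valve), gpt.xml (singleSignOn active, group search DN equal to roleBase) and web.xml (login.page constrained to roles that are also declared as security-roles). A mismatch in any of them typically shows up only as a failed login, so the following added example, which is not part of this wiki page or of the Geoportal Server project, parses the three files and reports each inconsistency. The gpt.xml fragment it uses is constructed: the element name ldapGroupProperties and the attribute groupSearchDIT are assumptions, so adjust the "group"/"searchDIT" matching to the element your gpt.xml actually uses. DN comparison is normalised for case and whitespace, so "OU=Groups, OU=System" and "ou=groups,ou=system" are treated as equal.

```python
"""Consistency checks for a Tomcat + Geoportal single sign-on setup.

Parses server.xml, gpt.xml and web.xml and reports the mismatches the
procedure asks you to verify by hand. All sample XML below is constructed
for this example; gpt.xml element/attribute names are assumptions.
"""
import xml.etree.ElementTree as ET

LOGIN_PAGE = "/catalog/identity/login.page"


def normalize_dn(dn):
    """Canonicalise an LDAP DN for comparison: lower-case, no whitespace
    around '=' and ','. RDN order is kept (it is significant)."""
    parts = []
    for rdn in dn.split(","):
        attr, _, value = rdn.partition("=")
        parts.append(f"{attr.strip().lower()}={value.strip().lower()}")
    return ",".join(parts)


def local(tag):
    """Strip an XML namespace prefix: '{ns}tag' -> 'tag' (web.xml is namespaced)."""
    return tag.rsplit("}", 1)[-1]


def check_sso(server_xml, gpt_xml, web_xml):
    """Return a list of findings; an empty list means every check passed."""
    findings = []
    server, gpt, web = (ET.fromstring(x) for x in (server_xml, gpt_xml, web_xml))

    # server.xml: a JNDIRealm and the SingleSignOn valve must both be present
    realms = [e for e in server.iter("Realm") if e.get("className", "").endswith("JNDIRealm")]
    role_base = realms[0].get("roleBase") if realms else None
    if not realms:
        findings.append("server.xml: no JNDIRealm defined")
    if not any(e.get("className", "").endswith("SingleSignOn") for e in server.iter("Valve")):
        findings.append("server.xml: SingleSignOn valve missing")

    # gpt.xml: SSO switched on, and the group search DN equal to roleBase
    sso = next((e for e in gpt.iter() if local(e.tag) == "singleSignOn"), None)
    if sso is None or sso.get("active", "").lower() != "true":
        findings.append('gpt.xml: <singleSignOn active="true"> not set')
    search_dits = [v for e in gpt.iter() if "group" in local(e.tag).lower()
                   for k, v in e.attrib.items() if k.lower().endswith("searchdit")]
    if not search_dits:
        findings.append("gpt.xml: no group searchDIT attribute found")
    elif role_base is not None and normalize_dn(search_dits[0]) != normalize_dn(role_base):
        findings.append(f"gpt.xml searchDIT {search_dits[0]!r} != server.xml roleBase {role_base!r}")

    # web.xml: login.page must be constrained, and every constrained role declared
    constrained = set()
    for sc in (e for e in web.iter() if local(e.tag) == "security-constraint"):
        patterns = {p.text.strip() for p in sc.iter() if local(p.tag) == "url-pattern"}
        if LOGIN_PAGE in patterns:
            constrained.update(r.text.strip() for r in sc.iter() if local(r.tag) == "role-name")
    if not constrained:
        findings.append(f"web.xml: {LOGIN_PAGE} has no <auth-constraint> roles")
    declared = {r.text.strip() for sr in web.iter() if local(sr.tag) == "security-role"
                for r in sr.iter() if local(r.tag) == "role-name"}
    for role in sorted(constrained - declared):
        findings.append(f"web.xml: role {role!r} used in auth-constraint but not declared as <security-role>")
    if not any(local(e.tag) == "login-config" for e in web.iter()):
        findings.append("web.xml: no <login-config>")
    return findings


# Constructed sample configuration (values are placeholders, not a real site)
SERVER_XML = """<Server><Service><Engine><Host name="localhost">
<Realm className="org.apache.catalina.realm.JNDIRealm" connectionName="uid=admin,ou=system"
  connectionPassword="CHANGE-ME" connectionURL="ldap://myServer:10389" roleBase="ou=groups,ou=system"
  roleName="cn" roleSearch="(uniquemember={0})" userPattern="cn={0},ou=users,ou=system"/>
<Valve className="org.apache.catalina.authenticator.SingleSignOn"/>
</Host></Engine></Service></Server>"""

GPT_XML_OK = """<gptConfig><ldapAdapter><singleSignOn active="true"/>
<ldapGroupProperties groupSearchDIT="OU=Groups, OU=System"/></ldapAdapter></gptConfig>"""

GPT_XML_BAD = """<gptConfig><ldapAdapter><singleSignOn active="false"/>
<ldapGroupProperties groupSearchDIT="ou=roles,ou=system"/></ldapAdapter></gptConfig>"""

_WEB_HEAD = """<web-app xmlns="http://java.sun.com/xml/ns/javaee">
<security-constraint><web-resource-collection><web-resource-name>login</web-resource-name>
<url-pattern>/catalog/identity/login.page</url-pattern><http-method>GET</http-method><http-method>POST</http-method>
</web-resource-collection><auth-constraint><role-name>gpt_administrators</role-name>
<role-name>gpt_publishers</role-name><role-name>gpt_registeredUsers</role-name></auth-constraint></security-constraint>
<login-config><auth-method>FORM</auth-method><realm-name>Restricted content</realm-name></login-config>
<security-role><role-name>gpt_administrators</role-name></security-role>
<security-role><role-name>gpt_publishers</role-name></security-role>"""
WEB_XML_OK = _WEB_HEAD + "<security-role><role-name>gpt_registeredUsers</role-name></security-role></web-app>"
WEB_XML_BAD = _WEB_HEAD + "</web-app>"  # gpt_registeredUsers declaration omitted


if __name__ == "__main__":
    for label, gpt, web in (("good", GPT_XML_OK, WEB_XML_OK), ("bad", GPT_XML_BAD, WEB_XML_BAD)):
        print(label, check_sso(SERVER_XML, gpt, web) or "OK")
```

Run it against your own files by reading them with open(...).read() in place of the constructed strings; the checks are read-only and do not touch LDAP.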
Weblogic LDAP and Single Sign-On Configuration Instructions
This single sign-on configuration is tested against Weblogic 10.3.1, and assumes that you have already configured users through LDAP, as per the geoportal installation guide. This example also assumes that your LDAP is configured with Apache Directory Server. Directions below may need adjustment for other Directory Server vendors. If you have set up LDAP, then proceed with the following steps to enable single sign-on. You will need to make changes from within the Weblogic Administration Console to the security realm. For more detailed information on security realms visit the Weblogic Website.
Create the Security Realm
- Login to the Weblogic Server Administration Console.
- Click Security Realms under the Domain Structure table of contents.
- Select myrealm from the table.
- Click the Providers tab.
- Select New.
- Input the name of the Authentication provider. In this example we will use geoportal as the name.
- Select the Type from the dropdown. In this example for Apache Directory Server, select the LDAP Authenticator. If you are using a different Directory Server vendor, you'll need to select a type that corresponds to that vendor.
- Click Ok. The new provider will be added to the list of authentication providers.
- Once you have completed these steps you will now have to edit the new provider information to match your current LDAP configuration. Click the new provider.
- Select the Provider Specific tab. You will need to update certain fields with information from your LDAP. Fields not mentioned below should be left as their default values. The example shows typical settings for Apache Directory Server:
- User Name Attribute: The attribute of an LDAP user object that specifies the name of the user. default: uid.
- Principal: DN of the LDAP user Weblogic uses to connect to LDAP.
- Propagate Cause for Login Exception: make sure that this is checked.
- Host: The host name or IP address of the LDAP server.
- Use Retrieved User Name as Principal: make sure that this is checked.
- Credential: password used to connect to LDAP server.
- Confirm Credential: confirmation of password.
- Group Base DN: The base distinguished name (DN) of the tree in the LDAP directory that contains groups. Note: write this down for a future step.
- User Base DN: The base distinguished name (DN) of the tree in the LDAP directory that contains users.
- Port: The port number on which the LDAP server is listening.
- Click Save.
Alter the DefaultAuthenticator in myrealm
Weblogic has its own security provider that protects weblogic resources, that provider is called DefaultAuthenticator. You will need to adjust the Control Flag setting of the DefaultAuthenticator.
- Click Security Realms under the Domain Structure table of contents.
- Select myrealm.
- Click the Providers tab.
- Select DefaultAuthenticator.
- Select Sufficient from the Control Flag dropdown.
- Click Save.
Modify the geoportal gpt.xml File
- First, you will activate single sign-on in the gpt.xml file by doing the following:
- Navigate to the \\geoportal\WEB-INF\classes\gpt\config folder and open gpt.xml in a text editor.
- Find the <singleSignOn> element, and set its active attribute to true, as shown here:
<singleSignOn active="true" ...
- Verify that the searchDIT distinguished name in gpt.xml matches the Group Base DN that you entered earlier when configuring the security realm. For Apache Directory Server, both could be ou=groups,ou=system.
- Save the file.
Modify web.xml
- Navigate to the \\geoportal\WEB-INF folder and open the web.xml file in a text editor.
- Insert the following <security-constraint>, <login-config> and <security-role> blocks in web.xml, right before the closing web-app tag:
<security-constraint>
  <web-resource-collection>
    <web-resource-name>login</web-resource-name>
    <description>login</description>
    <url-pattern>/catalog/identity/login.page</url-pattern>
    <http-method>GET</http-method>
    <http-method>POST</http-method>
  </web-resource-collection>
  <auth-constraint>
    <description>These are the roles who have access</description>
    <role-name>gpt_administrators</role-name>
    <role-name>gpt_publishers</role-name>
    <role-name>gpt_registeredUsers</role-name>
  </auth-constraint>
</security-constraint>
<login-config>
  <auth-method>FORM</auth-method>
  <realm-name>myRealm</realm-name>
  <form-login-config>
    <form-login-page>/catalog/identity/loginJsc.page</form-login-page>
    <form-error-page>/catalog/identity/loginJsc.page?error=true</form-error-page>
  </form-login-config>
</login-config>
<security-role>
  <role-name>gpt_administrators</role-name>
</security-role>
<security-role>
  <role-name>gpt_publishers</role-name>
</security-role>
<security-role>
  <role-name>gpt_registeredUsers</role-name>
</security-role>
- Save the file and close it.
- Restart Weblogic.