IBM Support

What is necessary to implement Single Sign-On (SSO) over IBM TRIRIGA product?

Question & Answer


Question

What is necessary to implement Single Sign-On (SSO) over IBM TRIRIGA product?

Cause

You need to configure SSO for the IBM TRIRIGA product.

Answer

For the purpose of this document, SSO refers to Single Sign On, meaning a single set of credentials stored in a directory server. References to SSO in this document DO NOT refer to Seamless Sign On, where a user is not challenged for their credentials once they have authenticated to the network. Some aspects of TRIRIGA may not be compatible with seamless sign on even if it is configured. Functionality using applets (for example, CAD Integrator) may continue to challenge for credentials. Seamless sign on and Secure Sockets Layer (SSL) are technologies unrelated to the TRIRIGA product and are configured at a layer prior to accessing TRIRIGA.


IBM TRIRIGA is compatible with Single Sign On (SSO) when SSO has been configured properly. For IBM TRIRIGA support, Single Sign On (SSO) refers to the ability to have a single set of credentials that use a directory server for multiple applications. By definition, SSO is not the same as Seamless Sign On, which may not challenge a user for credentials during the access process.

This is the checklist to follow when implementing SSO for your IBM TRIRIGA solution:

S01) Configure your Web Server, Application Server and Authentication Security product for SSO. This step is outside the scope of IBM TRIRIGA Support; contact your system administrator or third-party vendor support for it. It comprises:

a) Make sure you have all the details for connecting to your Directory Server, where the domain and profile user database is located. You need this connection information to configure your Web Server, Application Server and Authentication Security product in the steps that follow;

b) Configure your Web Server, Application Server and Authentication Security product to challenge the Internet Browser session for the required credential information (user name & password, OS login pop-up window). When the credential is entered, it is checked against the Directory Server, and if the credential is valid, these components need to create a valid token and update the HTTP header, filling in the user name, using one of the available supported methods: Remote User, User Principal or HTTP Header. For more information, see: Requirements for single sign-on requests in the TRIRIGA Application Platform

c) Confirm which method of inserting the user name into the HTTP header you have in place by using the SSO troubleshooting URL http://<frontEndServer.mycompany.com>/<tririga-context>/html/en/default/admin/requestTest.jsp (replace the host name, port and context in this URL according to the specifics of your system). For more information on how to interpret the output of this URL and act on it in the next steps, see this IBM Wiki page: Troubleshooting SSO

d) Configure the SSO properties in the TRIRIGAWEB.properties file of IBM TRIRIGA, based on the output you get from step (c) above. For more information on the SSO properties available for TRIRIGA, please read this IBM Wiki page: IBM® TRIRIGA® single sign-on properties

e) Make sure the user name in the HTTP request header exactly matches the user name that is stored in the IBM TRIRIGA database. When configured properly, IBM TRIRIGA reads the user name from the HTTP request header and internally authenticates it against the IBM TRIRIGA database. In other words, you need to create the user and set up its profile & security before using SSO authentication for it. A good check before using SSO for this user is to log in natively to IBM TRIRIGA with the same user (without SSO in place), making sure the login works even before SSO is used.
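The following pre-flight check for steps (b) and (e) is an added example, not IBM code: it resolves the user name that each supported method (Remote User, User Principal, HTTP Header) would deliver and reports why it does or does not exactly match a TRIRIGA user name. The request dictionary layout, the header name `X-SSO-User`, the user list and all function names are constructed for illustration and do not reflect the actual output format of requestTest.jsp.

```python
"""Pre-flight check: does the user name injected by the front end match a
TRIRIGA user name exactly? All names and sample data here are constructed."""

# Constructed sample of what the front end delivers for one browser session.
SAMPLE_REQUEST = {
    "remote_user": "CORP\\jsmith",
    "user_principal": "jsmith@corp.example",
    "headers": {"X-SSO-User": "JSmith"},
}
# Constructed sample of user names already created in the TRIRIGA database.
TRIRIGA_USERS = {"jsmith", "mlee"}


def resolve_username(request, method, header_name=None):
    """Return the user name the given method would deliver, or None."""
    if method in ("remote_user", "user_principal"):
        return request.get(method)
    if method == "http_header":
        # HTTP header names are case-insensitive, so compare in lower case.
        headers = {k.lower(): v for k, v in request.get("headers", {}).items()}
        return headers.get((header_name or "").lower())
    raise ValueError(f"unsupported method: {method}")


def diagnose(delivered, tririga_users):
    """Classify why a delivered name does or does not match exactly."""
    if not delivered:
        return "missing"
    if delivered in tririga_users:
        return "exact-match"
    if delivered.strip() in tririga_users:
        return "whitespace"
    # Strip a DOMAIN\user prefix or a user@realm suffix before comparing.
    bare = delivered.split("\\")[-1].split("@")[0]
    if bare in tririga_users:
        return "domain-qualified"
    lowered = {u.lower() for u in tririga_users}
    if delivered.lower() in lowered or bare.lower() in lowered:
        return "case-differs"
    return "no-such-user"


def preflight(request, method, users, header_name=None):
    """Return (delivered name, verdict) for one supported method."""
    name = resolve_username(request, method, header_name)
    return name, diagnose(name, users)
```

Any verdict other than `exact-match` means the name in the request does not yet match the TRIRIGA user record as step (e) requires.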

Other considerations about SSO configuration follow:

i. If you are using a web server to provide the authentication portion, disable the HTTP port on the application server after the web server configuration completes. Keeping the application server's HTTP port open might create a vulnerability point. If the HTTP port is not disabled and the user goes to that port, the user is prompted for their credentials and the user name and password are verified in the IBM TRIRIGA database.

ii. For TRIRIGA® CAD Integrator/Publisher and the IBM® TRIRIGA reservation add-in for Microsoft Outlook, you must make sure that your environment provides a mechanism for basic authentication. Most SSO solutions provide a way for non-browser clients to authenticate by using basic authentication or NTLM authentication. See your SSO provider documentation for the proper authentication configuration.

iii. IBM TRIRIGA is compatible with SSO when SSO is configured properly. After the appropriate IBM TRIRIGA properties are enabled for SSO, IBM TRIRIGA can accept tokens that are provided by properly configured application servers with SSO. IBM Support can assist with configuring IBM TRIRIGA properties for SSO. However, due to the number of supported products, technologies, and configurations that are supported by IBM TRIRIGA, IBM Support cannot help with the configuration of SSO within your environment.

For more information about SSO, please read the following IBM Wiki pages:

SSO

SSO Compatibility

Requirements for single sign-on requests in the TRIRIGA Application Platform


Document Information

Modified date:
30 March 2022

UID

swg21980597