Authenticating Datacap Web Client users with IBM Security Access Manager
Datacap Web can decode WebSEAL directed headers and use the information that is provided in the headers to authenticate the Datacap user. The extracted identity information is used to retrieve the LDAP group information for that user by using an LDAP directory bind. Complete the following steps to authenticate users who are authenticated in Security Access Manager.
Security Access Manager configuration
For Security Access Manager to be able to pass the user information in the HTTP header, you must configure a path between the WebSEAL server and the IIS server that hosts Datacap Web Server. The WebSEAL server uses the iv-user header value to send the user information. To configure a path between WebSEAL and Datacap Web, type the following command on the WebSEAL side:
server task default-webseald-server create -t tcp -h mywebserver.com -p 80 -c iv-user,iv-groups /junction
Alternatively, you can use an SSL connection to create a secure connection between WebSEAL and Datacap Web by using the pdadmin command and typing the following on the WebSEAL side:
server task default-webseald-server create -f -t ssl -h mywebserver.com -p 443 -c iv-user,iv-groups /junction
where the SSL connection is configured on port 443 on the IIS server that hosts Datacap Web Server.
Datacap Web configuration
Datacap Web integration with WebSEAL requires the use of an LDAP bind. The Datacap LLLDAP plug-in that is used to retrieve the LDAP group information of the user requires the following LDAP information:
- LDAP Server ID and Port Number
- LDAP Bind User ID and Password
- Group Search Filter Name
- Group Base Domain Name (DN)
- User Search Filter Name
- User Base Domain Name (DN)
For example:
Server:389/BindUser:cn=binduser?BindPw:mypassword?ValidateUser:Off?UserBaseDn:cn=mydomain?UserSearchFilter:(&(objectClass=organizationalPerson)(uid=<%user%>))?UserShortNameAttr:cn?UserDisplayNameAttr:uid?GroupBaseDn:cn=mydomain?GroupSearchFilter:(&(objectClass=groupOfNames))?GroupShortNameAttr:cn?GroupDisplayNameAttr:cn?GroupMembershipSearchFilter:(&(objectClass=groupOfNames)(member=<%user%>))
Attention: The ValidateUser:Off parameter directs the LLLDAP plug-in to skip authentication of the user's credentials and move directly to group retrieval. This flag is optional and is not required for WebSEAL integration. If this flag is enabled, it applies to all of the users who are authenticated through the Datacap Server by using LLLDAP.
Datacap Security Access Manager authentication process
Datacap users are authenticated by using the iv-user header value from Security Access Manager instead of a user name and password. The WebSEAL server controls access to the Datacap Web URLs. After the user credentials are successfully authenticated, WebSEAL forwards the Datacap Web URL to the user. The following steps describe the authentication process:
- The Datacap Web aspx page extracts the user identity information from the iv-user value in the HTTP header and passes the user ID to Datacap Server. The Datacap Server processes the user ID and passes it to the Datacap LLLDAP authentication plug-in.
- The Datacap LLLDAP plug-in retrieves the LDAP group information of the user by using the directory information that is listed in the Datacap LLLDAP authentication template.
- After the LDAP group information is retrieved, the Datacap LLLDAP plug-in populates the group list and passes it to the Datacap Server.
- The Datacap Server validates the group list against the Administration database.
- Datacap Web presents the user with the login page with the user ID and password fields greyed out. Only the application and station fields are enabled. After the user selects an application, the application name is matched against the user's groups in the Administration database and the user is presented with the validated workflows.
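As an added illustration (not Datacap's or IBM's code), the following Python parses the LLLDAP template shown in the Datacap Web configuration section and builds the group-membership search filter for the identity taken from the iv-user header, as in the first two steps above. The template string is a constructed copy of the page's example; the RFC 4515 escaping of the header value before it is substituted into the filter is an assumption about how the value should be handled, not a description of the plug-in's internals.

```python
"""Parse a Datacap LLLDAP template and build the group-membership filter
for an iv-user value. Added example; not Datacap's own code."""
from typing import Dict, Tuple

# Constructed copy of the template shown in this document.
TEMPLATE = (
    "Server:389/BindUser:cn=binduser?BindPw:mypassword?ValidateUser:Off"
    "?UserBaseDn:cn=mydomain"
    "?UserSearchFilter:(&(objectClass=organizationalPerson)(uid=<%user%>))"
    "?UserShortNameAttr:cn?UserDisplayNameAttr:uid?GroupBaseDn:cn=mydomain"
    "?GroupSearchFilter:(&(objectClass=groupOfNames))?GroupShortNameAttr:cn"
    "?GroupDisplayNameAttr:cn"
    "?GroupMembershipSearchFilter:(&(objectClass=groupOfNames)(member=<%user%>))"
)

# RFC 4515 escaping for a value placed inside an LDAP search filter, so a
# header-supplied user name cannot change the structure of the filter.
# (Assumed hardening step, not documented plug-in behaviour.)
_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\x00": r"\00"}


def escape_filter_value(value: str) -> str:
    return "".join(_ESCAPES.get(ch, ch) for ch in value)


def parse_template(template: str) -> Dict[str, str]:
    """Split the leading 'Server:...' part from the rest on '/', then the
    remaining 'Key:Value' pairs on '?', each pair on its first ':'."""
    server, _, rest = template.partition("/")
    fields: Dict[str, str] = {}
    for item in [server] + rest.split("?"):
        key, sep, val = item.partition(":")
        if sep:
            fields[key.strip()] = val.strip()
    return fields


def build_filter(fields: Dict[str, str], key: str, user: str) -> str:
    """Substitute the <%user%> placeholder in the named filter with the
    escaped user value."""
    return fields[key].replace("<%user%>", escape_filter_value(user))


def membership_query(template: str, iv_user: str) -> Tuple[str, str]:
    """Return (search base, filter) for the group lookup of an iv-user value."""
    f = parse_template(template)
    return f["GroupBaseDn"], build_filter(f, "GroupMembershipSearchFilter", iv_user)
```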
Switching between Datacap applications
To switch between Datacap applications:
- Click Logout on the Datacap page. The Datacap Login page is displayed with the User ID and Password fields greyed out. Select another Datacap application and enter the Station Number. WebSEAL passes the same iv-user header value to the Datacap Web Login page, where you are authenticated against the selected Datacap application.
Installing the Datacap modules
You must copy the new Datacap DLL files over the existing Datacap installation.
- Copy the new dctmlll.dll file with the LLLDAP changes to the C:\Datacap directory.
- Open a command window and run the following command:
regsvr32 dctmlll.dll
- Copy the new App_Web_edlogin.ascx.cdcab7d2.dll file with the Datacap Web changes to the C:\Datacap\tmweb.net\bin directory.