Enabling third party authentication and single sign-on (SSO) in Inspector

This procedure describes how to enable third party authentication for MDM Inspector.

About this task

To enable third party authentication for MDM Inspector, you must make the following configuration changes.

Note: MDM Inspector uses the MDM operational server for authentication. Therefore, to enable SSO for MDM Inspector, you must also follow the steps in Enabling third party authentication and single sign-on (SSO), which enable SSO for the MDM operational server itself.
Important: When you apply an InfoSphere® MDM feature pack upgrade, your third party authentication configuration is reverted. Repeat this procedure to reconfigure third party authentication.

Procedure

  1. Go to the inspector\WebContent\WEB-INF\ directory and open the web.xml file in a text editor.
  2. Add the following lines to create an allowlist named whitelist. Replace the <HOSTn> placeholders with the third party authentication URLs:
    <init-param>
        <param-name>whitelist</param-name>
        <param-value><HOST1>,<HOST2></param-value>
    </init-param>

    For example, for the Google TAI host:
    <init-param>
        <param-name>whitelist</param-name>
        <param-value>https://accounts.google.co.in</param-value>
    </init-param>

  3. Add the same <init-param> lines to the web.xml files found at the following locations within the WebSphere® Application Server profile home directory:
    • <WAS_PROFILE>/config/cells/<CELL_NAME>/applications/inspector-<INSTANCE_NAME>.ear/deployments/inspector-<INSTANCE_NAME>/inspector.war/WEB-INF/web.xml
    • <WAS_PROFILE>/installedApps/<CELL_NAME>/inspector-<INSTANCE_NAME>.ear/inspector.war/WEB-INF/web.xml
    • <WAS_PROFILE>/wstemp/<RANDOM_NUMBER>/workspace/cells/<CELL_NAME>/applications/inspector-<INSTANCE_NAME>.ear/deployments/inspector-<INSTANCE_NAME>/inspector.war/WEB-INF/web.xml
      Tip: If you cannot locate this third file, delete the <WAS_PROFILE>/wstemp folder instead.
  4. From the <WAS_PROFILE> directory, run the following command:
    grep -r "<HOSTn>" *
    Confirm that every web.xml file that the command lists includes the correct allowlist value.
  5. Restart the application server to apply the changes.
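As an added verification for step 4 (example code, not part of the IBM documentation or the product), the following parses a web.xml instead of grepping it, extracts the whitelist init-param and checks that every entry is a bare https origin for an expected host. The sample web.xml is constructed here, and placing the init-param inside a servlet element is an assumption.

```python
import xml.etree.ElementTree as ET
from urllib.parse import urlsplit
def _local(tag):
    # Strip the XML namespace so matching works with or without a default xmlns.
    return tag.rsplit("}", 1)[-1]

def extract_allowlist(web_xml_text):
    """Return the entries of the init-param named 'whitelist', or [] if absent."""
    root = ET.fromstring(web_xml_text)
    for ip in root.iter():
        if _local(ip.tag) != "init-param":
            continue
        name = value = None
        for child in ip:
            if _local(child.tag) == "param-name":
                name = (child.text or "").strip()
            elif _local(child.tag) == "param-value":
                value = (child.text or "").strip()
        if name == "whitelist" and value:
            return [v.strip() for v in value.split(",") if v.strip()]
    return []

def check_allowlist(entries, expected_hosts):
    """Return findings; empty means every entry is an https origin of an expected host."""
    findings, seen = [], set()
    for e in entries:
        u = urlsplit(e)
        if u.scheme != "https":
            findings.append(f"{e}: not https")
        if u.path not in ("", "/") or u.query or u.fragment:
            findings.append(f"{e}: has a path or query, expected a bare origin")
        if u.hostname not in expected_hosts:
            findings.append(f"{e}: host not in expected set")
        seen.add(u.hostname)
    for h in sorted(expected_hosts - seen):
        findings.append(f"{h}: expected host missing from allowlist")
    return findings

# Constructed sample web.xml (init-param inside a servlet is assumed): one good entry, one bad.
SAMPLE_WEB_XML = """<web-app xmlns="http://java.sun.com/xml/ns/javaee" version="2.5">
  <servlet>
    <servlet-name>inspector</servlet-name>
    <init-param>
      <param-name>whitelist</param-name>
      <param-value>https://accounts.google.co.in, http://sso.example.test/login</param-value>
    </init-param>
  </servlet>
</web-app>
"""
```

Run it against each of the three web.xml copies listed in step 3 so that a stale copy under wstemp cannot keep an old allowlist alive.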

Results

After completing these steps, third party authentication is enabled.

Note: If you are using ISAM instead of Google OpenID, you might see the following error, which is caused by a missing JEE security role in the web.xml and application.xml files:
com.ibm.websphere.wim.exception.PasswordCheckFailedException: CWWIM4529E The password verification for the 'mpctest101' principal name failed. Root cause: 'javax.naming.AuthenticationException:[LDAP: error code 49 - 80090308: LdapErr: DSID-0C09042A, comment: AcceptSecurityContext error, data 52e, v3839^@]

To resolve this issue, edit both web.xml and application.xml to add the required security parameters:

  1. Update web.xml so that it contains the following security constraint, login configuration, and security role elements:
    <security-constraint>
        <web-resource-collection>
            <web-resource-name>SSL</web-resource-name>
            <url-pattern>/*</url-pattern>
        </web-resource-collection>
        <auth-constraint id="AuthConstraint_1">
            <description>All Authenticated users</description>
            <role-name>All Role</role-name>
        </auth-constraint>
        <user-data-constraint>
            <transport-guarantee>CONFIDENTIAL</transport-guarantee>
        </user-data-constraint>
    </security-constraint>
    <security-constraint>
        <display-name>restrict http methods</display-name>
        <web-resource-collection>
            <web-resource-name>restricted methods</web-resource-name>
            <url-pattern>/*</url-pattern>
            <http-method>TRACE</http-method>
        </web-resource-collection>
        <auth-constraint id="AuthConstraint_2">
            <description>All Authenticated users</description>
            <role-name>All Role</role-name>
        </auth-constraint>
    </security-constraint>
    <login-config>
        <auth-method>FORM</auth-method>
        <form-login-config>
            <form-login-page>/common/login.ihtml</form-login-page>
        </form-login-config>
    </login-config>
    <security-role id="SecurityRole_1">
        <description>All Authenticated Users Role.</description>
        <role-name>All Role</role-name>
    </security-role>
  2. Update application.xml so that it declares the same security role:
    <application xmlns="http://java.sun.com/xml/ns/javaee" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" id="Inspector" version="5" xsi:schemaLocation="http://java.sun.com/xml/ns/javaee http://java.sun.com/xml/ns/javaee/application_5.xsd">
        <display-name>Inspector</display-name>
        <module id="Module_1334727512382">
            <web>
                <web-uri>inspector.war</web-uri>
                <context-root>inspector</context-root>
            </web>
        </module>
        <security-role id="SecurityRole_1183122147906">
            <description>All Authenticated users role.</description>
            <role-name>All Role</role-name>
        </security-role>
    </application>
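To confirm the two edits above are consistent before restarting the server, this added example (not IBM code) checks that every role referenced by an auth-constraint in web.xml is declared as a security-role in both web.xml and application.xml, the gap the note above attributes the ISAM error to. The broken and repaired descriptor fragments are constructed here.

```python
import xml.etree.ElementTree as ET

def _local(tag):
    # Strip the XML namespace so matching works with or without a default xmlns.
    return tag.rsplit("}", 1)[-1]

def _role_names(root, parent_name):
    """Collect <role-name> text under every element whose local name is parent_name."""
    names = set()
    for el in root.iter():
        if _local(el.tag) == parent_name:
            for child in el:
                if _local(child.tag) == "role-name" and child.text:
                    names.add(child.text.strip())
    return names

def check_roles(web_xml_text, application_xml_text):
    """Return findings; empty means every auth-constraint role is declared in both files."""
    web = ET.fromstring(web_xml_text)
    app = ET.fromstring(application_xml_text)
    used = _role_names(web, "auth-constraint")
    findings = []
    if not used:
        findings.append("web.xml: no auth-constraint found, so no resource requires a role")
    for r in sorted(used - _role_names(web, "security-role")):
        findings.append(f"web.xml: role '{r}' is used in auth-constraint but not declared")
    for r in sorted(used - _role_names(app, "security-role")):
        findings.append(f"application.xml: role '{r}' is not declared as a security-role")
    return findings

# Constructed samples: the broken state (role used but never declared) and the repaired one.
BROKEN_WEB_XML = """<web-app xmlns="http://java.sun.com/xml/ns/javaee" version="2.5">
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>SSL</web-resource-name><url-pattern>/*</url-pattern>
    </web-resource-collection>
    <auth-constraint><role-name>All Role</role-name></auth-constraint>
  </security-constraint>
</web-app>"""
FIXED_WEB_XML = BROKEN_WEB_XML.replace(
    "</web-app>", "  <security-role><role-name>All Role</role-name></security-role>\n</web-app>")
BROKEN_APP_XML = """<application xmlns="http://java.sun.com/xml/ns/javaee" version="5">
  <display-name>Inspector</display-name>
</application>"""
FIXED_APP_XML = BROKEN_APP_XML.replace(
    "</application>", "  <security-role><role-name>All Role</role-name></security-role>\n</application>")
```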