Enabling third party authentication and single sign-on (SSO) in Inspector

This procedure describes how to enable third party authentication for MDM Inspector.

About this task

To enable third party authentication for MDM Inspector, you must make a number of configuration changes.

Important: When you apply an InfoSphere® MDM feature pack upgrade, your third party authentication configuration will be reverted. Repeat this procedure to reconfigure third party authentication.

Procedure

  1. Go to <WAS_HOME>/AppServer/profiles/<YOUR_APP_SERVER_PROFILE>/InstalledApps/<CELL_NAME>/inspector-<INSTANCE_ID>.ear/inspector.war/WEB-INF/classes.
  2. Open the inspector.properties file in a text editor.
  3. Create or uncomment the property UserRole, and give it a value of mdm_admin.
    UserRole=mdm_admin
  4. Save the inspector.properties file.
  5. Go to the inspector\WebContent\WEB-INF\ directory and open the web.xml file in a text editor.
  6. Add the following lines to create an allowlist named whitelist. Replace the <HOSTn> placeholders with the third party authentication URLs:
    <init-param>
        <param-name>whitelist</param-name>
        <param-value><HOST1>,<HOST2></param-value>
    </init-param>

    For example, for Google TAI HOST:
    <init-param>
        <param-name>whitelist</param-name>
        <param-value>https://accounts.google.co.in</param-value>
    </init-param>

  7. Add the same <init-param> lines to the web.xml files found at the following locations within the WebSphere® Application Server profile home directory:
    • <WAS_PROFILE>/config/cells/<CELL_NAME>/applications/inspector-<INSTANCE_NAME>.ear/deployments/inspector-<INSTANCE_NAME>/inspector.war/WEB-INF/web.xml
    • <WAS_PROFILE>/installedApps/<CELL_NAME>/inspector-<INSTANCE_NAME>.ear/inspector.war/WEB-INF/web.xml
    • <WAS_PROFILE>/wstemp/<RANDOM_NUMBER>/workspace/cells/<CELL_NAME>/applications/inspector-<INSTANCE_NAME>.ear/deployments/inspector-<INSTANCE_NAME>/inspector.war/WEB-INF/web.xml
      Tip: If you cannot locate this third file, delete the <WAS_PROFILE>/wstemp folder instead.
  8. From the <WAS_PROFILE> directory, run the following command:
    grep -r <HOSTn> *
    Make sure that all web.xml files are properly changed to include the correct allowlist value.
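The grep in step 8 only shows that the host string occurs somewhere under the profile; it does not confirm that each copy of web.xml carries a well-formed whitelist init-param with exactly the intended hosts. The following Python script is an added example, not part of the IBM documentation or of the Inspector product: it walks a <WAS_PROFILE> directory, parses every web.xml it finds, and reports copies where the init-param is missing, where the host set differs from the expected one, or where an entry is not a bare https origin (plaintext http, a wildcard, or a path). The three web.xml files it audits are constructed in a temporary directory to mirror the locations listed in step 7; the servlet they declare (com.example.InspectorServlet) and the placement of the init-param inside a <servlet> element are assumptions, since Inspector's real descriptor is not shown on this page.

```python
"""Added example (not from the IBM documentation): audit every web.xml under a
WebSphere profile for the Inspector 'whitelist' init-param.  Sample files are
constructed below so the script runs offline; see build_sample_profile()."""
import os
import tempfile
import xml.etree.ElementTree as ET
from urllib.parse import urlsplit

EXPECTED_HOSTS = {"https://accounts.google.co.in"}   # host from the page's Google example

# Constructed web.xml skeleton; the servlet class and the placement of the
# init-param inside <servlet> are assumptions, not Inspector's real descriptor.
WEB_XML = """<?xml version="1.0" encoding="UTF-8"?>
<web-app xmlns="http://java.sun.com/xml/ns/javaee" version="2.5">
  <servlet>
    <servlet-name>inspector</servlet-name>
    <servlet-class>com.example.InspectorServlet</servlet-class>
    {init_param}
  </servlet>
</web-app>
"""
INIT_PARAM = ("<init-param><param-name>whitelist</param-name>"
              "<param-value>{hosts}</param-value></init-param>")

def _local(tag):
    """Strip the Java EE namespace so elements can be matched by local name."""
    return tag.rsplit("}", 1)[-1]

def whitelist_values(web_xml_path):
    """Hosts listed in the 'whitelist' init-param, or None if the param is absent."""
    root = ET.parse(web_xml_path).getroot()
    for elem in root.iter():
        if _local(elem.tag) != "init-param":
            continue
        fields = {_local(c.tag): (c.text or "").strip() for c in elem}
        if fields.get("param-name") == "whitelist":
            value = fields.get("param-value", "")
            return {h.strip() for h in value.split(",") if h.strip()}
    return None

def host_problems(host):
    """Reasons one allowlist entry is unsafe or malformed (empty list means fine)."""
    parts = urlsplit(host)
    problems = []
    if parts.scheme != "https":
        problems.append("not https")
    if not parts.netloc:
        problems.append("no host")
    if "*" in host:
        problems.append("wildcard")
    if parts.path not in ("", "/") or parts.query or parts.fragment:
        problems.append("path/query present")
    return problems

def check_profile(profile_dir, expected=EXPECTED_HOSTS):
    """Map each web.xml under profile_dir to its list of findings (empty = OK)."""
    report = {}
    for dirpath, _dirs, files in os.walk(profile_dir):
        if "web.xml" not in files:
            continue
        path = os.path.join(dirpath, "web.xml")
        hosts = whitelist_values(path)
        findings = []
        if hosts is None:
            findings.append("whitelist init-param missing")
        else:
            if hosts != set(expected):
                findings.append("hosts differ: %s" % sorted(hosts ^ set(expected)))
            for host in sorted(hosts):
                findings.extend("%s: %s" % (host, p) for p in host_problems(host))
        report[path] = findings
    return report

def build_sample_profile():
    """Create a throwaway <WAS_PROFILE> holding the three web.xml copies of step 7."""
    base = tempfile.mkdtemp(prefix="was_profile_")
    samples = {  # relative directory -> init-param text (constructed cases)
        "installedApps/cell1/inspector-1.ear/inspector.war/WEB-INF":
            INIT_PARAM.format(hosts="https://accounts.google.co.in"),   # correct
        "config/cells/cell1/applications/inspector-1.ear/deployments/inspector-1/inspector.war/WEB-INF":
            "",                                                         # forgotten
        "wstemp/123/workspace/cells/cell1/applications/inspector-1.ear/deployments/inspector-1/inspector.war/WEB-INF":
            INIT_PARAM.format(hosts="http://accounts.google.co.in, https://accounts.google.co.in"),  # plaintext entry
    }
    for rel, init_param in samples.items():
        target = os.path.join(base, *rel.split("/"))
        os.makedirs(target)
        with open(os.path.join(target, "web.xml"), "w", encoding="utf-8") as fh:
            fh.write(WEB_XML.format(init_param=init_param))
    return base

def demo():
    """Run the audit on the constructed profile, keyed by profile-relative path."""
    base = build_sample_profile()
    return {os.path.relpath(p, base).replace(os.sep, "/"): f
            for p, f in check_profile(base).items()}
```

In real use, call check_profile() with the path of your <WAS_PROFILE> and adjust EXPECTED_HOSTS to the origins you intend to trust; an empty findings list for every copy of web.xml is the condition step 8 asks you to confirm.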

Results

After completing these steps, third party authentication is enabled.

Note: If you are using ISAM instead of Google OpenID, you might see the following error that is caused by a missing JEE security role in the web.xml and application.xml files:
com.ibm.websphere.wim.exception.PasswordCheckFailedException: CWWIM4529E The password verification for the 'mpctest101' principal name failed. Root cause: 'javax.naming.AuthenticationException:[LDAP: error code 49 - 80090308: LdapErr: DSID-0C09042A, comment: AcceptSecurityContext error, data 52e, v3839^@]

To resolve this issue, edit both web.xml and application.xml to add the required security parameters:

  1. Update web.xml so that it contains the following security constraints, login configuration and security role declaration:
    <security-constraint>
         <web-resource-collection>
              <web-resource-name>SSL</web-resource-name>
              <url-pattern>/*</url-pattern>
         </web-resource-collection>
         <auth-constraint id="AuthConstraint_1" >
              <description> All Authenticated users </description>
              <role-name>All Role</role-name>
         </auth-constraint>
         <user-data-constraint>
              <transport-guarantee>CONFIDENTIAL</transport-guarantee>
         </user-data-constraint>
    </security-constraint>
    <security-constraint>
         <display-name>restrict http methods</display-name>
         <web-resource-collection>
              <web-resource-name>restricted methods</web-resource-name>
              <url-pattern>/*</url-pattern>
              <http-method>TRACE</http-method>
         </web-resource-collection>
         <auth-constraint id="AuthConstraint_2" >
              <description> All Authenticated users </description>
              <role-name>All Role</role-name>
         </auth-constraint>
    </security-constraint>
    <login-config>
         <auth-method>FORM</auth-method>
         <form-login-config>
              <form-login-page>/common/login.ihtml</form-login-page>
         </form-login-config>
    </login-config>
    <security-role id="SecurityRole_1" >
         <description>All Authenticated Users Role.</description>
         <role-name>All Role</role-name>
    </security-role>
  2. Update application.xml so that it declares the same security role, as in the following listing:
    <application id="Inspector" version="5"
         xmlns="http://java.sun.com/xml/ns/javaee"
         xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
         xsi:schemaLocation="http://java.sun.com/xml/ns/javaee http://java.sun.com/xml/ns/javaee/application_5.xsd" >
         <display-name>Inspector</display-name>
         <module id="Module_1334727512382" >
              <web>
                   <web-uri>inspector.war</web-uri>
                   <context-root>inspector</context-root>
              </web>
         </module>
         <security-role id="SecurityRole_1183122147906" >
              <description>All Authenticated users role.</description>
              <role-name>All Role</role-name>
         </security-role>
    </application>
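The failure described in the note comes down to a role that is referenced in one descriptor but not declared in the other. The following Python check is an added example, not IBM's code: check_roles() parses web.xml and application.xml, confirms that every role named in an auth-constraint is declared as a security-role in web.xml and again in application.xml, and also verifies that some security-constraint forces CONFIDENTIAL transport on /* for every HTTP method and that a login-config is present. The sample descriptors are constructed from the fragments above, wrapped in root elements so that they parse; the "broken" variants strip the security-role element to reproduce the missing-role condition, and NO_TLS_WEB_XML weakens the transport guarantee.

```python
"""Added example (not IBM's code): cross-check the JEE security role that the
note above says is missing when ISAM reports PasswordCheckFailedException."""
import re
import xml.etree.ElementTree as ET

def _local(tag):
    """Element local name without the Java EE namespace prefix."""
    return tag.rsplit("}", 1)[-1]

def _texts(elem, name):
    """Stripped text of every descendant whose local name is `name`."""
    return [(e.text or "").strip() for e in elem.iter() if _local(e.tag) == name]

def check_roles(web_xml, application_xml):
    """Findings about role declarations and transport settings (empty list = consistent)."""
    web = ET.fromstring(web_xml)
    app = ET.fromstring(application_xml)
    referenced, declared_web, declared_app = set(), set(), set()
    for e in web.iter():
        if _local(e.tag) == "auth-constraint":
            referenced.update(_texts(e, "role-name"))
        elif _local(e.tag) == "security-role":
            declared_web.update(_texts(e, "role-name"))
    for e in app.iter():
        if _local(e.tag) == "security-role":
            declared_app.update(_texts(e, "role-name"))

    findings = []
    for role in sorted(referenced - declared_web):
        findings.append("role '%s' used in auth-constraint but not declared in web.xml" % role)
    for role in sorted(declared_web - declared_app):
        findings.append("role '%s' declared in web.xml but missing from application.xml" % role)
    if not referenced:
        findings.append("no auth-constraint: resources are not protected")
    constraints = [e for e in web.iter() if _local(e.tag) == "security-constraint"]
    if not any("/*" in _texts(c, "url-pattern")
               and "CONFIDENTIAL" in _texts(c, "transport-guarantee")
               and not _texts(c, "http-method")   # must cover every method, not only TRACE
               for c in constraints):
        findings.append("no security-constraint forces CONFIDENTIAL transport on /*")
    if not any(_local(e.tag) == "login-config" for e in web.iter()):
        findings.append("login-config missing")
    return findings

# Sample descriptors built from the fragments on the page, wrapped in root
# elements so that they parse (constructed for this example).
GOOD_WEB_XML = """<web-app xmlns="http://java.sun.com/xml/ns/javaee" version="2.5">
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>SSL</web-resource-name>
      <url-pattern>/*</url-pattern>
    </web-resource-collection>
    <auth-constraint id="AuthConstraint_1">
      <description>All Authenticated users</description>
      <role-name>All Role</role-name>
    </auth-constraint>
    <user-data-constraint>
      <transport-guarantee>CONFIDENTIAL</transport-guarantee>
    </user-data-constraint>
  </security-constraint>
  <login-config>
    <auth-method>FORM</auth-method>
    <form-login-config>
      <form-login-page>/common/login.ihtml</form-login-page>
    </form-login-config>
  </login-config>
  <security-role id="SecurityRole_1">
    <description>All Authenticated Users Role.</description>
    <role-name>All Role</role-name>
  </security-role>
</web-app>
"""
GOOD_APP_XML = """<application id="Inspector" version="5"
    xmlns="http://java.sun.com/xml/ns/javaee"
    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
    xsi:schemaLocation="http://java.sun.com/xml/ns/javaee http://java.sun.com/xml/ns/javaee/application_5.xsd">
  <display-name>Inspector</display-name>
  <module id="Module_1334727512382">
    <web>
      <web-uri>inspector.war</web-uri>
      <context-root>inspector</context-root>
    </web>
  </module>
  <security-role id="SecurityRole_1183122147906">
    <description>All Authenticated users role.</description>
    <role-name>All Role</role-name>
  </security-role>
</application>
"""
# Variants with the <security-role> element removed: the missing-role condition.
BROKEN_WEB_XML = re.sub(r"<security-role.*?</security-role>", "", GOOD_WEB_XML, flags=re.S)
BROKEN_APP_XML = re.sub(r"<security-role.*?</security-role>", "", GOOD_APP_XML, flags=re.S)
NO_TLS_WEB_XML = GOOD_WEB_XML.replace("CONFIDENTIAL", "NONE")
```

Run check_roles() against the deployed descriptors from the paths in step 7 after editing them; an empty result means the role is declared consistently, which is the state the note's fix is meant to reach.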