Enabling third party authentication and single sign-on (SSO) in Inspector

This procedure describes how to enable third party authentication for MDM Inspector.

About this task

To enable third party authentication for MDM Inspector, you there are a number of configuration changes you must make.

Important: When you apply an InfoSphere® MDM feature pack upgrade, your third party authentication configuration will be reverted. Repeat this procedure to reconfigure third party authentication.

Procedure

  1. Go to <WAS_HOME>/AppServer/profiles/<YOUR_APP_SERVER_PROFILE>/InstalledApps/<CELL_NAME>/inspector-<INSTANCE_ID>.ear/inspector.war/WEB-INF/classes.
  2. Open the inspector.properties file in a text editor.
  3. Create or uncomment the property UserRole, and give it a value of mdm_admin. 
    UserRole=mdm_admin
  4. Save the inspector.properties file.
  5. Go to the inspector\WebContent\WEB-INF\ directory and open the web.xml file in a text editor.
  6. Add the following lines to create an allowlist named whitelist. Replace the <HOSTn> placeholders with the third party authentication URLs: 
    <init-param>
 	    <param-name>whitelist</param-name>
 	    <param-value><HOST1>,<HOST2></param-value>
</init-param>
    For example, for Google TAI HOST:
    <init-param>
 	    <param-name>whitelist</param-name>
 	    <param-value>https://accounts.google.co.in</param-value>
</init-param>
  7. Add the same <init-param> lines to the web.xml files found at the following locations within the WebSphere® Application Server profile home directory:
    • <WAS_PROFILE>/config/cells/<CELL_NAME>/applications/inspector-<INSTANCE_NAME>.ear/deployments/inspector-<INSTANCE_NAME>/inspector.war/WEB-INF/web.xml
    • <WAS_PROFILE>/installedApps/<CELL_NAME>/inspector-<INSTANCE_NAME>.ear/inspector.war/WEB-INF/web.xml
    • <WAS_PROFILE>/wstemp/<RANDOM_NUMBER>/workspace/cells/<CELL_NAME>/applications/inspector-<INSTANCE_NAME>.ear/deployments/inspector-<INSTANCE_NAME>/inspector.war/WEB-INF/web.xml
      Tip: If you cannot locate this third file, delete the <WAS_PROFILE>/wstemp folder instead.
  8. From the <WAS_PROFILE> directory, run the following command: 
    grep -r <HOSTn> *
    Make sure that all web.xml files are properly changed to include the correct allowlist value.

Results

After completing these steps, third party authentication is enabled.

Note: If you are using ISAM instead of Google OpenID, you might see the following error that is caused by a missing JEE security role in the web.xml and application.xml files: 
com.ibm.websphere.wim.exception.PasswordCheckFailedException: CWWIM4529E The password verification for the 'mpctest101' principal name failed. Root cause: 'javax.naming.AuthenticationException:[LDAP: error code 49 - 80090308: LdapErr: DSID-0C09042A, comment: AcceptSecurityContext error, data 52e, v3839^@]

To resolve this issue, edit both web.xml and application.xml to add the required security parameters:

  1. Update web.xml to add the parameters highlighted in bold type. 
    <security-constraint>
     <web-resource-collection>
          <web-resource-name>SSL</web-resource-name>
          <url-pattern>/*</url-pattern>
     </web-resource-collection>
     <auth-constraint id="AuthConstraint_1" >
          <description> All Authenticated users </description>
          <role-name>All Role</role-name>
     </auth-constraint>
     <user-data-constraint>
          <transport-guarantee>CONFIDENTIAL</transport-guarantee>
     </user-data-constraint>
</security-constraint>
<security-constraint>
     <display-name>restrict http methods</display-name>
     <web-resource-collection>
          <web-resource-name>restricted methods</web-resource-name>
          <url-pattern>/*</url-pattern>
          <http-method>TRACE</http-method>
     </web-resource-collection>
     <auth-constraint id="AuthConstraint_2" >
          <description> All Authenticated users </description>
          <role-name>All Role</role-name>
     </auth-constraint>
</security-constraint>
     <login-config>
          <auth-method>FORM</auth-method>
          <form-login-config>
               <form-login-page>/common/login.ihtml</form-login-page>
          </form-login-config>
     </login-config>
     <security-role id="SecurityRole_1" >
          <description>All Authenticated Users Role.</description>
          <role-name>All Role</role-name>
     </security-role>
  2. Update application.xml to add the parameters highlighted in bold type. 
    <application id="Inspector" version="5" xsi:schemaLocation="http://java.sun.com/xml/ns/javaeehttp://java.sun.com/xml/ns/javaee/application_5.xsd" >
     <display-name>Inspector</display-name>
     <module id="Module_1334727512382" >
          <web>
               <web-uri>inspec tor.war</web-uri>
               <context-root>inspector</context-root>
          </web>
     </module>
     <security-role id="SecurityRole_1183122147906" >
          <description>All Authenticated users role.</description>
          <role-name>All Role</role-name>
     </security-role>
</application>