SSO properties in IBM® TRIRIGA®

Several properties control an IBM TRIRIGA SSO configuration.

The SSO properties are in the TRIRIGAWEB.properties file. By default, the TRIRIGAWEB.properties file is in the Tririga/config folder of the application server. The application server must be restarted before the property value changes take effect.
Property (options; default), followed by its description
SSO (options: N, Y; default: N)

If set to Y, the environment runs in single sign-on (SSO) mode.

SSO_BACKING_SERVER_PORT (options: number; default: -1)

The port number that is used by the back-end server. If the SSO server port does not match the back-end server port, this property must be set.

If -1 or any other negative value is set for this property, then the port number that is set for the front-end server is also set for the back-end server port.

SSO_DISABLE_UNAUTHORIZED_STATUS (options: N, Y; default: N)

The unauthorized.jsp page sends an HTTP Error 401 response in the HTTP Header.

If set to Y, the header response is disabled.

If you want the HTTP Error 401 response sent, set this property to N.

SSO_REMOTE_USER (options: N, Y; default: Y)

If set to Y, the request.getRemoteUser() method is used to log in. The user name must exactly match the user name that is created in IBM TRIRIGA.

When the value of SSO_USER_PRINCIPAL is Y, set SSO_REMOTE_USER to N.

SSO_REMOVE_DOMAIN_NAME (options: N, Y; default: Y)

If set to Y, the prefixed or appended domain name is removed from the directory server user name that is passed by using the SSO_REMOTE_USER property.

  • If user names contain a domain name when passed from the directory server and user names in IBM TRIRIGA contain only the user name, set this property to Y.
  • If user names contain a domain name when passed from the directory server and user names in IBM TRIRIGA include the domain name, set this property to N.
SSO_REQUEST_ATTRIBUTE_NAME (options: [headername], sm_user, [username], [$WSRU]; default: headername)

The name of the property that is inserted into the HTTP header whose value is the IBM TRIRIGA user name.

The value can be blank.

Example 1:
For use with SiteMinder, set

SSO_REQUEST_ATTRIBUTE_NAME=sm_user

Example 2:
For use with WebSphere Application Server standalone or WebSphere Application Server Liberty, set

SSO_REQUEST_ATTRIBUTE_NAME=$WSRU

to pull the header from the plugin. On the IHS or Apache server, use HEADER UNSET $WSRU so that any $WSRU header sent by a client is discarded and the header is set only at the web server or application server layer.

Tip: This property takes priority over SSO_REMOTE_USER and SSO_USER_PRINCIPAL. Make sure that the value of SSO_REQUEST_ATTRIBUTE_NAME is blank if you use SSO_REMOTE_USER=Y or SSO_USER_PRINCIPAL=Y.

This property is case sensitive. Use the requestTest.jsp page to check the correct parameter name. When not in use, it must be set to a non-blank value.

If the user name is stored in a distinct HTTP attribute variable, set SSO_REMOTE_USER to N, and set this property to the HTTP attribute name.

In some systems, you can define the variable name in which the user name is located. In this case, set this property to the variable name in your system.

SSO_USER_PRINCIPAL (options: N, Y; default: N)

If the system is configured to append the User Principal Name (UPN) to the HTTP header, set this property to Y.

If set to Y, the HTTP header parameter UserPrincipal is used, and the user name is retrieved by calling the request.getUserPrincipal().getName() method.

When the value is Y, set the value of the SSO_REMOTE_USER property to N.

USERNAME_CASE_SENSITIVE (options: N, Y; default: Y)

If set to Y, sign-in user names are case-sensitive. If you want to authenticate without case sensitivity, set this property to N.

Some Java Applets prompt for the Windows user name and password, which is a known security issue with the Java plug-in and SSO. Affected applets might include: Brava! Document Viewer, Gantt, Association Viewer, and Workflow Expression Editor. Enter the SSO user name and password again to gain access to these applets.
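
The interactions between SSO_REQUEST_ATTRIBUTE_NAME, SSO_REMOTE_USER and SSO_USER_PRINCIPAL described above can be checked before a restart. The following is an added example, not IBM code: it applies the rule from the Tip and extends the $WSRU unset reminder to any header name. The function names are hypothetical, and it assumes simple key=value lines in TRIRIGAWEB.properties.

```python
DEFAULTS = {  # defaults from the property table on this page
    "SSO": "N",
    "SSO_REMOTE_USER": "Y",
    "SSO_USER_PRINCIPAL": "N",
    "SSO_REQUEST_ATTRIBUTE_NAME": "headername",
}

def parse_properties(text):
    """Parse simple key=value lines (assumed format); skip blanks and comments."""
    props = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line[0] in "#!" or "=" not in line:
            continue
        key, _, value = line.partition("=")
        props[key.strip()] = value.strip()
    return props

def lint_sso(text):
    """Return findings for SSO property combinations the page warns about."""
    p = {**DEFAULTS, **parse_properties(text)}
    if p["SSO"] != "Y":
        return []  # not running in SSO mode
    findings = []
    attr = p["SSO_REQUEST_ATTRIBUTE_NAME"]
    remote = p["SSO_REMOTE_USER"] == "Y"
    principal = p["SSO_USER_PRINCIPAL"] == "Y"
    if principal and remote:
        findings.append("SSO_USER_PRINCIPAL=Y: set SSO_REMOTE_USER=N")
    if attr and (remote or principal):
        findings.append(
            f"SSO_REQUEST_ATTRIBUTE_NAME={attr} takes priority over "
            "SSO_REMOTE_USER/SSO_USER_PRINCIPAL: blank it to use them")
    if attr:
        findings.append(
            f"user name is read from request header {attr}: confirm the "
            "web server unsets any client-supplied copy of it")
    return findings
# Constructed sample input, not taken from a real deployment.
SAMPLE_CONFLICT = """\
SSO=Y
SSO_REMOTE_USER=Y
SSO_USER_PRINCIPAL=Y
SSO_REQUEST_ATTRIBUTE_NAME=$WSRU
"""

if __name__ == "__main__":
    for finding in lint_sso(SAMPLE_CONFLICT):
        print("WARN:", finding)
```

A file that sets SSO=Y and nothing else still produces two findings, because the default SSO_REQUEST_ATTRIBUTE_NAME value (headername) is non-blank while SSO_REMOTE_USER defaults to Y.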