Limiting SSO based on Applications / Roles or Navigation

Former Member
0 Kudos

I had a question regarding SSO authentication in the Portal. Is it possible to have the Portal use SSO, but to force an authentication later when the user tries to open up a certain link or application.

For example, all users will have SSO, but when they select "ESS/MSS" in the top-level navigation bar in the portal they get a login window before they can proceed.

Is this possible and what would be the best way of implementing it?

Accepted Solutions (1)

former_member197348
Active Contributor
0 Kudos

Hi Hermann,

As far as I know, it is not possible to prompt for login once you have logged in to the portal, because the logged-in user can only see the roles that have been assigned to him. Create roles for the application or links and assign them only to those users who need them.

regards,

Siva

Former Member
0 Kudos

Hello Siva,

Thank you for the answer.

Unfortunately the application in question is used by all users. Every user should be able to use this application, however, the department that owns the application in the portal requires that SSO is turned OFF.

Since we use the portal for other applications as well, and other departments would like to use SSO to authenticate we are trying to find a solution in which we can provide SSO for all other apps and a required logon when the user wants to get into the HR portal.

So anyone else know if this is possible? Ideas, suggestions? Thank you.

Answers (1)

Former Member
0 Kudos

Hi,

For sure it is possible to achieve.

Any iView can be assigned to an authentication scheme... initially all iViews are assigned to the default authentication scheme....

- the default authentication scheme usually refers to uidpwdlogon (look at authschemes.xml in your J2EE)

- uidpwdlogon uses the authentication template called "ticket" (look at authschemes.xml in your J2EE)

- I think if you use SPNego, the "ticket" authentication template refers to "spnego" (see Security Provider in Visual Admin).

What you need to do is:

- create a custom authentication template in VA

- add the custom authentication scheme to "authschemes.xml" and refer to the custom authentication template that was created in VA

- give the newly created authentication scheme a priority higher than that of "uidpwdlogon" (by default it is 20)

Then assign the iView's authentication scheme to the custom authentication scheme....
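
Shown below, as an added illustration and not the poster's own file, is an authschemes.xml fragment with the shipped uidpwdlogon entry at priority 20 next to a higher-priority scheme for the HR iViews. The element layout follows the delivered authschemes.xml as far as I recall it, and HRPasswordLogon / hr_password are placeholder names, so verify both against your own file and the template you created in Visual Admin.

```xml
<!-- Constructed authschemes.xml fragment for illustration only.
     Element layout assumed from the delivered file; check against yours. -->
<document>
  <authschemes>
    <!-- Shipped SSO scheme: "ticket" template (SPNego behind it), priority 20 -->
    <authscheme name="uidpwdlogon">
      <authentication-template>ticket</authentication-template>
      <priority>20</priority>
      <frontendtype>2</frontendtype>
      <frontendtarget>com.sap.portal.runtime.logon.default</frontendtarget>
    </authscheme>

    <!-- Placeholder scheme for the HR iViews. The higher priority is what
         makes the portal show the logon mask again for these iViews.
         "hr_password" must exist as a template in Visual Admin first. -->
    <authscheme name="HRPasswordLogon">
      <authentication-template>hr_password</authentication-template>
      <priority>30</priority>
      <frontendtype>2</frontendtype>
      <frontendtarget>com.sap.portal.runtime.logon.default</frontendtarget>
    </authscheme>
  </authschemes>

  <authscheme-refs>
    <!-- "default" stays on uidpwdlogon so every other iView keeps SSO -->
    <authscheme-ref name="default">
      <authscheme>uidpwdlogon</authscheme>
    </authscheme-ref>
  </authscheme-refs>
</document>
```

Point the HR iView's Authentication Scheme property at HRPasswordLogon and leave "default" untouched so the rest of the portal keeps SSO. As the follow-up below reports, when both templates use the same user store the prompt appears but the second logon is rejected with "User is already authenticated".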

Former Member
0 Kudos

I just now saw your answer to this post.

The way you mentioned is actually the way we tried to implement, and you are correct in the way you would go about it.

Now when we browse to an iView with a stronger authentication scheme (higher priority set in authschemes.xml) we get a logon mask just as expected. However, when trying to re-authenticate the user here we get the following error:

"Authentication Failed. User is already authenticated." This may not be the exact error, but you get the idea. In the logs you'll find an exception along the lines of "Call log out before log in".

The problem is that our SPNego stack authenticates against the same LDAP as our stronger authentication with basic password and login...

How do you authenticate a user that's actually already logged in? The user already has a security context and a valid JSessionID in the portal....

I awarded you points for your answer since I think you are absolutely correct in the way it "should" work, but we still run into the problem of using the same data source for our authentication schemes.

Former Member
0 Kudos

We never actually got this working, but suggested a workaround in which a user can enable and disable SPNego for themselves. The process contains a small disclaimer notifying the end user of the risks attached to IWA / SPNego, and that was enough to allow this feature to work for all applications.

Cheers,

Hermann