8.3.2. IM-HybridSSO / External Menu Linkage

8.3.2.2. The user code at the destination of external menu linkage must be the same as the user code at the origin.

  • In the external menu linkage function, the user code of the user who is logged in at the origin is used to obtain menu information at the destination.
    Therefore, the user code at the origin and the user code at the destination must match.

8.3.2.3. The latest menu may not be displayed by the external menu linkage function.

  • The latest menu is not displayed in the following cases:
    1. If you edit the menu at the linkage destination server during operation, the latest menu is not displayed.
    2. If the linkage destination server is temporarily inaccessible because of a network error or other reasons while menu information is being obtained,
       external menu information is not obtained and the menu is displayed without it.
       • Menu information will not be obtained even if access to the linkage destination server subsequently becomes available.
    Some menu information is cached to accelerate the display.
    Therefore, if symptom 1 or 2 occurs, external menu information may be displayed for some users and not for others.
    The following workaround is available for these symptoms.
    Clear the menu cache with [Cache Clear] on the Menu Setting Screen.
    Please refer to the [Menu Setting] section of the [Tenant Administrator Operations Guide].
    If you do not have execution authority for the transition destination screen,
    clicking the displayed menu results in a 403 error and the screen cannot be accessed.
    Therefore, there would be no security exposure.

8.3.2.4. The automatic log-in function does not support the log-out linkage of iAP-iWP SSO Linkage Module (IM-HybridSSO).

  • The automatic log-in function does not support the log-out linkage of iAP-iWP SSO Linkage Module (IM-HybridSSO).

    The log-out linkage function of IM-HybridSSO is performed when the log-in screen is displayed.
    Therefore, the automatic log-in function, which performs authentication without using the log-in screen, does not support the log-out linkage of IM-HybridSSO.
    For information about the automatic log-in function, please refer to [In case Automatic Log-in Function is used] in the [Setup Guide].

8.3.2.5. Log-in by IM-HybridSSO is not performed when access is made by a shortcut URL.

  • To access an external menu obtained by external menu linkage, IM-HybridSSO authentication information is required.
    IM-HybridSSO authentication information is set when log-in is made via the log-in screen of intra-mart Accel Platform.
    When access is made by a shortcut URL, there are cases where you can transition to the target screen without going through the log-in screen.
    (For example, a user has display permission, and access is made by a shortcut URL for which log-in authentication is set as unnecessary.)
    In this case, since log-in by IM-HybridSSO is not performed, the external menu obtained by external menu linkage is displayed on the screen,
    but it cannot be accessed even if you click on it.
    This symptom can be avoided by logging in to intra-mart Accel Platform again.
    If you have already logged in to intra-mart Accel Platform, the external menu can be accessed because the IM-HybridSSO authentication information remains.

8.3.2.6. If a Web server or load balancer is used, the context path of the request URL and the context path of iWP / iAF should be set to the same value.

  • If a Web server or load balancer is used, the context path of the request URL and the context path of iWP / iAF should be set to the same value.

    The URL of the menu information created by external menu linkage is generated from the following two pieces of information:
    ・The URL specified by [im.web_server.url] in parameter.xml of iWP / iAF
    ・The context path of iWP / iAF
    Therefore, if the context path part has been modified by the Web server or load balancer,
    access from the external menu may not be established successfully.

    For example, if you are using the Apache module [mod_proxy] and the context path of iWP / iAF is [/imart],
    you need to set the local virtual path to [/imart] as shown below.
    ProxyPass /imart http://backend.example.com/imart
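
    The check below is an added example, not part of the original document or of intra-mart's own code. It lints ProxyPass lines for mappings that expose the iWP / iAF context path under a different local path, and shows that a menu URL built on that context path is then not forwarded. The menu path, the second configuration and the simplified first-match prefix routing are assumptions made for illustration.

```python
import re
from urllib.parse import urlsplit

# Matches simple "ProxyPass <local-path> <backend-url>" lines. Trailing
# key=value parameters are ignored; ProxyPassReverse and comments do not match.
PROXYPASS = re.compile(r"^[ \t]*ProxyPass[ \t]+(\S+)[ \t]+(\S+)", re.MULTILINE)

def parse_proxypass(conf):
    """Return (local_path, backend_url) pairs in configuration order."""
    return [(l, b) for l, b in PROXYPASS.findall(conf) if b != "!"]

def mismatched_mappings(conf, context_path):
    """Mappings that forward to the iWP / iAF context path under another name."""
    ctx = context_path.rstrip("/")
    bad = []
    for local, backend in parse_proxypass(conf):
        backend_path = urlsplit(backend).path.rstrip("/")
        if backend_path == ctx and local.rstrip("/") != ctx:
            bad.append((local, backend))
    return bad

def route(conf, request_path):
    """Backend URL the first matching ProxyPass prefix forwards to, else None.

    Simplified model of mod_proxy prefix matching (assumption: no regex
    mappings, no exclusions, directives evaluated in file order).
    """
    for local, backend in parse_proxypass(conf):
        prefix = local.rstrip("/")
        if request_path == prefix or request_path.startswith(prefix + "/"):
            return backend.rstrip("/") + request_path[len(prefix):]
    return None

# Constructed inputs: the context path from the example above and a
# hypothetical menu path of the kind external menu linkage would generate.
CONTEXT_PATH = "/imart"
MENU_PATH = CONTEXT_PATH + "/sample/menu_page"
GOOD_CONF = "ProxyPass /imart http://backend.example.com/imart\n"
BAD_CONF = "ProxyPass /portal http://backend.example.com/imart\n"  # renamed path

if __name__ == "__main__":
    for name, conf in (("good", GOOD_CONF), ("bad", BAD_CONF)):
        print(name, mismatched_mappings(conf, CONTEXT_PATH), route(conf, MENU_PATH))
```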
    

8.3.2.7. The SSO connection is released if you change the password of iWP / iAF while an IM-HybridSSO connection is in place.

  • Since the IM-HybridSSO connection information includes irreversible information based on the user password on iWP / iAF, if the password of the iWP / iAF log-in user is changed after the log-in to intra-mart Accel Platform and before the first access to an iWP / iAF screen, the SSO connection will not be established because the IM-HybridSSO connection information is invalid.

8.3.2.8. A configuration in which multiple SSO authentication providers are linked with the same SSO service provider is not supported.

  • If multiple SSO authentication providers (intra-mart Accel Platform) are set up to access the same SSO service provider (iWP / iAF), session information of iWP / iAF may be overwritten, and hence normal operations cannot be guaranteed.

8.3.2.9. Access may not be established successfully if session failover occurs while the external menu linkage function is in use.

  • The following error may be displayed: [Request information is invalid. Specified page cannot be displayed.]
    This happens because the external menu linkage function adds a signature to the menu information, and signature checking is performed.
    Signature information is retained by each server.
    If this error occurs, please access any page other than the external menu, and refresh the menu information.

8.3.2.10. A configuration in which an SSO authentication provider has SSO linkage with multiple log-in groups in the same iWP / iAF is not supported.

  • If an SSO authentication provider (1 tenant in intra-mart Accel Platform) is set up to have SSO linkage with multiple log-in groups in the same iWP / iAF, session information of iWP / iAF may be overwritten by accessing the menu of each log-in group, and hence normal operations cannot be guaranteed.

8.3.2.11. Servers that make up IM-HybridSSO must be built on the same domain.

  • Therefore, intra-mart Accel Platform and iWP / iAF must be built either with different context paths on the same host, to allow browsers to read/write Cookies, or on hosts that can be differentiated by subdomains.
    Example) When the hosts can be identified by subdomains:
    ・Domain: intra-mart.jp
    ・SSO Authentication Provider: iap.intra-mart.jp
    ・SSO Service Provider 1: iwp1.intra-mart.jp
    ・SSO Service Provider 2: iwp2.intra-mart.jp
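
    The following is an added example, not part of the original document or of intra-mart's own code. It checks a planned host list against the shared domain using the cookie domain-match rule of RFC 6265, on the assumption that the Cookies mentioned above are scoped to that shared domain. The hosts in CONSTRUCTED_HOSTS are made up for illustration.

```python
import ipaddress

def domain_match(host, cookie_domain):
    """RFC 6265 section 5.1.3 domain-match of a host against a cookie domain."""
    host = host.lower().rstrip(".")
    domain = cookie_domain.lower().strip(".")
    if host == domain:
        return True
    try:
        ipaddress.ip_address(host)
        return False  # an IP address only matches when it is identical
    except ValueError:
        pass
    # The suffix must begin on a label boundary, hence the leading dot.
    return host.endswith("." + domain)

def hosts_outside_domain(domain, hosts):
    """Hosts whose browsers would not send or accept a cookie for `domain`."""
    return [h for h in hosts if not domain_match(h, domain)]

# Hosts taken from the example in this section.
DOMAIN = "intra-mart.jp"
PAGE_HOSTS = ["iap.intra-mart.jp", "iwp1.intra-mart.jp", "iwp2.intra-mart.jp"]

# Constructed hosts that break the requirement: a different domain, a name
# that merely ends with the same characters, and access by IP address.
CONSTRUCTED_HOSTS = ["iwp.example.com", "iwp-intra-mart.jp", "192.0.2.10"]

if __name__ == "__main__":
    print("page example:", hosts_outside_domain(DOMAIN, PAGE_HOSTS))
    print("constructed :", hosts_outside_domain(DOMAIN, CONSTRUCTED_HOSTS))
```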

8.3.2.12. iWP / iAF cannot be used as [SSO Authentication Provider], and intra-mart Accel Platform cannot be used as [SSO Service Provider].

  • IM-HybridSSO does not support the following configurations:
    ・Logging in to iWP / iAF and performing SSO linkage with another SSO service provider.
    (iWP / iAF is used as [SSO Authentication Provider].)
    ・Performing SSO linkage between intra-mart Accel Platform instances.
    (intra-mart Accel Platform is used as [SSO Service Provider].)

8.3.2.13. IM-HybridSSO provides simple Single Sign On functions on intra-mart Accel Platform and iWP / iAF.

  • If you need integrated management of authenticated IDs or need to use an SSO service provider other than iWP / iAF, please use a Single Sign On product that supports the required functions.

8.3.2.14. In an environment where iAP-iWP SSO Linkage Module (IM-HybridSSO) is installed, you cannot change the transition destination screen after log-out.

  • On intra-mart Accel Platform you can change the transition destination screen after log-out by specifying the request parameter [im_url] at log-out time. However, this function is not available in an environment in which iAP-iWP SSO Linkage Module (IM-HybridSSO) is installed.
    Even if you specify a transition destination URL when you log out, the transition will be made to the log-in screen.
    Please see the document below for information about request parameter [im_url].