5.3.3.10. iAP-iWP SSO Linkage (IM-HybridSSO)¶
This section describes how to set up IM-HybridSSO, the function that performs Single Sign-On linkage (hereafter SSO) between iWP / iAF v7.2 (hereafter iWP) and intra-mart Accel Platform (hereafter iAP).
Warning: IM-HybridSSO is available from 2014 Summer (Honoka).
Warning: The iWP module for IM-HybridSSO is planned to be provided in patch 8. To use IM-HybridSSO with patch 7 of iWP, an individual patch module must be installed separately. Download the individual patch module from the URL below, unzip the corresponding file, and follow the expanded readme.txt for installation and setting.
Warning: Refer to [ Release Note ]-[ Limitations ]-[ HybridSSO/External Menu Linkage ] for the limitations that apply when using IM-HybridSSO.
5.3.3.10.1. Overview¶
5.3.3.10.1.1. What is IM-HybridSSO?¶
IM-HybridSSO is a function that performs SSO linkage between iAP and iWP. It works by managing the authentication information for iWP and logging into iWP automatically when a menu obtained through external menu linkage is accessed, so that the services of iAP and iWP can be used seamlessly. Refer to [ What is External Menu Linkage? ] for external menu linkage. External menu linkage must be set up in order to use IM-HybridSSO. In [ IM-HybridSSO Setting ], the settings for IM-HybridSSO and for external menu linkage are performed in parallel, so follow the procedure in order.
5.3.3.10.1.2. IM-HybridSSO Structure¶
In IM-HybridSSO, the connection origin and the connection destination are defined as follows.

| Role | Side | Description |
| --- | --- | --- |
| SSO Authentication Provider | Log-in subject tenant of the connection origin (iAP) | Assumes the role of menu client in the external menu linkage. |
| SSO Service Provider | Log-in group of the connection destination (iWP) | Assumes the role of menu provider in the external menu linkage. |

The basic structure of IM-HybridSSO is as follows.
Figure: IM-HybridSSO Structure
Setting is done by defining the SSO service provider of the linkage destination for each tenant.
5.3.3.10.1.3. IM-HybridSSO Function¶
IM-HybridSSO is realized by the following functions.

Authentication Information Management
  When a user logs into iAP, log-in confirmation is performed against iWP, and if the user can log in, the authentication information is saved in a browser Cookie.
SSO Auto Log-in
  When an external menu obtained by the external menu linkage is accessed, the user is logged into iWP automatically using the authentication information in the Cookie and the corresponding page is displayed.
Log-out Linkage
  When the user logs out of iAP, the user is logged out of all linked iWP instances and the authentication information is deleted from the Cookie.

In IM-HybridSSO, the user code of the user logged into iAP is used to log into iWP. SSO linkage cannot be performed if iWP has no user with the same user code. To synchronize the account information of iAP and iWP, you can use BackwardSync of the master information synchronization function. Refer to [ BackwardSync (Master Synchronization with version 7.2) Specifications ] and [ BackwardSync (Master Synchronization with version 7.2) Operations Guide ] for BackwardSync.
5.3.3.10.2. IM-HybridSSO Setting¶
5.3.3.10.2.1. iWP Setting¶
5.3.3.10.2.1.1. SSO Auto Log-in Setting¶
To enable SSO Auto Log-in by IM-HybridSSO, perform the following settings.
Warning: Add the settings at the locations shown in the correction contents. If the setting location is wrong, the function does not work properly.
1. Add the filter to the menu servlet.

Configuration File
<%Install Path of ApplicationRuntime% /doc/imart/WEB-INF/web.xml>
Correction Contents

    :
    <filter>
      <filter-name>HTTPContextHandlingFilter</filter-name>
      <filter-class>jp.co.intra_mart.common.aid.jsdk.javax.servlet.filter.HTTPContextHandlingFilter</filter-class>
    </filter>
    <!-- ↓↓↓ Add the following -->
    <filter>
      <filter-name>AutoLoginFilter</filter-name>
      <filter-class>jp.co.intra_mart.foundation.security.filter.AutoLoginFilter</filter-class>
    </filter>
    <!-- ↑↑↑ Up to here -->
    :
    <filter-mapping>
      <filter-name>HTTPContextHandlingFilter</filter-name>
      <servlet-name>MenuServlet</servlet-name>
    </filter-mapping>
    <!-- ↓↓↓ Add the following -->
    <filter-mapping>
      <filter-name>AutoLoginFilter</filter-name>
      <servlet-name>MenuServlet</servlet-name>
    </filter-mapping>
    <!-- ↑↑↑ Up to here -->

2. Add the request analysis module for SSO Auto Log-in.

Configuration File
<%Install Path of ServerManager% /conf/access-security.xml>
Correction Contents

    <user-security>
      :
      <initial-request-analyzer>
        <request-analyzer-class>jp.co.intra_mart.foundation.security.certification.ShortCutInitialRequestAnalyzer</request-analyzer-class>
      </initial-request-analyzer>
      <!-- ↓↓↓ Add the following -->
      <initial-request-analyzer>
        <request-analyzer-class>jp.co.intra_mart.system.hybrid_sso_provider.HybridSSORequestAnalyzer</request-analyzer-class>
      </initial-request-analyzer>
      <!-- ↑↑↑ Up to here -->
5.3.3.10.2.1.2. SSO Error Page Setting¶
Switch the following error pages to the IM-HybridSSO versions.
- Session Timeout Error Page
- Active Session Invalid Error Page
- Log-in Block Error Page
Correct each of the following files to switch the pages.
Session Timeout Error Page

Configuration File
<%Install Path of ServerManager% /conf/access-security.xml>
Correction Contents

    :
    <security-config>
      <error-page-provider>
        <page-provider-class>jp.co.intra_mart.foundation.security.certification.StandardErrorPageProvider</page-provider-class>
        :
        <init-param>
          <!-- Modify this path -->
          <param-name>session-timeout-page</param-name>
          <param-value>system/security/error/im_hybrid_sso/session_timeout_page.jssp</param-value>
        </init-param>
        :
        <init-param>
          <!-- If smartphones are used, also modify the following -->
          <param-name>session-timeout-page.sp</param-name>
          <param-value>system/security/error/im_hybrid_sso/session_timeout_page_smartphone.jssp</param-value>
        </init-param>

Active Session Invalid Error Page

Configuration File
<%Install Path of ServerManager% /conf/active-session-config.xml>
Correction Contents

    :
    <access-security-page-provider provider-class="jp.co.intra_mart.system.security.AccessSecurityPageProviderImpl">
      <access-security-page page-id="active-session-invalidated">
        <location request-header="maskat_layoutid">system/security/error/active_session_invalidated_page_maskat.jssp</location>
        <location client-type="mobile">system/security/error/active_session_invalidated_page_mobile.jssp</location>
        <!-- Modify this path -->
        <location>system/security/error/im_hybrid_sso/active_session_invalidated_page.jssp</location>
        <!-- If smartphones are used, also modify the following -->
        <location client-type="sp">system/security/error/im_hybrid_sso/active_session_invalidated_page_smartphone.jssp</location>
      </access-security-page>
    </access-security-page-provider>

Log-in Block Error Page

Configuration File
<%Install Path of ApplicationRuntime% /doc/imart/WEB-INF/web.xml>
Correction Contents

    :
    <filter>
      <filter-name>LoginBlockFilter</filter-name>
      <filter-class>jp.co.intra_mart.foundation.security.filter.LoginBlockFilter</filter-class>
      <init-param>
        <param-name>pagePath</param-name>
        <!-- Modify this path -->
        <param-value>/system/security/error/im_hybrid_sso/login_block_page.jssp</param-value>
      </init-param>
      <init-param>
        <param-name>mobilePagePath</param-name>
        <param-value>/system/security/error/login_block_page_mobile.jssp</param-value>
      </init-param>
      <init-param>
        <param-name>pagePath.sp</param-name>
        <!-- If smartphones are used, also modify the following -->
        <param-value>/system/security/error/im_hybrid_sso/login_block_page_smartphone.jssp</param-value>
      </init-param>
    </filter>
5.3.3.10.2.1.3. SSO Service Provider Setting¶
This setting defines the SSO service provider ID and the log-in groups of the connection destination that perform SSO linkage with it.
Configuration File
<%Install Path of ServerManager% /conf/hybrid-sso-provider-config.xml>
Setting Example

    <hybrid-sso-provider-config xmlns="http://www.intra-mart.jp/hybrid_sso_provider/hybrid-sso-provider-config"
                                xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
                                xsi:schemaLocation="http://www.intra-mart.jp/hybrid_sso_provider/hybrid-sso-provider-config"
                                provider-id="sample">
      <mappings>
        <mapping login-group="default" encrypt-key="default-enc-key" />
        <mapping login-group="other" encrypt-key="other-enc-key" />
      </mappings>
    </hybrid-sso-provider-config>

The following settings are made in the SSO service provider configuration file.

Provider ID Setting
  Set the provider ID in the provider-id attribute of <hybrid-sso-provider-config>. The provider ID must be unique among the iWP instances on the domain that makes up the same SSO.
Log-in Group Setting
  Describe one <mapping> tag inside <mappings> for each log-in group used for SSO linkage. Set the log-in group ID in the login-group attribute. In the encrypt-key attribute, set the key used to encrypt the authentication information placed in the browser's Cookie.
Warning: The authentication information is encrypted with Blowfish, so the encryption key string must be of a length that can be used as a Blowfish key. The usable key length may be limited depending on the environment. With the encryption provider implementation of Oracle JDK for Windows, the key length is limited to 123bit (16 single-byte characters) by default (when used in Japan). For the encrypt-key attribute, set a string whose length is acceptable in the environment you use. Refer to the following for the encryption provider of Oracle JDK.
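As an added post-edit check (not part of this document or of the intra-mart product), the following Python script verifies the two iWP edits described in [ SSO Auto Log-in Setting ] and [ SSO Service Provider Setting ]: that AutoLoginFilter is declared and mapped onto MenuServlet in web.xml, and that every <mapping> in hybrid-sso-provider-config.xml has a provider-id, a login-group and an encrypt-key no longer than the 16-byte default JDK limit quoted in the warning. The two XML samples are constructed for the example.

```python
import xml.etree.ElementTree as ET
# Constructed samples of the two files after the edits on this page; only the
# elements the checks below look at are included (not real intra-mart files).
WEB_XML = """<web-app>
  <filter><filter-name>AutoLoginFilter</filter-name>
    <filter-class>jp.co.intra_mart.foundation.security.filter.AutoLoginFilter</filter-class></filter>
  <filter-mapping><filter-name>HTTPContextHandlingFilter</filter-name><servlet-name>MenuServlet</servlet-name></filter-mapping>
  <filter-mapping><filter-name>AutoLoginFilter</filter-name><servlet-name>MenuServlet</servlet-name></filter-mapping>
</web-app>"""
PROVIDER_XML = """<hybrid-sso-provider-config provider-id="sample"
  xmlns="http://www.intra-mart.jp/hybrid_sso_provider/hybrid-sso-provider-config">
  <mappings>
    <mapping login-group="default" encrypt-key="default-enc-key" />
    <mapping login-group="other" encrypt-key="this-key-is-far-too-long-for-the-default-policy" />
  </mappings>
</hybrid-sso-provider-config>"""
MAX_KEY_BYTES = 16  # default Oracle JDK limit quoted on this page: 16 single-byte characters

def _text(elem, name):
    # "{*}" matches the child whether or not the file declares a default namespace
    child = elem.find(f"{{*}}{name}")
    return child.text.strip() if child is not None and child.text else ""

def autologin_filter_ok(web_xml: str) -> bool:
    """True only when AutoLoginFilter is both declared and mapped onto MenuServlet."""
    root = ET.fromstring(web_xml)
    declared = any(_text(f, "filter-name") == "AutoLoginFilter"
                   for f in root.iterfind(".//{*}filter"))
    mapped = any(_text(m, "filter-name") == "AutoLoginFilter" and _text(m, "servlet-name") == "MenuServlet"
                 for m in root.iterfind(".//{*}filter-mapping"))
    return declared and mapped

def provider_config_issues(provider_xml: str, max_key_bytes: int = MAX_KEY_BYTES) -> list:
    """Return problems found in hybrid-sso-provider-config.xml (empty list means OK)."""
    root = ET.fromstring(provider_xml)
    issues = []
    if not root.get("provider-id"):
        issues.append("provider-id attribute is missing or empty")
    for m in root.iterfind(".//{*}mapping"):
        group, key = m.get("login-group", ""), m.get("encrypt-key", "")
        key_bytes = len(key.encode("utf-8"))  # Blowfish uses the raw key bytes
        if not group or not key:
            issues.append(f"<mapping> for login-group {group!r} lacks login-group or encrypt-key")
        elif key_bytes > max_key_bytes:
            issues.append(f"login-group {group!r}: encrypt-key is {key_bytes} bytes, "
                          f"over the {max_key_bytes}-byte default JDK policy limit")
    return issues
```

Run the two functions against the real files after installation; an empty issues list and a True result mean the edits on this page are in place.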
5.3.3.10.2.1.4. Base URL Setting¶
If a Web server is used so that the request URL seen by the browser differs from the request URL accepted by iWP, the base URL must be set. The following setting is required for the base URL; add it if nothing is set.

Configuration File
<%Install Path of ServerManager% /conf/parameter.xml>
Correction Contents

    :
    <param>
      <param-name>im.web_server.url</param-name>
      <param-value><http or https>://<accessible host name>:<PORT></param-value>
    </param>

In the structure below, http://www.intra-mart.jp should be set in <param-value>.

| Web Server Request URL | http://www.intra-mart.jp/imart/~ |
| --- | --- |
| Request URL accepted by iWP | http://iap.intra-mart.jp:8080/imart/~ |

The external menu linkage module generates the menu information URL from this setting. Without it, the menu information URL is generated from the request URL accepted by iWP, so the menu cannot be accessed through the Web server.
5.3.3.10.2.1.5. Web Service Execution User Setting¶
This setting defines the particular user who executes the Web services.

1. Define the Web service execution user. Create a new user for Web service execution and give it a particular role. If a new user cannot be created, give the role to an existing user and use that user for execution.
2. Give the Web service execution user's authority (the role set in step 1) to the following Web services from [Web Service Access Menu] of [Log-in Group Management Screen]. There are Web services for IM-HybridSSO and for external menu linkage, but set the same authority on every operation.

| Web Service | Operation | Description |
| --- | --- | --- |
| AdmissionService | publishKey | Log-in confirmation for IM-HybridSSO and creation of the authentication information. |
| MenuService | getAvailableMenuTree | Obtains the external menu tree for display, that is, the menu tree shown in the global navigation or the site map. |
| MenuService | getManagedMenuTree | Obtains the external menu tree for management, that is, the menu tree used to set the menu display location on the menu setting screen. |

Refer to [ Group Administrator Operations Guide ] of iWP for the operation procedure of each screen.
- Role Creation...[1.5.2 Role Setting]
- User Creation and Role Giving...[1.5.3 User Registration and Deletion (account information and profile information)]
- Web Service Execution User Authority...[1.14 Web Service Access Setting]
For more about the Web services of iWP, refer to [ Web Service Programming Guide ] of iWP.
5.3.3.10.2.1.6. Providing SSO Service Provider Information¶
Provide the following information to the system administrator of the iAP that performs SSO linkage. The iAP system administrator configures iAP by referring to it. Refer to [ iAP Setting ] for the setting of iAP.

| Item | Description |
| --- | --- |
| Provider ID | The provider ID set in the iWP configuration file [hybrid-sso-provider-config.xml]. |
| End Point for Authentication Information | Described in the format http://<HOST>:<PORT>/<CONTEXT_PATH>/services/AdmissionService |
| End Point for External Menu Linkage | Described in the format http://<HOST>:<PORT>/<CONTEXT_PATH>/services/MenuService |
| Log-in Group ID of Web Service Connection Destination | Log-in group ID of the SSO service provider. |
| User Code for Web Service Connection | User code of the user who has the Web service execution authority. |
| User Password for Web Service Connection | Password of the user who has the Web service execution authority. |
| Log-out URL | Described in the format http://<HOST>:<PORT>/<CONTEXT_PATH>/user.logout |
5.3.3.10.2.2. iAP Setting¶
5.3.3.10.2.2.1. IM-HybridSSO Module Selection¶
In IM-Juggling, select [Additional Function]-[Authentication Extension Function]-[iAP-iWP SSO Linkage Module (IM-HybridSSO)]. The [External Menu Linkage] module is required to use [iAP-iWP SSO Linkage Module (IM-HybridSSO)]; it is selected automatically when you perform [Select including dependency] on [iAP-iWP SSO Linkage Module (IM-HybridSSO)].
5.3.3.10.2.2.2. SSO Service Provider Setting¶
Describe the SSO service providers to be used in the configuration file. From the [Configuration File] tab, output [iAP-iWP SSO Linkage Module (IM-HybridSSO)]-[Mapping Setting for SSO Linkage (hybrid-sso-mapping-config)], and describe the SSO service provider settings in it. Describe one <mapping> tag for each SSO service provider that is linked. For the provider ID, use the value set in iWP in [ SSO Service Provider Setting ]. All servers that make up IM-HybridSSO must be built on the same domain. In the following structure, the value to set as the site domain in the configuration file is [intra-mart.jp].
- SSO Authentication Provider : iap.intra-mart.jp
- SSO Service Provider 1 : iwp1.intra-mart.jp
- SSO Service Provider 2 : iwp2.intra-mart.jp
Please refer to [ Configuration File Reference ]-[ Mapping Setting for SSO Linkage ] for the detail setting contents of configuration file.
5.3.3.10.2.3. Setting when operating in the Same Host¶
When iAP and iWP are operated on the same host, some Cookie names collide, so the Cookie names must be changed in order to use SSO. Change the following settings.

1. Change the session Cookie name.

The session Cookie name is changed on the application server. The setting method for Resin is shown below.

Configuration File
<%RESIN_HOME%/conf/resin.xml>
Correction Contents

    <!-- - Resin 4.0 configuration file. -->
    <resin xmlns="http://caucho.com/ns/resin" xmlns:resin="urn:java:com.caucho.resin">
      :
      <cluster id="app">
        :
        <session-cookie>IAP_SESSIONID</session-cookie>
        :

For application servers other than Resin, refer to the application server's documentation for the setting method.

2. Change the Cookie name used for the session information check.

Change the name of the Cookie used to check the validity of the session information. For how to change it, refer to [ Configuration File Reference ]-[ Session Information Check Setting ]-[ Session Information Cookie Setting Name ]. The Cookie name is [jp.co.intra_mart.session.cookie] by default; change it to an arbitrary value.

Setting Example

    :
    <!-- Settings used by session information management -->
    <category name="im_session">
      <!-- Name of the Cookie that stores the session management information -->
      <param>
        <param-name>cookie_name</param-name>
        <param-value>jp.co.intra_mart.session.cookie.iap</param-value>
      </param>