Single Sign-on

NOTE: The information in this topic is required by system administration personnel only.

A form of Single Sign-on (SSO) has been implemented within Proficy Portal that allows external methods of user authentication to be used with Proficy Portal. It does not, however, provide a single point of authentication for all Proficy products.

Prior to Portal 2.5, authentication was handled internally: a login dialog collected the credentials and the operating system was called to validate the username/password. This did not allow for easy integration of third-party or operating system built-in authentication methods. Now, external authentication methods may be used to validate a user's identity. In all cases, authorization remains a function of Proficy Portal.

In some cases, use of an external authentication method may also increase security if the protocol used does not include transferring the password across the network.

Implementation

In Proficy Portal 2.5 and greater, the default document is now default.asp instead of default.htm, although default.htm still exists. Default.asp checks whether the user has already been authenticated by one of the built-in authentication methods within IIS, or by any third-party authentication package that integrates with IIS. The built-in methods currently include Basic, Digest, and Integrated Windows authentication. If an authenticated user is found, the user name is read and passed to the client via an applet parameter. When a user name is provided in this manner, the server accepts it as already authenticated, but still checks which actions that user is authorized to perform.

<param name="user" value="<%getAuthorizedUser()%>">

function getAuthorizedUser()
{
    //
    // Fetch the authorized user from the server variables
    //
    Response.Write(Request.ServerVariables("AUTH_USER"))

    //
    // To pull the username from a cookie instead, remove the previous
    // line and uncomment the following, substituting "username" with
    // the name of the cookie. Include a trailing colon.
    //
    //Response.Write(getAttribute("username:"))
}

This works with IIS built-in authentication as well as with a number of third-party SSO implementations that are designed to work with IIS. Many third-party SSO implementations, however, provide the user name via an HTTP cookie. If that is the case, modify the default.asp file to read the cookie value instead of reading the user name from IIS. The code to read a cookie is already in place and defaults to the cookie name "username". Change "username" to the name of the cookie used by the SSO implementation, and change getAuthorizedUser() so that it calls getAttribute() (the call is commented out by default) instead of reading AUTH_USER, as shown here:

function getAuthorizedUser()
{
    //
    // Fetch the authorized user from the server variables
    //
    //Response.Write(Request.ServerVariables("AUTH_USER"))

    //
    // To pull the username from a cookie instead, remove the previous
    // line and uncomment the following, substituting "username" with
    // the name of the cookie. Include a trailing colon.
    //
    Response.Write(getAttribute("username:"))   // uncommented
}
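The following is an added example, not Proficy Portal's own default.asp, that models the two user-name lookups described above (the AUTH_USER server variable set by IIS, and a cookie written by a third-party SSO product) as plain Node.js so the logic can be run and checked offline. Everything in it is this example's own: the request objects are constructed samples, the "sso_user" cookie name is a placeholder for whatever the SSO product sets, and parseCookies, htmlAttrEscape, resolveAuthorizedUser and renderUserParam are hypothetical helpers, not functions from default.asp (the page's getAttribute() helper and its trailing-colon convention are not reproduced). Two points a practitioner would want to see: a cookie value is supplied by the client request, so it should be trusted as an identity only when the SSO agent in front of IIS guarantees it; and the name is written into an HTML attribute, so the example escapes it before emitting the applet param, as any server-generated attribute value should be.

```javascript
// Added example (not Proficy Portal code): models the user-name lookup that
// default.asp performs, in plain Node.js. All names below are this example's own.

// Parse a Cookie request header ("a=1; b=2") into a name -> value map.
// The first occurrence of a name wins, matching common server behaviour.
function parseCookies(cookieHeader) {
  const jar = {};
  if (!cookieHeader) return jar;
  for (const part of cookieHeader.split(";")) {
    const idx = part.indexOf("=");
    if (idx < 0) continue;
    const name = part.slice(0, idx).trim();
    const value = part.slice(idx + 1).trim();
    if (name && !(name in jar)) jar[name] = decodeURIComponent(value);
  }
  return jar;
}

// Escape a value before embedding it in an HTML attribute such as the
// applet <param value="..."> that default.asp emits.
function htmlAttrEscape(s) {
  return String(s)
    .replace(/&/g, "&amp;")
    .replace(/"/g, "&quot;")
    .replace(/</g, "&lt;")
    .replace(/>/g, "&gt;");
}

// Resolve the authenticated user name.
//   mode "iis":    read the AUTH_USER server variable, which IIS populates
//                  only after one of its authentication methods succeeded.
//   mode "cookie": read a cookie set by a third-party SSO product; cookieName
//                  plays the role of the "username" placeholder in default.asp.
// Returns "" when no user is known, which leaves the applet to show its own
// login dialog. Authorization (what the user may do) is a separate step and
// is not modelled here.
function resolveAuthorizedUser(req, mode, cookieName) {
  if (mode === "iis") {
    return req.serverVariables.AUTH_USER || "";
  }
  if (mode === "cookie") {
    const jar = parseCookies(req.headers.cookie);
    return jar[cookieName] || "";
  }
  throw new Error("unknown mode: " + mode);
}

// Render the applet parameter the way the page emits it, with escaping.
function renderUserParam(req, mode, cookieName) {
  const user = resolveAuthorizedUser(req, mode, cookieName);
  return '<param name="user" value="' + htmlAttrEscape(user) + '">';
}

// Constructed sample requests (not captured traffic).
const iisRequest = { serverVariables: { AUTH_USER: "CORP\\jsmith" }, headers: {} };
const ssoRequest = {
  serverVariables: { AUTH_USER: "" },
  headers: { cookie: "SESSIONID=abc123; sso_user=jsmith" },
};
const anonRequest = { serverVariables: { AUTH_USER: "" }, headers: {} };

console.log(renderUserParam(iisRequest, "iis"));
console.log(renderUserParam(ssoRequest, "cookie", "sso_user"));
console.log(renderUserParam(anonRequest, "cookie", "sso_user"));
```

The IIS path yields a non-empty name only when IIS itself has authenticated the request; the cookie path yields whatever the named cookie carries, so the cookie name must be the one the SSO product sets and that product must be the only party able to set it. When neither source supplies a name the param is emitted empty and the built-in login dialog takes over, matching the fallback behaviour described for default.asp.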

Allow ASP Web Extensions

To use Active Server Pages (ASP) with Windows 2003 Server, it is necessary to enable ASP processing within IIS. By default, ASP processing is prohibited.

To enable ASP processing:

  1. Launch the Internet Information Services (IIS) Manager.

  2. Expand the local computer node and select Web Service Extensions.

  3. In the right pane, select Active Server Pages and click the Allow button.

NOTE: If company policy prevents the processing of ASP, you may want to modify the Proficy Portal virtual directory and change the default document from default.asp to default.htm. The standard default.htm file does not provide any built-in ability to do external authentication, nor does it prevent it.

Keep-Alives must be Enabled

In IIS Default Web Site Properties, ensure that the Enable HTTP Keep-Alives check box is selected. The default setting for this option is Enabled.

Logoff

By default, when a user logs out of Proficy Portal, default.htm is loaded, which brings them back to the original, built-in Login dialog box. If this behavior is not desired, edit the Application Preferences and choose a new HTML file as the "Logoff Page". This HTML file must reside somewhere in the Proficy Portal virtual directory or in an accessible folder within it. See Application Preferences for more information.