17 Replies Latest reply on Feb 21, 2009 1:17 PM by Gary Gilchrist

    Workspace AutoLogin

    aoatak Level 1
      Hi,
      How can auto login to Workspace ES be achieved?
      Thanks.
        • 1. Re: Workspace AutoLogin
          Jasmin Charbonneau Level 4
          You can integrate LiveCycle with HTTP Header based authentication. Once it's configured properly (from the Administrative console), you'll be able to log in to Workspace without entering a user name and password (if the HTTP header contains the unique identifier for the user name).

          Jasmin
          • 2. Re: Workspace AutoLogin
            aoatak Level 1
            As I understand I should set HTTP Header based authentication and identify the user credential in a configuration file.
            Can you tell me how I can configure HTTP Header based authentication from the Administrative Console? And also, where should the user credential be defined?
            Thanks.
            • 3. Re: Workspace AutoLogin
              Jasmin Charbonneau Level 4
              Go under Settings > User Management > Configuration > Portal Configuration

              Then select Enable portal Single Sign-On (SSO): Yes

              SSO type: HTTP Header

              *Http header for unique identifier: This is going to be the name of the HTTP header that will contain the unique identifier for the user.

              The unique identifier needs to match the "Unique Identifier" LDAP attribute when you set up your LDAP under Domain Management. That's how it's going to be able to recognize the user.

              For example, let's say I have a HTTP header called UID which has a value of jcharbon.

              HTTP header for domain: This is the name of another HTTP header that will contain a hard coded value that will be used to map to a specific domain. The value can be anything.

              For example, let's say I have a HTTP header called DomainID which has the value of default.

              Domain mapping: This is going to map the hard coded value received from the HTTP header for domain to a valid LDAP domain ID. Go under Settings > User Management > Domain Management to get the ID from your LDAP domain

              For example you can have the following: default=MyLDAPDomain

              Which tells all HTTP headers that have the value "default" to go and get the users from the LDAP domain with id MyLDAPDomain.

              You don't have to store anything locally. You just need to pass the name of the user ID as part of the http header to get in.

              Jasmin
              • 4. Re: Workspace AutoLogin
                (samita) Level 1
                I am trying to test setting up an SSO. I have defined an LDAP domain and set up the SSO settings under portal configuration. I am trying to test the SSO using an HTTP header modifier that simply adds the required headers. But it does not seem to be working. Does LiveCycle write any logs that I can use to find out why it is not working?
                • 5. Re: Workspace AutoLogin
                  HowardTreisman Level 1
                  We have a single-signon solution for Workspace.
                  You can read more about it here:
                  http://www.avoka.com/avoka/single_signon.shtml
                  Howard
                  • 6. Re: Workspace AutoLogin
                    kc@dafolo.dk Level 1
                    Hi there

                    I can't seem to set up the configuration correctly, can you please help me a little?

                    - How do I know which HTTP header for the unique ID I have?
                    - How do I know which HTTP header for the domain I have?
                    - How do I know how to set up the domain mapping?

                    I am using LC 8.0 with SP2 on Windows 2003 Server. (Turnkey with JBOSS/MySQL)

                    Sincerely
                    Kim
                    • 7. Re: Workspace AutoLogin
                      chetanm_oct Level 2
                      It depends on your environment. Typically Header based SSO would work with third party security solutions like SiteMinder.

                      They have their own UI where you can configure what attributes of a user are to be mapped to which header. The attributes are obtained from the directory server.

                      -How do I know which HTTP header for the unique ID I have
                      In your domain configuration page in AdminUI you would have specified the attribute name to be used for user's uniqueId. Say if you use SunOne directory server it would be nsuniqueId. So in SiteMinder console you would configure it to map the user's nsuniqueid to any HTTP header say uniqueid.
                      Then set this header name in adminui as detailed by Jasmin above

                      - This is required if you also have the domain information. This is an optional attribute; then the user would be searched in all domains. This would be required to configure if you have multiple users having the same userid but in different domains.
                      • 8. Re: Workspace AutoLogin
                        kc@dafolo.dk Level 1
                        Hi again,

                        Thanks for the explanation, however I just realized that what I need is Kerberos authentication with Windows and the LDAP. Can I do this in LC 8.0, and what about LC 8.2, and how?

                        Sincerely
                        Kim
                        • 9. Re: Workspace AutoLogin
                          Jasmin Charbonneau Level 4
                          The next release of LiveCycle (Update 1) will support SPNEGO, which allows you to use the Microsoft Kerberos token to authenticate against web applications.

                          This will only work in a Microsoft environment (MS Active Directory, MS domain controller, MS Kerberos).

                          Jasmin
                          • 10. Re: Workspace AutoLogin
                            Level 1
                            Samita,

                            Try these settings:

                            In FireFox using the Modify Headers plugin, add and enable these 2 headers:

                            Header 1:
                            Name = Domain
                            Value = DefaultDom

                            Header 2:
                            Name = UserID
                            Value = kvarsen

                            # where username is some known user name. In LDAP it would be DN. If you installed the samples with Livecycle, the kvarsen user id will work.

                            In LiveCycle's Portal Configuration page set these settings:
                            SSO type: HTTP Header
                            Http header for unique identifier: UserID
                            HTTP header for domain: Domain
                            Domain mapping: Domain=DefaultDom

                            With all this set you'll be able to go to the URL without a UID and password prompt:
                            http://[servername]/workspace

                            There's more to a deployed configuration, but this should help for a start.

                            Thanks,

                            Todd.
                            • 11. Re: Workspace AutoLogin
                              kc@dafolo.dk Level 1
                              Hi again Jasmin,

                              Can you help me set up the Kerberos single sign on? It does not seem to work as I expected.

                              Sincerely
                              Kim
                              • 12. Re: Workspace AutoLogin
                                Hi Jasmin,
                                If we do not have Active Directory, is there a way to bypass the login screen using cookies? I would need to obviously write some sort of login servlet to handle this, correct? Has this been done before?
                                • 13. Re: Workspace AutoLogin
                                  Jasmin Charbonneau Level 4
                                  If you don't use AD, you can leverage SSO using HTTP Headers.

                                  As you said, you would need to build some servlets to set those up.

                                  I use the Modify Headers Firefox plug-in to test my SSO. This plugin allows you to set the HTTP headers of your browser.

                                  At least you know if you've configured the HTTP Headers properly from adminui.

                                  Jasmin
                                  • 14. Re: Workspace AutoLogin
                                    Hello.

                                    Can you please guide me how to write a servlet that will add http header to a request and forward it to Workspace?

                                    I have written a servlet which uses RequestDispatcher and the include or forward method to route the request to the Workspace context, and while Network monitor shows that some data is routed to Workspace, the Workspace GUI does not show in my browser when I call this servlet I've written directly.

                                    Thanks!
                                    • 15. Re: Workspace AutoLogin
                                      Level 1
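                                      So, programming the servlet, I made:

                                      import javax.servlet.http.HttpServletRequest;
                                      import javax.servlet.http.HttpServletRequestWrapper;

                                      // Request wrapper that reports a fixed value for the UserID header
                                      public class CustReq extends HttpServletRequestWrapper {

                                          public CustReq(HttpServletRequest request) {
                                              super(request);
                                          }

                                          @Override
                                          public String getHeader(String name) {
                                              // Only getHeader() is overridden; all other headers pass through
                                              if ("UserID".equalsIgnoreCase(name)) {
                                                  return "myuser";
                                              }

                                              return super.getHeader(name);
                                          }

                                      }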

                                      And then used in a Filter method:

                                      public void doFilter(ServletRequest arg0, ServletResponse arg1,
                                              FilterChain arg2) throws IOException, ServletException {

                                          CustReq wrapp = new CustReq((HttpServletRequest) arg0);
                                          arg2.doFilter(wrapp, arg1);

                                      }

                                      And finally bound the filter to RedirectorServlet, which has the following code in doGet():

                                      ServletContext context =
                                              getServletContext().getContext("/Workspace_cust/Main.html");
                                      RequestDispatcher rd = context.getRequestDispatcher("/Main.html");
                                      rd.include(req, res);

                                      Then I integrated these classes into Workspace_cust.ear, modifying web.xml and adding .class files.

                                      Now when I navigate with my browser to ../Workspace_cust/RedirectorServlet I get redirected to Main.html as I should be, but there is still the login screen! I tested SSO using the FF Modify Headers plugin and also by making a servlet like this in doGet:

                                      PrintWriter out = res.getWriter();
                                      out.println("Userid header is " + req.getHeader("UserID"));

                                      And I get the correct values!

                                      So please help me: how do I set/add HTTP headers in a Java Servlet?

                                      Thank you in advance
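
An added example, not code from the thread or from Adobe: a filter in the style of post 15 that supplies the configured SSO header through all three header accessors and takes the user id from the server-side session rather than a constant, so a `UserID` value sent by the browser is never passed on. `SESSION_ATTR` and the login step that sets it are hypothetical; `UserID` is the header name used in the thread; only the user-id header is handled here, not the domain header.

```java
import java.io.IOException;
import java.util.*;
import javax.servlet.*;
import javax.servlet.http.*;

// Added example: presents an authenticated user id as the SSO header.
public class SsoHeaderFilter implements Filter {
    // Assumption: same name as "Http header for unique identifier" in Portal Configuration.
    static final String SSO_HEADER = "UserID";
    // Hypothetical session attribute, set by your own login servlet after authentication.
    static final String SESSION_ATTR = "authenticatedUserId";

    public void init(FilterConfig cfg) {}
    public void destroy() {}

    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest http = (HttpServletRequest) req;
        HttpSession session = http.getSession(false);
        String user = session == null ? null : (String) session.getAttribute(SESSION_ATTR);
        // Always wrap: with no authenticated user, a browser-supplied UserID is hidden.
        chain.doFilter(new SsoRequest(http, user), res);
    }

    static class SsoRequest extends HttpServletRequestWrapper {
        private final String user;
        SsoRequest(HttpServletRequest request, String user) { super(request); this.user = user; }

        private boolean isSso(String name) { return SSO_HEADER.equalsIgnoreCase(name); }

        @Override public String getHeader(String name) {
            return isSso(name) ? user : super.getHeader(name);
        }
        @SuppressWarnings("unchecked")
        @Override public Enumeration<String> getHeaders(String name) {
            if (!isSso(name)) return super.getHeaders(name);
            List<String> values = user == null
                    ? Collections.<String>emptyList() : Collections.singletonList(user);
            return Collections.enumeration(values);
        }
        @Override public Enumeration<String> getHeaderNames() {
            Set<String> names = new LinkedHashSet<String>();
            for (Enumeration<?> e = super.getHeaderNames(); e.hasMoreElements();) {
                String n = (String) e.nextElement();
                if (!isSso(n)) names.add(n);       // drop the client's copy of the header
            }
            if (user != null) names.add(SSO_HEADER);
            return Collections.enumeration(names);
        }
    }
}
```

A filter only affects the requests it is mapped to in web.xml, so the mapping has to cover every URL on which the header is evaluated, not just an entry servlet.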
                                      • 16. Re: Workspace AutoLogin
                                        HowardTreisman Level 1
                                        Hi Andrej
                                        I'm not trying to dissuade you from trying, but we've done this, and it was seriously difficult. If you'd like to consider re-using what we've built rather than building it yourself, please see:
                                        http://www.avoka.com/avoka/single_signon.shtml
                                        or send an email to info@avoka.com

                                        Otherwise, good luck! :-)

                                        Howard
                                        • 17. Re: Workspace AutoLogin
                                          Gary Gilchrist Level 1
                                          In LiveCycle ES Update 1 we support the SPNEGO protocol used by Windows to authenticate desktop users to our Web Applications (Workspace, Admin console etc). This works in a Windows Domain using Active Directory.

                                          Also LiveCycle can be configured to rely on SSO products that initially set a user token identifier in HTTP Headers.

                                          Our documentation provides some background info:
                                          http://www.adobe.com/go/learn_lc_administration_82

                                          If you can use one of these approaches, then a nice benefit is that forms opened in Workspace will propagate the same SSO user when they call a LiveCycle Web Service.