SSO authentication setup

This topic describes how to set up SSO authentication for logging in to Connect.

Note: Using the Open Sign-on Protocol (OSP) with an Active Directory LDAP server is the only certified SSO configuration.

Prerequisites

Prepare the following for SSO configuration.

LDAP server preparation

Connection prerequisites for the LDAP server

Prepare the following for the connections to the LDAP server:

  • Host name or IP address of the LDAP server

  • LDAP port for the specific server

    OpenText recommends that you use LDAP connections over TLS (LDAPS).

  • DN for users' organization unit

  • DN and password for a service user that can log in to the LDAP server and perform queries.

Authorization schemes

There are two possible scenarios with SSO configuration:

  • Authorization through LDAP group membership

    Prepare groups for the Site, Admin, and User roles and add the necessary users to those groups.

  • Authorization through Connect configuration

    In this scenario, an active user with Site permissions must create the users with their LDAP userPrincipalName (for example, login@domain) and the required roles.

Local DNS preparation

The ability of OSP to handle fully qualified host names in incoming URLs depends on the local DNS configuration. Therefore, make sure that DNS is configured properly on the system where Connect with OSP is installed.

  1. Make sure that the FQDN (for example, host.domain.com) is resolvable and reachable with a ping command from both inside and outside the host. For example, ping host.domain.com.

  2. Make sure that the host's DNS configuration is set properly.

    Windows:

    1. Run cmd.exe.

    2. Run the following command:

      echo %COMPUTERNAME%.%USERDNSDOMAIN%

    3. Ensure that you see the FQDN.

    Linux:

    1. Open a terminal.

    2. Run the following command:

      hostname --all-fqdns

    3. Ensure that you see the FQDN in the host list.


Configure SSL/TLS in Tomcat

Set up the SSL/TLS configuration in Tomcat as follows:

  • Make sure that there is a JKS/PKCS12 keystore file with a certificate for the specific host name.

    For example, if the host name is host.domain.com, you should have the certificate for this specific name in this keystore.

    For details about SSL/TLS configuration, see SSL/TLS configuration.

  • Verify that inbound HTTPS connections work, for example with the URL: https://host.domain.com/ConnectWeb.


Configure SSL trust in JRE

Make sure that the installed certificate is trusted by Connect itself. For details, see Install SSL certificates.


Configure OSP server application

Follow the steps below to configure the OSP server application.

  1. Open the <install-dir>\AppData\osp-server-configuration\osp-server-configuration.properties file in a text editor.

  2. Set the following properties in the file.

    com.microfocus.mfc.osp.ds-ldap.host
      The LDAP server host name or IP address.

    com.microfocus.mfc.osp.ds-ldap.use-tls
      Set to true when connecting to a secure port.

    com.microfocus.mfc.osp.ds-ldap.port
      The LDAP server port number.

    com.microfocus.mfc.osp.ds-ldap.service-user-dn
      The LDAP service user DN.

    com.microfocus.mfc.osp.ds-ldap.service-user-pwd
      The LDAP service user's password.

      Note: The password can be encrypted using the mfcEncryptPassword utility. For details, see Encrypt passwords with mfcEncryptPassword.

    com.microfocus.mfc.osp.as-ldap.users-container-dn
      DN for users' organization unit.

    com.microfocus.mfc.osp.authorization.enabled
      Set to true to enable authorization through LDAP group membership, or false to disable it.

    com.microfocus.mfc.osp.authorization.site-admins-ag-dn
    com.microfocus.mfc.osp.authorization.admins-ag-dn
    com.microfocus.mfc.osp.authorization.users-ag-dn
      DNs for the Site, Admin, and User role groups respectively.

    com.microfocus.mfc.oauth.client.id
      Random client ID value. Use only alphabetic characters, in any mix of cases. For example, randomUserName, RANDOMUserName, randomUserName.

    com.microfocus.mfc.oauth.client.secret
      Random client secret.

      Note: The secret can be encrypted using the mfcEncryptPassword utility. For details, see Encrypt passwords with mfcEncryptPassword.

    com.microfocus.mfc.oauth.client.callback-host
      Connect host name.

    com.microfocus.mfc.signing-keystore.key.pwd
    com.microfocus.mfc.signing-keystore.pwd
    com.microfocus.mfc.encrypting-keystore.key.pwd
    com.microfocus.mfc.encrypting-keystore.pwd
      Passwords for the generated auxiliary keystores with keys (osp-encrypting-keys.pkcs12 and osp-signing-keys.pkcs12).

  3. Before the first start with the new configuration, remove the osp-encrypting-keys.pkcs12 and osp-signing-keys.pkcs12 files from the <install-dir>\AppData\osp-server-configuration directory.


Configure OSP filter

Follow the steps below to configure the OSP filter.

  1. Open the <install-dir>\AppData\osp-filter-configuration.properties file in a text editor.

  2. Set the following properties.

    osp-filter-enabled
      Set to true to enable the OSP SSO filter.

    osp-server-host
      Connect host name.

    osp-server-port
      Connect TLS port. For example, 443.

    osp-client-id
      The same as the value of com.microfocus.mfc.oauth.client.id.

    osp-client-secret
      The same as the value of com.microfocus.mfc.oauth.client.secret.

      Note: The secret can be encrypted using the mfcEncryptPassword utility. For details, see Encrypt passwords with mfcEncryptPassword.
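As an added example (not part of this OpenText documentation and not an OSP feature), the following Python script cross-checks the two property files described in the OSP server and OSP filter sections against the rules on this page: TLS on the LDAP connection, all three role-group DNs when group authorization is enabled, an alphabetic client ID, matching client ID, secret and host between osp-server-configuration.properties and osp-filter-configuration.properties, and a fully qualified callback host as the DNS preparation section requires. The embedded file contents, hosts, DNs, client ID and secret are constructed placeholders; the checks and their messages are the example's own.

```python
import ipaddress
import re
from typing import Dict, List

# Constructed sample of osp-server-configuration.properties; every host, DN,
# id and secret below is a placeholder, not a value from a real installation.
OSP_SERVER_PROPERTIES = """
com.microfocus.mfc.osp.ds-ldap.host=ldap.example.com
com.microfocus.mfc.osp.ds-ldap.use-tls=true
com.microfocus.mfc.osp.ds-ldap.port=636
com.microfocus.mfc.osp.ds-ldap.service-user-dn=CN=svc-connect,OU=Service Accounts,DC=example,DC=com
com.microfocus.mfc.osp.ds-ldap.service-user-pwd=placeholder-service-password
com.microfocus.mfc.osp.as-ldap.users-container-dn=OU=Users,DC=example,DC=com
com.microfocus.mfc.osp.authorization.enabled=true
com.microfocus.mfc.osp.authorization.site-admins-ag-dn=CN=connect-site,OU=Groups,DC=example,DC=com
com.microfocus.mfc.osp.authorization.admins-ag-dn=CN=connect-admins,OU=Groups,DC=example,DC=com
com.microfocus.mfc.osp.authorization.users-ag-dn=CN=connect-users,OU=Groups,DC=example,DC=com
com.microfocus.mfc.oauth.client.id=randomUserName
com.microfocus.mfc.oauth.client.secret=placeholder-client-secret
com.microfocus.mfc.oauth.client.callback-host=host.domain.com
"""

# Constructed sample of osp-filter-configuration.properties (placeholders again).
OSP_FILTER_PROPERTIES = """
osp-filter-enabled=true
osp-server-host=host.domain.com
osp-server-port=443
osp-client-id=randomUserName
osp-client-secret=placeholder-client-secret
"""

PREFIX = "com.microfocus.mfc."


def parse_properties(text: str) -> Dict[str, str]:
    """Minimal Java .properties reader: '#'/'!' comments, '=' or ':' separators."""
    props: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#!":
            continue
        match = re.match(r"^([^=:\s]+)\s*[=:]\s*(.*)$", line)
        if match:
            props[match.group(1)] = match.group(2).strip()
    return props


def looks_like_fqdn(host: str) -> bool:
    """True for a dotted name such as host.domain.com; IP literals and bare names fail."""
    try:
        ipaddress.ip_address(host)
        return False  # an IP literal is not a fully qualified name
    except ValueError:
        pass
    labels = host.rstrip(".").split(".")
    return len(labels) >= 2 and all(re.fullmatch(r"[A-Za-z0-9-]+", lab) for lab in labels)


def check_sso_config(server: Dict[str, str], filt: Dict[str, str]) -> List[str]:
    """Return a list of findings; an empty list means the two files are consistent."""
    findings: List[str] = []

    def s(key: str) -> str:
        return server.get(PREFIX + key, "")

    # Transport: the page recommends LDAPS, so a non-TLS bind is the main weak setting.
    if s("osp.ds-ldap.use-tls").lower() != "true":
        findings.append("LDAP without TLS: ds-ldap.use-tls is not true, so the service-user "
                        "bind and all queries travel in clear text")
    # Required LDAP settings must be present.
    for key in ("osp.ds-ldap.host", "osp.ds-ldap.service-user-dn",
                "osp.ds-ldap.service-user-pwd", "osp.as-ldap.users-container-dn"):
        if not s(key):
            findings.append(f"missing value for {PREFIX}{key}")
    # Group-based authorization needs all three role groups, or nobody gets a role.
    if s("osp.authorization.enabled").lower() == "true":
        for key in ("osp.authorization.site-admins-ag-dn",
                    "osp.authorization.admins-ag-dn", "osp.authorization.users-ag-dn"):
            if not s(key):
                findings.append(f"authorization enabled but {PREFIX}{key} is empty")
    # OAuth client id and secret: alphabetic id, non-empty secret, both mirrored by the filter.
    client_id, secret = s("oauth.client.id"), s("oauth.client.secret")
    if not re.fullmatch(r"[A-Za-z]+", client_id):
        findings.append("oauth.client.id must contain only alphabetic characters")
    if client_id != filt.get("osp-client-id", ""):
        findings.append("osp-client-id in the filter file differs from oauth.client.id")
    if not secret or secret != filt.get("osp-client-secret", ""):
        findings.append("osp-client-secret in the filter file is empty or differs from oauth.client.secret")
    # Host names: the filter must point at the same FQDN the OSP callback uses.
    callback = s("oauth.client.callback-host")
    if not looks_like_fqdn(callback):
        findings.append(f"callback-host {callback!r} is not a fully qualified host name")
    if callback != filt.get("osp-server-host", ""):
        findings.append("osp-server-host differs from oauth.client.callback-host")
    if filt.get("osp-filter-enabled", "").lower() != "true":
        findings.append("osp-filter-enabled is not true; the SSO filter is inactive")
    return findings


def findings_for_samples() -> List[str]:
    """Run the checks over the constructed sample files above (returns [] for them)."""
    return check_sso_config(parse_properties(OSP_SERVER_PROPERTIES),
                            parse_properties(OSP_FILTER_PROPERTIES))
```

To use it against a real installation, read the two files from <install-dir>\AppData into the two strings instead of the embedded samples; the parser understands only the plain key=value form shown on this page, and values encrypted with mfcEncryptPassword are compared as the opaque strings they are, so the id and secret must be stored in the same form in both files for the match check to pass.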


Validate SSO authentication

Verify that SSO authentication is set up successfully.

  1. Restart the server.

  2. Log in to Connect with your LDAP login name and password.
