Web Service Single Sign-On

As with many other PPM Web components, PPM Web services can integrate with most industry-standard single sign-on (SSO) systems, such as CA SiteMinder, Oracle Identity Management, RSA Sign-On Manager, and IBM Tivoli Access Manager, through pluggable authentication frameworks. PPM provides a log-in module for SiteMinder. For other SSO systems, additional customization may be required.

You can integrate with SiteMinder using the PPM SiteMinder Log-in Module. When this authentication mode is used, PPM authenticates users to SiteMinder, and does not store user passwords in the PPM database.

PPM Server Configuration

From the PPM server side, you can add the following parameters into the server.conf file:

  • To allow the SiteMinder Log-in Module to be invoked for Web service user authentication, set the following parameter:

    com.kintana.core.server.ENABLE_WEBSERVICE_SSO=true

  • To choose SiteMinder as the authentication mode, set the following parameter:

    com.kintana.core.server.AUTHENTICATION_MODE=SiteMinder

    Note: If SiteMinder is chosen as the only authentication mode, any individual user's authentication mode that was set through the workbench user page is overridden by this mode.

  • To make the PPM Web application use single sign-on mode, set the following parameter:

    com.kintana.core.server.SINGLE_SIGN_ON_PLUGIN=com.kintana.sc.security.auth.SiteMinderSingleSignOn

Integration with a Client-Side Log-In Module

To complete the integration with a client-side log-in module, follow these steps:

  1. Develop a Java Authentication and Authorization Service (JAAS) log-in module that authenticates with the SSO system and receives an SSO token. The token could be set as a private credential in the Subject class.

    PPM has already provided such a module:

    com.kintana.sc.security.auth.SiteMinderLoginModule
  2. Create the JAAS configuration file under the $WebServiceToolkit/java/conf directory.

    Example:

    // authentication.conf
    SiteMinder {
        com.kintana.sc.security.auth.SiteMinderLoginModule required
        debug=true;
    };
  3. Specify the JAAS login configuration system property in the command lines used to invoke the Web services in the compile_client.bat file.

    Example:

    java -Dclient.repository.dir=%WSCLIENT_HOME% -classpath %CPATH% ^
      -Djava.security.auth.login.config==%WSCLIENT_HOME%/conf/authentication.conf ^
      examples.pm.ProjectServiceClient ^
      https://localhost:8443/itg/ppmservices/ProjectService "kevin8"
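  4. Add logic in the Web service client to invoke JAAS login.

    Example:

    import javax.security.auth.Subject;
    import javax.security.auth.login.LoginContext;
    import javax.security.auth.login.LoginException;

    public Subject login() throws LoginException {
        // The name must match an entry in the JAAS configuration file
        // (for example, "SiteMinder" in authentication.conf above).
        LoginContext lc = new LoginContext("MyCustomModule", myCallbackHandler);
        lc.login();
        return lc.getSubject();
    }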
  5. Add the SSO token as a cookie in the Web service client.

    Example: Set an HTTP cookie in an Axis2 Web service client.

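    import java.util.ArrayList;
    import java.util.List;
    import org.apache.axis2.client.Options;
    import org.apache.axis2.client.ServiceClient;
    import org.apache.axis2.client.Stub;
    import org.apache.axis2.transport.http.HTTPConstants;
    import org.apache.commons.httpclient.Header;

    public void setSSOCookie(Stub stub, String ssoToken) {
        List<Header> headers = new ArrayList<Header>();

        // Set the required session cookie for the SSO system
        headers.add(new Header("Cookie", "SMSESSION=" + ssoToken));

        // Attach the header list to requests sent through this stub
        ServiceClient client = stub._getServiceClient();
        Options option = client.getOptions();
        option.setProperty(HTTPConstants.HTTP_HEADERS, headers);
    }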
  6. Call the corresponding method to set the SSO cookie after a stub is created.

  7. Make the desired Web service request with the SSO cookie you set.
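
Step 1 says the token could be set as a private credential in the Subject. The following added example (not PPM's code) shows a client reading it back after login and building the SMSESSION cookie value, with two checks before the cookie is used: the token contains only cookie-safe characters, and the endpoint is https. SsoTokenDemo, DemoLoginModule, the constructed token, and storing the token as a String are assumptions standing in for the real log-in module.

```java
import java.net.URI;
import java.util.*;
import javax.security.auth.Subject;
import javax.security.auth.callback.CallbackHandler;
import javax.security.auth.login.*;
import javax.security.auth.spi.LoginModule;

public class SsoTokenDemo {
    /** Hypothetical stand-in for a real SSO log-in module; stores a constructed token. */
    public static class DemoLoginModule implements LoginModule {
        private Subject subject;
        public void initialize(Subject s, CallbackHandler h, Map<String, ?> st, Map<String, ?> o) { subject = s; }
        public boolean login() { return true; } // a real module authenticates with the SSO system here
        public boolean commit() { return subject.getPrivateCredentials().add("constructed-sso-token"); }
        public boolean abort() { return true; }
        public boolean logout() { subject.getPrivateCredentials().clear(); return true; }
    }

    /** Builds the Cookie header value, rejecting tokens that could corrupt the header. */
    static String cookieValue(Subject subject) {
        Set<String> tokens = subject.getPrivateCredentials(String.class);
        if (tokens.size() != 1) throw new IllegalStateException("expected exactly one SSO token");
        String token = tokens.iterator().next();
        if (!token.matches("[\\x21-\\x7E&&[^;,\"\\\\]]+")) // no CR/LF, spaces, ';', ',', '"' or '\'
            throw new IllegalArgumentException("SSO token contains characters not valid in a cookie");
        return "SMSESSION=" + token;
    }

    /** Refuses to send the session cookie to a non-TLS endpoint. */
    static void requireHttps(String endpoint) {
        if (!"https".equalsIgnoreCase(URI.create(endpoint).getScheme()))
            throw new IllegalArgumentException("SSO cookie must only be sent over https");
    }

    public static void main(String[] args) throws LoginException {
        // In-memory equivalent of an authentication.conf entry, so the example needs no file.
        Configuration conf = new Configuration() {
            public AppConfigurationEntry[] getAppConfigurationEntry(String name) {
                return new AppConfigurationEntry[] { new AppConfigurationEntry(
                    DemoLoginModule.class.getName(),
                    AppConfigurationEntry.LoginModuleControlFlag.REQUIRED, new HashMap<String, Object>()) };
            }
        };
        LoginContext lc = new LoginContext("Demo", new Subject(), null, conf);
        lc.login();
        requireHttps("https://localhost:8443/itg/ppmservices/ProjectService");
        System.out.println("Cookie header ready, " + cookieValue(lc.getSubject()).length() + " chars"); // never log the token
        lc.logout(); // clears the token from the Subject when the client is done
    }
}
```

The string returned by cookieValue is what would be passed as the Cookie header value in step 5.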