Single Sign On (SSO)

Basic Concept

When the SSO mode is used, the username is provided by the user's environment, i.e. the SSO authentication module that is responsible for the SSO authentication (which module this is depends on the environment configuration). The user does not have to enter it in the login dialog.

When the user tries to open the Valuemation Web client, the HTTP request goes through the authentication module, which authenticates the user currently logged in to the system and enriches the request with the username before it reaches the Valuemation servlet. Valuemation then checks whether a user with the provided username exists in the Valuemation database (see the 'SSO users mapping' mainparameter). If such a user exists, the user is logged in automatically.

When the SSO authentication fails (e.g. the username is not a valid user in Valuemation), the login dialog is shown prompting you to enter the credentials manually.

The Valuemation server can obtain the authenticated SSO username from the request sent to the server in two ways:

  • using the J2EE servlet standard method getRemoteUser()
  • retrieving the username from the HTTP header

These two methods are used when the value of the mainparameter 'SSOType' is set to 'TrustedRemoteUserName'.

Note: This has been the default setting since Valuemation v.4.6.

The Process of Getting the Username from the HTTP Request

  • (A) Retrieving the username from the HTTP header

    Valuemation tries to obtain the username from the HTTP header of the request. The 'VMWebSSOUserHTTPHeaderName' mainparameter defines the name of the HTTP header which is expected to contain the username of the authenticated user. The HTTP header is usually set by an authentication module (e.g. one running on a web server in front of the servlet engine). For example, this mechanism is used by Kerberos or SAML.

    This method is a general approach and is not specific to Kerberos. The important thing is that an authentication module sets the defined HTTP header on the request, with a value containing the username. For example, this could be achieved by the 'RequestHeader set' directive on the Apache server (using mod_headers).

    If domains are used in Valuemation, the content of the HTTP header will be in one of the following formats:

    1. DOMAIN\USER

      Example: demo.domain.com\user.name

    2. USER@DOMAIN

      Example: user.name@demo.domain.com

  • (B) Using the getRemoteUser() method

    This method relies on getting the user login name from the HTTP request by using the standard J2EE method getRemoteUser(). The user login name is provided by an authentication module running on the servlet container (Tomcat, WebSphere, …). For example, this is implemented by WAFFLE on Tomcat, by the internal/native WebSphere or WebLogic SSO authentication, or by an authentication servlet filter, which could be customer-specific.

    This method will be used when the value of the 'VMWebSSOUserHTTPHeaderName' mainparameter is set to 'REMOTE_USER' (the default value).
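
The choice between getRemoteUser() and the HTTP header, and the handling of the two domain formats listed above, could look like this in code. This is an added example, not Valuemation's own implementation: the class and method names and the `X-SSO-User` header name are hypothetical, and treating a value without a separator as a bare username is an assumption.

```java
import java.util.Map;
import java.util.Optional;
import java.util.TreeMap;

// Added illustration, not Valuemation code; all class and method names are hypothetical.
public class SsoUsernameDemo {

    record SsoIdentity(String domain, String user) {}

    // Selection rule from this page: the value 'REMOTE_USER' means "use
    // getRemoteUser()"; any other value names the HTTP header to read.
    static Optional<String> rawUsername(String headerNameParam, String remoteUser,
                                        Map<String, String> headers) {
        String raw = "REMOTE_USER".equals(headerNameParam)
                ? remoteUser : headers.get(headerNameParam);
        return Optional.ofNullable(raw).map(String::trim).filter(s -> !s.isEmpty());
    }

    // Splits DOMAIN\USER or USER@DOMAIN; a value with no separator is treated
    // as a bare username (assumption). Ambiguous or malformed values yield empty.
    static Optional<SsoIdentity> parse(String raw) {
        int bs = raw.indexOf('\\');
        int at = raw.indexOf('@');
        if (bs >= 0 && at >= 0) return Optional.empty();            // both separators
        if (bs != raw.lastIndexOf('\\') || at != raw.lastIndexOf('@'))
            return Optional.empty();                                 // repeated separator
        if (raw.chars().anyMatch(c -> c < 0x20 || c == 0x7f))
            return Optional.empty();                                 // control characters
        String domain = "", user = raw;
        if (bs >= 0) { domain = raw.substring(0, bs); user = raw.substring(bs + 1); }
        else if (at >= 0) { user = raw.substring(0, at); domain = raw.substring(at + 1); }
        if (user.isEmpty() || ((bs >= 0 || at >= 0) && domain.isEmpty()))
            return Optional.empty();                                 // missing part
        return Optional.of(new SsoIdentity(domain, user));
    }

    public static void main(String[] args) {
        // Constructed sample request; HTTP header names are case-insensitive.
        Map<String, String> headers = new TreeMap<>(String.CASE_INSENSITIVE_ORDER);
        headers.put("X-SSO-User", "user.name@demo.domain.com");
        // Header path: "x-sso-user" stands in for a VMWebSSOUserHTTPHeaderName value.
        System.out.println(rawUsername("x-sso-user", null, headers)
                .flatMap(SsoUsernameDemo::parse));
        // getRemoteUser() path: the header map is ignored.
        System.out.println(rawUsername("REMOTE_USER", "demo.domain.com\\user.name", headers)
                .flatMap(SsoUsernameDemo::parse));
        // Header absent, and a value mixing both formats: both resolve to empty.
        System.out.println(rawUsername("X-SSO-User", null, Map.of())
                .flatMap(SsoUsernameDemo::parse));
        System.out.println(parse("a\\b@c"));
    }
}
```

An empty result corresponds to the failure case described above, in which the login dialog is shown instead of an automatic login.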
