Main SSO Configuration

The Single sign-on authentication mode will be used when:

  • Any login configuration supporting the SSO was selected.

    This is any login configuration which contains the 'de.usu.s3.authentication.SimpleLoginModule sufficient s3user="true";' login module. For example, the 'AuthenticationManagerWEBLogon' authentication type.

  • The 'VMWebSSOEnable' mainparameter was set to 'true'.

SSO in Valuemation is configured by mainparameters. The SSO parameters have path='VMWeb'; their meanings and values are as follows:

Basic Configuration

  • VMWebSSOEnabled

    Enabling and disabling the SSO for the Web client. Set the value to true to enable the SSO.

  • VMWebSSOType

    Choose and configure the following SSO types offered within Valuemation Web Client:

    • TrustedRemoteUserName - the default setting.
    • NTLM – this option is obsolete and should not be used!
  • VMWebSSOFormSubmitMethod

    Defines a method of sending requests from a client. Set the value to GET or POST.

    Note: It is not used with Valuemation v.4.1 and higher!

  • VMWebSSOUserHTTPHeaderName
    • Set the value to REMOTE_USER to use getRemoteUser() SSO method. This is the default value.
    • Any other value defines the name of the HTTP header of the request from which the user name is read.
  • VMWebSSOUsers

    Defines the users who will be able to login by SSO.

    Please note the following:

    • This parameter can contain one or more items.
    • Each item must contain a domain user name.
    • Multiple items must be separated by the ',' character (e.g. mnorbert,anovak).
    • Each item can contain a domain separated by the '@' character (e.g. mnorbert@usu), but the domain can be omitted.
    • All users from a domain can be selected using the *@domain syntax (e.g. *@usu).
    • Each item can contain a mapping to a Valuemation user separated by the ':' character (e.g. mnorbert@usu:vm,anovak:vm2), but the user mapping can be omitted.
    • To select all users from a domain and additionally map them to one Valuemation user, use the *@domain:vmuser syntax (e.g. *@usu:vm).

    Note: By using the '*' character as the only item in the 'VMWebSSOUsers' parameter, you define that the SSO will be used for every user. This is the most common setting – the domain users should exist as Valuemation users with the same names.
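The item syntax described above can be checked offline before a value is entered into 'VMWebSSOUsers'. The following is an added example, not Valuemation code: the function names are hypothetical, and the matching rules the page does not state (case-sensitive comparison, an item without a domain matching any domain, named items taking precedence over '*' items) are assumptions.

```python
from dataclasses import dataclass
from typing import List, Optional

@dataclass(frozen=True)
class SsoItem:
    user: str                # domain user name, or "*" for every user
    domain: Optional[str]    # None when '@domain' is omitted
    vm_user: Optional[str]   # None when ':vmuser' is omitted

def parse_sso_users(value: str) -> List[SsoItem]:
    """Split a VMWebSSOUsers value into items of the form user[@domain][:vmuser]."""
    items = []
    for raw in (part.strip() for part in value.split(",")):
        if not raw:
            continue
        principal, _, vm_user = raw.partition(":")
        user, _, domain = principal.partition("@")
        if not user:
            raise ValueError(f"item without a user name: {raw!r}")
        items.append(SsoItem(user, domain or None, vm_user or None))
    return items

def resolve(items: List[SsoItem], user: str, domain: Optional[str]) -> Optional[str]:
    """Return the Valuemation user an SSO identity logs in as, or None if not listed.

    Assumptions (not stated on the page): comparison is case-sensitive, an item
    without a domain matches any domain, and named items win over '*' items.
    """
    for want_wildcard in (False, True):
        for item in items:
            if (item.user == "*") != want_wildcard:
                continue
            if item.user not in ("*", user):
                continue
            if item.domain is not None and item.domain != domain:
                continue
            return item.vm_user or user   # no mapping: same name in Valuemation
    return None

def shared_account_items(items: List[SsoItem]) -> List[SsoItem]:
    """Wildcard items that map many domain users onto one Valuemation account."""
    return [i for i in items if i.user == "*" and i.vm_user is not None]

# Constructed sample value built from the syntax examples above.
SAMPLE = parse_sso_users("mnorbert@usu:vm,anovak:vm2,*@usu")
```

Items returned by shared_account_items deserve a review, because sessions of different people then appear under a single Valuemation account.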

Fallback User

The numbered set of fallback users can be used to log guest users into Valuemation, that is, users who do not have an account for their real name provided by SSO.

When the username provided by SSO is not a valid Valuemation user (see the user mapping parameter), a fallback user is used to log in. It is possible to define a range of numbers to generate a 'numbered fallback user name': the user name of the fallback user will be a 'common name' followed by a number.

The fallback users will be used one by one and when the maximum number is reached then the 1st fallback user will be used again (round-robin).

Example:

  • common name: fbuser
  • minimum number: 1
  • maximum number: 10

The 'fbuser01, fbuser02, ... fbuser09, fbuser10' fallback users in Valuemation will be used when the user provided by Single Sign On is not a valid user in Valuemation.

The following Mainparameters are used for the configuration of the Fallback user mechanism:

  • VMWebSSOFallbackUser

    Defines the fallback user name. When ‘fbusers numbering’ is used, it defines the common name (e.g. ‘fbuser’ in the example above).

  • VMWebSSOFallbackUserNumberMin

    Defines the minimal number used for generating the number suffix of the fallback user name (integer value, e.g. 1)

  • VMWebSSOFallbackUserNumberMax

    Defines the maximal number used for generating the number suffix of the fallback user name (integer value, e.g.: 10).

  • VMWebSSOFallbackDomains

    A comma-separated list of domain names. It defines which domains the actual user has to be assigned to in order to be logged in as the Fallback User. If the actual (real) user is not assigned to one of the domains listed in this parameter, the Fallback user login will not take place.

Note: When the min. or max. number is not specified, only one fallback user account is used - just the 'common name'. When the 'common name' is not defined, the fallback users are not used at all.
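The fallback rules above (round-robin numbering, the domain restriction, and the two cases from the note) can be modelled as follows. This is an added example, not Valuemation code: the class name is hypothetical, the zero-padding to the width of the maximum number is inferred from the 'fbuser01 ... fbuser10' example, and treating an empty 'VMWebSSOFallbackDomains' as admitting no domain is an assumption.

```python
from typing import Optional

class FallbackPool:
    """Model of the VMWebSSOFallback* mainparameters (hypothetical helper)."""

    def __init__(self, common_name: Optional[str], num_min: Optional[int],
                 num_max: Optional[int], domains: str = ""):
        self.common_name = common_name or None
        # Numbering applies only when both the minimum and the maximum are given.
        self.numbered = num_min is not None and num_max is not None
        self.num_min, self.num_max = num_min, num_max
        self.domains = {d.strip() for d in domains.split(",") if d.strip()}
        self._next = num_min

    def assign(self, sso_domain: Optional[str]) -> Optional[str]:
        """Return the fallback account for an unknown SSO user, or None."""
        if self.common_name is None:
            return None                  # no common name: fallback is not used
        if sso_domain not in self.domains:
            return None                  # domain not listed: no fallback login
        if not self.numbered:
            return self.common_name      # single shared fallback account
        width = len(str(self.num_max))   # assumption: pad as in 'fbuser01'
        name = f"{self.common_name}{self._next:0{width}d}"
        # Round-robin: after the maximum, start again at the minimum.
        self._next = self.num_min if self._next >= self.num_max else self._next + 1
        return name

def demo_sequence(logins: int = 11) -> list:
    """Accounts handed out for consecutive unknown users (constructed input)."""
    pool = FallbackPool("fbuser", 1, 10, "usu")
    return [pool.assign("usu") for _ in range(logins)]
```

Because the accounts are reused in rotation, a fallback user name alone does not identify the person behind a session; the SSO-provided name has to be taken from other records.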

Logging Unsuccessful Logins into a Table

Every login attempt containing an unknown user name (including those authenticated through the SSO methods) or an invalid password can be recorded (logged) into the AMT_SESSION table.

This logging of unsuccessful logins can be switched on/off within the Global Settings under the Application Monitoring Settings:

Help Image

The login attempts with unknown user names are recorded into the AMT_SESSION table without links to the AMT_S3USER table. First and Last Names are empty (see the first line of the Unsuccessful Logins catalog in the picture below).

The login attempts with invalid passwords are recorded with links to the corresponding users into the AMT_S3USER table. The USERCRE attribute is used to record the user names entered into the login dialog.

You can view the logged unsuccessful logins through the catalog 'Unsuccessful Logins' (it is based on the AMT_SESSION table), which is available under the 'Valuemation Core' module:

Help Image

See Also

Single Sign On (SSO)

Additional SSO Configuration

Examples of SSO Configurations

Recommended SSO Methods for Different Environments

Configuration of Browsers