Configuring Single Sign-On (SSO) Using Integrated Windows Authentication

Loftware Enterprise SP supports Integrated Windows authentication using the Kerberos version 5 protocol. You can use this optional capability along with Lightweight Directory Access Protocol (LDAP) authentication to enable users to bypass the Loftware Enterprise SP sign in screen when connecting to your Loftware Enterprise SP environment.

Note: Single sign-on using Integrated Windows authentication is supported only for Loftware Application Servers that are running a Windows Server operating system.

Note: If you are configuring a multi-site deployment (a configuration of a Loftware environment that includes Loftware instances located at different sites within the same WAN; in a multi-site deployment, each Loftware instance acts as either a headquarters or a facility) of Loftware Enterprise SP, you must sign in to each facility site to configure LDAP or Azure authentication. LDAP or Azure authentication information is not synced from headquarters to facilities.

Before you begin: By default, the Loftware Spectrum service uses the Local System account of the Loftware Application Server. In your Windows Server environment, you must create a Run As user account for the Loftware Spectrum service, and you must register a service principal name (SPN) for the service in conjunction with this Run As user. You must create a keytab file (a file containing encrypted credentials for accessing a computer) that you can use to make these credentials available to the Loftware Application Server.

Turn on Kerberos Protocol Support for Loftware Enterprise SP

To support Integrated Windows authentication using Kerberos protocol, you must specify a Run As user for the Loftware Spectrum service, and you must turn on support for Kerberos protocol on the Loftware Application Server.

  1. On the Loftware Application Server, in the Windows Control Panel, open the Services console and double-click the Loftware Enterprise SP service.
    1. On the General tab, click Stop to stop the service.
    2. On the Log On tab, click This account and enter the credentials for the Run As user account that you created for the Loftware Spectrum service.
    3. Click OK.
  2. Open the following file in a text editor:
    <LOFTWARE_HOME>\product\conf\jdbc.properties
    1. Find the section beginning with # Single Sign On.
    2. Set security.authentication.scheme to kerberos.
    3. Set security.kerberos.spn to the service principal name for trust with the domain using the following format. For <hostname>, enter the host name of the Loftware Application Server.

      HTTP/<hostname>.<domain>@<DOMAIN>

    4. Set security.kerberos.keytab to the path to the keytab file that you created for the service principal name for the service in conjunction with the Run As user for the Loftware Spectrum service.
    5. Save and close the file.

    Example

    # Standard Authentication through UI: default
    # Integrated Windows Authentication : kerberos
    # Federated SSO using SAML : federated
    security.authentication.scheme=kerberos

    # Additional settings must be set for SSO to work.
    # Integrated Windows Authentication:
    # You must provide a service principal name and a keytab file to authenticate the received tokens.
    security.kerberos.spn=HTTP/spectrum-server.example.com@EXAMPLE.COM
    security.kerberos.keytab=c:\\kerberos\\spectrum.keytab

    Note: The setting security.kerberos.enabled has been deprecated. You can continue to use this setting, if you use Kerberos. If you switch SSO providers, you must use the security.authentication.scheme setting, and remove the security.kerberos.enabled setting.

  3. Delete the following file if it exists:
    <LOFTWARE_HOME>\product\jms-data\db-1.log
  4. In the Windows Control Panel, open the Services console and start the Loftware Spectrum service.
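The following pre-flight check is an added example, not part of the Loftware product or its documentation. It reads the Single Sign On section of jdbc.properties, checks that security.authentication.scheme is kerberos, that security.kerberos.spn has the HTTP/<hostname>.<domain>@<DOMAIN> shape (assuming, as that format implies, that the realm is the upper-case DNS domain), that the keytab path resolves to an existing file, and warns if the deprecated security.kerberos.enabled key is still present. The sample properties text is constructed from the page's example; the keytab_exists parameter exists only so the check can run without a real file.

```python
import os
import re

# Constructed sample of the "# Single Sign On" section of jdbc.properties; it
# mirrors the page's example and deliberately includes the deprecated key.
SAMPLE_PROPERTIES = r"""
# Integrated Windows Authentication : kerberos
security.authentication.scheme=kerberos
security.kerberos.spn=HTTP/spectrum-server.example.com@EXAMPLE.COM
security.kerberos.keytab=c:\\kerberos\\spectrum.keytab
security.kerberos.enabled=true
"""

# HTTP/<hostname>.<domain>@<DOMAIN>; the realm is assumed to be the upper-case DNS domain.
SPN_RE = re.compile(r"^HTTP/(?P<host>[A-Za-z0-9-]+)\.(?P<domain>[A-Za-z0-9.-]+)@(?P<realm>[A-Z0-9.-]+)$")

def parse_properties(text):
    """Minimal Java .properties reader: '#' comments, key=value, backslash escapes."""
    props = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line[0] in "#!":
            continue
        m = re.match(r"([^=:\s]+)\s*[=:]?\s*(.*)", line)
        if m:
            # A backslash quotes the next character, so c:\\kerberos in the file means c:\kerberos.
            props[m.group(1)] = re.sub(r"\\(.)", r"\1", m.group(2))
    return props

def check_sso_settings(props, keytab_exists=os.path.isfile):
    """Return the problems found in the Kerberos SSO settings (an empty list means OK)."""
    findings = []
    if props.get("security.authentication.scheme") != "kerberos":
        findings.append("security.authentication.scheme must be 'kerberos'")
    m = SPN_RE.match(props.get("security.kerberos.spn", ""))
    if not m:
        findings.append("security.kerberos.spn is not of the form HTTP/<hostname>.<domain>@<DOMAIN>")
    elif m.group("domain").upper() != m.group("realm"):
        findings.append("SPN realm is not the upper-case form of the host's DNS domain")
    keytab = props.get("security.kerberos.keytab", "")
    if not keytab or not keytab_exists(keytab):
        findings.append("security.kerberos.keytab is unset or the file does not exist: " + keytab)
    if "security.kerberos.enabled" in props:
        findings.append("security.kerberos.enabled is deprecated; remove it and keep security.authentication.scheme")
    return findings

if __name__ == "__main__":
    for problem in check_sso_settings(parse_properties(SAMPLE_PROPERTIES)):
        print("WARN:", problem)
```

Run it against the real file with parse_properties(open(path).read()) after editing jdbc.properties and before restarting the service.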

Configure LDAP Authentication and User Accounts

To support Integrated Windows authentication using Kerberos protocol, you must configure LDAP authentication and create user accounts in Loftware Enterprise SP.

Note: To perform this task, you must be signed in as the ClientAdmin, SystemAdmin, or SuperAdmin user. For more information, see Controlling Access to System Settings.

  1. Display the Loftware Enterprise SP sign in screen by typing the URL for connecting to Loftware Enterprise SP into a web browser, appending ?showLogin=true to the end of the URL, and then submitting the URL.

    Example

    http://spectrum-server.example.com:8080/loftwarespectrum?showLogin=true

  2. Sign in to Loftware Enterprise SP and go to System > System Management > LDAP Authentication.
  3. Create a new LDAP authentication.
  4. For Domain Name, enter a unique name for the LDAP server configuration that identifies the domain represented.
  5. For Provider URL, enter the LDAP URL to be used by Loftware Enterprise SP when establishing a connection to the LDAP server. Either LDAP or LDAP over SSL (LDAPS) may be used.
  6. Select an Authentication Type:
    • Search and Bind: Use the Search Base and Search Filter to find the user distinguished name (DN), and then attempt to bind with the user DN and password.
    • Search and Compare: Use the Search Base and Search Filter to find the user DN, and then attempt to use the LDAP Compare operation with the Password Attribute.
    • Bind Only: Attempt to bind with the user DN and password by using the User DN Patterns.
    • Compare Only: Attempt to use the LDAP Compare operation with the Password Attribute and the User DN Patterns.
  7. If you selected Bind Only or Compare Only for Authentication Type, enter a User DN Pattern.

    Example

    uid={0}

  8. If you selected Search and Bind or Search and Compare for Authentication Type, enter a Search Filter.

    Example: OpenLDAP

    (uid={0})

  9. Click Save.
  10. Configure user accounts in Loftware Enterprise SP. For users who will sign in using single sign-on, the username must be the same as their domain username. For more information, see Controlling Access in Loftware Enterprise SP.

    Note: Web browsers on Loftware Enterprise SP client computers must be configured to support the Kerberos protocol. For more information, refer to the documentation for web browsers supported by your organization.
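The following is an added illustration, not code from the Loftware product, of what the four Authentication Types above do with the {0} placeholder: the Search Base and Search Filter are used for the search variants, the User DN Pattern for the bind-only and compare-only variants, and the user is then checked either by an LDAP bind or by an LDAP Compare against the Password Attribute. The substituted username is escaped with the generic LDAP rules (RFC 4515 for filter values, RFC 4514 for DN values); how Loftware Enterprise SP itself performs the substitution is not stated on this page. The settings dictionary uses the page's example patterns with constructed base DN and attribute values.

```python
import re

# Constructed LDAP settings, in the form of the fields on the page's screen.
SETTINGS = {
    "search_base": "ou=people,dc=example,dc=com",
    "search_filter": "(uid={0})",      # page's OpenLDAP Search Filter example
    "user_dn_pattern": "uid={0}",      # page's User DN Pattern example
    "password_attribute": "userPassword",
}

def escape_filter_value(value):
    # RFC 4515: ( ) * \ and NUL inside a filter value are hex-escaped, so a username
    # such as 'x)(uid=*' is matched literally instead of rewriting the filter.
    return re.sub(r"[()*\\\x00]", lambda m: "\\%02x" % ord(m.group(0)), value)

def escape_dn_value(value):
    # RFC 4514: " + , ; < > \ get a backslash, as do a leading space or '#'
    # and a trailing space.
    out = re.sub(r'([",+;<>\\])', r"\\\1", value)
    if out[:1] in (" ", "#"):
        out = "\\" + out
    if out.endswith(" "):
        out = out[:-1] + "\\ "
    return out

def expand_search_filter(template, username):
    return template.replace("{0}", escape_filter_value(username))

def expand_user_dn(template, username):
    return template.replace("{0}", escape_dn_value(username))

def plan_authentication(auth_type, username, s=SETTINGS):
    """List, in order, the LDAP operations a given Authentication Type performs."""
    steps = []
    if auth_type in ("Search and Bind", "Search and Compare"):
        steps.append(("search", s["search_base"], expand_search_filter(s["search_filter"], username)))
        dn = "<DN returned by search>"
    elif auth_type in ("Bind Only", "Compare Only"):
        dn = expand_user_dn(s["user_dn_pattern"], username)
    else:
        raise ValueError("unknown Authentication Type: " + auth_type)
    if "Bind" in auth_type:
        steps.append(("bind", dn))  # the bind itself proves the password
    else:
        # Compare sends the password for the server to check against the attribute,
        # which only works if the directory permits Compare on that attribute.
        steps.append(("compare", dn, s["password_attribute"]))
    return steps
```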

Tip: Administrators may need to sign in to Loftware Enterprise SP using non-domain accounts. You can access the Loftware Enterprise SP sign in page by appending ?showLogin=true to the URL that you use to sign in to Loftware Enterprise SP.