Single sign-on (SSO) with Windows client, WebSphere, AD and TRIRIGA

nicolas....@gmail.com

Jul 18, 2014, 7:02:36 AM
to tridev...@googlegroups.com
Hi all,

I have "successfully" set up SSO in WebSphere for TRIRIGA with LDAP / Active Directory user registry.

However, I have a remaining problem between the Windows (IE) client and WebSphere: the browser pops up the Windows Security credential prompt dialog (pre-filled with username and password) after the *browser* is restarted.


I have noticed that the User name field is blank in the Windows Vault credentials, which is a different behavior as compared to our MS CRM SSO behavior.

Even if it is blank, the Windows Security prompt comes up pre-filled and does authenticate me successfully if I click the OK button after recreating a browser session and accessing the TRIRIGA site.


I thought that this might be related to these settings in WebSphere Global security -> Web Security - General settings:

But if I check the other options, I do not get prompted (apparently no authentication challenge is sent to the client).

Has anyone gone through this before? Do I have to enable SSL for SSO to fully work with this configuration?

Thanks in advance for your thoughts on this problem.

Nicolas











nicolas....@gmail.com

Jul 18, 2014, 7:07:28 AM
to tridev...@googlegroups.com
I have attached the embedded images to this message.



Credential manager.png
WebSphere.png
Windows security prompt.png

nicolas....@gmail.com

Jul 28, 2014, 9:48:52 PM
to tridev...@googlegroups.com
It is finally working! I had quite a few things missing...

I used WebSphere with SPNEGO. The TRIRIGA application also needs a security constraint for HTTP GET and POST in web.xml. This last part gave me a hard time (use the snoop servlet to validate SPNEGO is correctly configured and derive the security constraint from its web.xml). Also the security to user/group mapping must be set to all authenticated in realm.


The key document I used from IBM was:

WebSphere with a side of SPNEGO: Configuring SPNEGO in WebSphere 6.1, 7 and 8 Environments Using Microsoft Active Directory (Version 4)



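Added example (not part of the thread and not TRIRIGA's or IBM's own descriptor): a small Python audit of a web.xml security constraint of the kind the last post describes, limited to HTTP GET and POST. Under the Servlet specification, a constraint that lists `<http-method>` elements applies only to those methods, so the check reports which standard methods the constraint leaves uncovered. The role name `AllAuthenticated` and the `/*` URL pattern are assumptions for illustration; mapping the role to "all authenticated in realm" is done in WebSphere, outside web.xml.

```python
import xml.etree.ElementTree as ET

# Constructed web.xml fragment (not TRIRIGA's real descriptor): the role name
# "AllAuthenticated" and the "/*" pattern are assumptions for illustration.
WEB_XML = """<web-app xmlns="http://java.sun.com/xml/ns/javaee" version="2.5">
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>Protected application</web-resource-name>
      <url-pattern>/*</url-pattern>
      <http-method>GET</http-method>
      <http-method>POST</http-method>
    </web-resource-collection>
    <auth-constraint>
      <role-name>AllAuthenticated</role-name>
    </auth-constraint>
  </security-constraint>
  <security-role>
    <role-name>AllAuthenticated</role-name>
  </security-role>
</web-app>"""

STANDARD_METHODS = {"GET", "POST", "PUT", "DELETE", "HEAD", "OPTIONS", "TRACE"}

def _find_all(elem, name):
    # Match on the local tag name so the check works with or without a namespace.
    return [e for e in elem.iter() if e.tag.rsplit("}", 1)[-1] == name]

def audit_constraints(web_xml):
    """Return one dict per security-constraint: patterns, roles, method coverage."""
    root = ET.fromstring(web_xml)
    declared = {r.text.strip() for sr in _find_all(root, "security-role")
                for r in _find_all(sr, "role-name")}
    report = []
    for sc in _find_all(root, "security-constraint"):
        listed = {m.text.strip().upper() for m in _find_all(sc, "http-method")}
        roles = [r.text.strip() for ac in _find_all(sc, "auth-constraint")
                 for r in _find_all(ac, "role-name")]
        # No <http-method> element at all means the constraint covers every method.
        covered = listed or set(STANDARD_METHODS)
        report.append({
            "patterns": [p.text.strip() for p in _find_all(sc, "url-pattern")],
            "roles": roles,
            "covered": sorted(covered),
            "uncovered": sorted(STANDARD_METHODS - covered),
            "undeclared_roles": sorted(set(roles) - declared),
        })
    return report
```

A non-empty `uncovered` list means requests using those methods reach the matching URLs without the authentication constraint; omitting the `<http-method>` elements makes the constraint apply to all methods.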