3.3 Configuring Auto-Login for Single Sign-On (SSO)

The Dashboard supports Single Sign-On (SSO) capability through its auto-login function. SSO allows users to gain access to multiple systems (that support SSO) with a single login. For more information about implementing auto-login, see Section 3.3.1, Implementing Auto-Login with Your Web Server. For more information about user access to the Dashboard, see Section 4.0, User Accounts.

In situations where it is necessary to disable direct access to the Dashboard server or operations client, authentication can be verified against the SSO implementation before users are granted access. For more information, see Section 3.3.2, Disabling Direct Client Login.

3.3.1 Implementing Auto-Login with Your Web Server

The Dashboard’s auto-login can be used with any mechanism in which HTTP requests include an HTTP header containing the user name to be auto-logged in. It is most commonly used with the Apache Web server set up as a reverse proxy.

When using a Web server reverse proxy, the security plug‑in can authenticate incoming HTTP requests based on a certificate for a user name. The Web server can then be configured to pass an HTTP header containing the user name of the authenticated user to the Dashboard. If the Dashboard server has been configured to allow auto-login, the user is automatically logged in, bypassing the need for the user to provide a user name and password.

In the above illustration, a Web server is configured as a reverse proxy. The appropriate auto-login header (such as remote-user) is embedded into HTTP requests and the Dashboard server is configured to allow auto-login. Valid Operations Center users (a user that has already been created and exists in Operations Center) are authenticated if the specified HTTP header exists and the Dashboard is configured for auto-login, and the users are automatically logged in to the Operations Center server.

To configure auto-login using the Web server reverse proxy:

  1. Configure the Dashboard for auto-login by updating the Dashboard configuration file.

    1. Open the Operations_Center_Dashboard_installation_path/server/webapps/ROOT/WEB-INF/classes/portal-ext.custom.properties file in a text editor.

      For more information about the portal-ext.custom.properties file, see Section 3.9, Understanding Portal Properties Files.

    2. Add the following line, but do not change the value of the property:

      auto.login.hooks=com.mosol.liferay.authenticator.MOAuth

    3. Add the following line to specify the Web Server Request URIs that allow auto-login:

      mo.autologin.request.uris=.*

      The value defaults to .* for all pages, as shown in the code sample above.

      You can configure this property to a specific page, such as /c/portal/login. If a user has not yet established a portal login and accesses the http://dashboard_host:dashboard_port/c/portal/login page, the auto-login is attempted. However, if any other page is accessed without a previous portal login established, then auto-login is not attempted because the page is not a match for the property’s regular expression.

      To specify more than one specific page, use a pipe character (vertical line) to separate the values. For example, /c/portal/login|/c/portal/layout sets the auto-login to the login page and general layout page. If the general layout page is specified (/c/portal/layout, .*, and so on), then logging out of the portal triggers an immediate attempt to auto-login. If successful, the user is automatically logged in and does not see a login portlet.

    4. Add the following line to request the header containing the principal to auto-login:

      mo.autologin.header=remote-user

      The value of remote-user is an http header only. In this configuration file you do not usually change the line itself or declare specific users.

    5. After saving the file, restart the Dashboard Web server.

      For more information, see Section 2.3.1, Starting the Dashboard.

  2. Configure the Web server to set up the reverse proxy to forward requests from “/” to the Dashboard server URL.

    For more information about configuring the Apache Server reverse proxy, contact Technical Support.

  3. Configure a custom HTTP header by adding a remote-user, or the header specified above in Step 1.d, to contain the value of an existing Operations Center user.

  4. Set up client certificates between the Web server and the Dashboard.

    For more information about setting up a keystore and trust store, see Communications Security in the Operations Center Security Management Guide.

    For more information about configuring Apache for client certificates, contact Technical Support.

3.3.2 Disabling Direct Client Login

When direct access should be disabled to the Dashboard server or operations client, user authentication against the auto-login implementation can be forced before access to the Dashboard or the operations client is granted. This approach provides a single authentication pipeline for all users against the target system.

To disable direct client login:

  1. Open the Operations_Center_Dashboard_installation_path/server/webapps/ROOT/WEB-INF/classes/portal-ext.custom.properties file in a text editor.

    For more information about the portal-ext.properties and portal-ext.custom.properties files, see Section 3.9, Understanding Portal Properties Files.

  2. Add or update the following parameters as shown:

    Client.DisableLogins=true
Client.DisableLogins.AllowedAccounts=admin,guest

    Setting the Client.DisableLogins parameter to True disables logins to the operations client.

    The Client.DisableLogins.AllowedAccounts parameter defines a comma-separated list of accounts that are allowed to log in when the SSO provider is not available and administrators need access to the system.

  3. Save the file, then restart the Dashboard Web server.