Single Sign On
Source: https://ephesoft.com/docs/products/transact/configurations/user-connectivity/single-sign-on-resources/single-sign-on/ (published 2014-09-05, last modified 2020-12-03)
Single sign-on (SSO) is an access-control mechanism that can be applied across multiple related but independent software systems. With this mechanism a user logs in once and gains access to multiple systems without being prompted to log in again for each individual application. Conversely, single sign-off is the property whereby a single action of signing out terminates access to multiple software systems.

As different applications and resources support different authentication mechanisms, single sign-on has to internally translate to and store different credentials compared to what is used for initial authentication.

Ephesoft Transact has been tested with the following SSO-related components:

Benefits

Challenges

Supported Identity providers

For additional information about configuring SAML 2.0 SSO with Ephesoft Transact, please refer to the following document:

Manually Configuring SAML 2.0 SSO for Ephesoft Transact 4.5.0.x

For additional information about CAS-based SSO with Ephesoft Transact, please refer to the following document:

SSO | CAS-Based SSO Framework

Ephesoft Transact has been tested with the following SSO-related components (refer to the Overview at the start of this document for additional information):

If you would like to deploy SSO with another identity provider, please feel free to contact Support by emailing us at tickets@ephesoft.com

Designs

Following are the basic design patterns used to implement single sign-on solutions.

1. Ad-hoc Encrypted Token — Not currently supported

Applications use symmetric and public key cryptography to encrypt the application data that are used for SSO. Refer to the following illustration:

[Illustration]

This SSO design can be integrated with Ephesoft using Active Directory only. A key store has to be maintained in every application that is to be unified under SSO, so such a provision must be available on each of those applications.

Pros:

Cons:

2. Using Third-party SSO Agents or Identity Management Systems (IdPs) — Supported Method

This approach supports identity providers (IdPs) such as OAM, SiteMinder, and so on.

In this approach, the Ephesoft application uses the service provided by SSO agents. Refer to the following illustration.

[Illustration]

The Ephesoft solution is currently based on this design (design # 2).

Description

The Ephesoft application can now be configured using the following security types:

The security type for the Ephesoft application can be configured in the web.xml file.

The following properties must be configured in the web.xml file:

1. authenticationType — context parameter for defining the security type mentioned above.

This property can be configured with the following values:

Refer to the following illustration:

[Illustration]

2. When configuring the authenticationType parameter cited above with a value of 1 or 2, the following parameters must also be configured:

A. The following parameters need to be configured for the authenticationFilter filter:

Refer to the following illustration for examples of these parameters:

[Illustration]

B. All the <security-constraint> and <login-config> settings must be commented or deleted because these components are managed by the SSO agent.

C. A default_group property has been added in the application.properties file. This setting defines a default group to be used in case the group name is not provided in the request header. (This must be used only for security type 2.)

IMPORTANT: For security types 1 and 2, any realm configured for the Ephesoft application (configured for earlier shared releases) needs to be removed.

Ephesoft Transact must be configured with the following settings, along with other configurations communicated from Ephesoft:

Defining Session Timeout Settings

Remove the new session timeout feature in cases where the authentication type is set to 1 or 2.

Perform the following steps:

1. Comment the SessionTimeoutFilter and SessionTimoutServlet entries in the web.xml file.

Refer to the following illustration as a sample of these settings: