Enabling Web Single Sign-On

You can enable Web Single Sign-On (SSO) by running SQL commands in the SQL interface. You must be a global administrator to enable Web SSO.

Before you begin

Note: When a user is authenticated, Web SSO adds HTTP headers to each request from that user and ensures that those headers are not present in requests that are made by users who are not authenticated.

Procedure

  1. Configure your Web SSO solution.
    1. Configure at least one HTTP header to contain the user name of the authenticated user. This user name is matched against the login name of a Web SSO user in Rational Focal Point.
      Note: In addition, two more HTTP headers can be configured with values. Rational Focal Point checks only that these additional headers exist; their values are not used. A header of any type can be configured in the Web SSO server because Rational Focal Point can check for these headers.
    2. Include the headers in each HTTP request that is sent to Rational Focal Point.
  2. Configure Rational Focal Point.

    Rational Focal Point can check a maximum of three HTTP headers that are sent by the Web SSO server. Rational Focal Point checks the following three headers by default: HTTP_SM_AUTHENTIC, HTTP_SM_AUTHORIZED, HTTP_SM_USER. Rational Focal Point checks the HTTP_SM_USER header for the user name and matches it against the login names of Web SSO users. The headers HTTP_SM_AUTHENTIC and HTTP_SM_AUTHORIZED are only checked for existence. These headers must contain a valid value but the value is not checked.

    • Rational Focal Point must be configured again if the headers that are sent by the Web SSO server are different from the default headers. Rational Focal Point must map the default header name to the actual header name that is sent by the Web SSO server. For example, to configure Rational Focal Point to check for ACTUAL_HEADER_NAME instead of the default header HTTP_SM_AUTHENTIC during Web SSO login, the administrator must run the following SQL query once:

      insert into configurationproperties (name,value) values ('HTTP_SM_AUTHENTIC','ACTUAL_HEADER_NAME')

      The same query can be run to map the other two default headers.
    • Rational Focal Point must be configured again if the Web SSO server sends fewer than three headers. For example, if the Web SSO server sends only the SSO_USER_HEADER header, Rational Focal Point must be configured to check only the header that is sent. To map the default headers to SSO_USER_HEADER, the administrator must run the following SQL queries once, substituting the name of the header that is sent for each placeholder value:
      • insert into configurationproperties (name,value) values ('HTTP_SM_AUTHENTIC','authentic_header_name')
      • insert into configurationproperties (name,value) values ('HTTP_SM_AUTHORIZED','authorized_header_name')
      • insert into configurationproperties (name,value) values ('HTTP_SM_USER','user_header_name')
  3. Click Advanced > SQL.
  4. At a command prompt, type update configurationproperties set value='true' where name='websso.enable'
  5. Restart the server.
  6. Click Users > Manage Users. For the users who you want to authenticate by using Web SSO, set the Authentication attribute to Web Single Sign-On.
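
The header check described in step 2, modeled in Python as an added example (it is not Rational Focal Point code and not part of the original page); the function names and sample data are assumptions. It shows how the configurationproperties mapping resolves header names and why the Web SSO server must remove these headers from unauthenticated requests, because the check can only see which headers arrive.

```python
# Added illustration: a model of the header check described above, not product code.
DEFAULTS = ("HTTP_SM_AUTHENTIC", "HTTP_SM_AUTHORIZED", "HTTP_SM_USER")


def resolve_headers(config_rows):
    """Map each default header name to the name the Web SSO server actually sends.

    config_rows models (name, value) rows of configurationproperties;
    a default that has no row keeps its own name.
    """
    props = dict(config_rows)
    return {default: props.get(default, default) for default in DEFAULTS}


def strip_sso_headers(headers, mapping):
    """Model of the Web SSO side: drop SSO headers from an unauthenticated request."""
    blocked = {name.upper() for name in mapping.values()}
    return {k: v for k, v in headers.items() if k.upper() not in blocked}


def web_sso_login(headers, mapping, sso_users):
    """Return the matched login name, or None if the header check fails."""
    seen = {k.upper(): v for k, v in headers.items()}  # header names are case-insensitive
    # Two headers are checked for existence only; their values are ignored.
    for default in ("HTTP_SM_AUTHENTIC", "HTTP_SM_AUTHORIZED"):
        if mapping[default].upper() not in seen:
            return None
    # The user header value must match the login name of a Web SSO user.
    user = seen.get(mapping["HTTP_SM_USER"].upper(), "")
    return user if user in sso_users else None


# Constructed sample data.
SSO_USERS = {"alice"}  # users whose Authentication attribute is Web Single Sign-On
# All three defaults mapped to the one header that is sent, as in the example above.
SINGLE = resolve_headers([(d, "SSO_USER_HEADER") for d in DEFAULTS])
# Header supplied by a client that never authenticated.
CLIENT_SUPPLIED = {"SSO_USER_HEADER": "alice"}

if __name__ == "__main__":
    # Request that did not pass through the Web SSO server: the header is accepted.
    print(web_sso_login(CLIENT_SUPPLIED, SINGLE, SSO_USERS))
    # Same request after the Web SSO server removed the header: login is refused.
    cleaned = strip_sso_headers(CLIENT_SUPPLIED, SINGLE)
    print(web_sso_login(cleaned, SINGLE, SSO_USERS))
```

With all three defaults mapped to a single header, that one header is the whole login decision, so Rational Focal Point should be reachable only through the Web SSO server.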
