Enabling Web Single Sign-On

You can enable Web Single Sign-On (Web SSO) by running SQL commands in the SQL interface. You must be a global administrator to enable Web SSO.

Before you begin

Note: HTTP headers are added to each user request for all authenticated users who use Web SSO. These headers are not added to the requests that are made by users who are not authenticated.

About this task

Rational Focal Point can check a maximum of three HTTP headers that are sent by the Web SSO server. Rational Focal Point checks the following three headers by default:

  • HTTP_SM_AUTHENTIC: Checked for existence. The header must contain a valid value, but the value is not checked.
  • HTTP_SM_AUTHORIZED: Checked for existence. The header must contain a valid value, but the value is not checked.
  • HTTP_SM_USER: Checked for the user name and matched with the login names of Web SSO users.

If the headers that are sent by the Web SSO server are different from the default headers, or if fewer than three headers are sent, the Rational Focal Point administrator must execute the required SQL queries.

Procedure

  1. Configure the Web SSO solution.
    1. Configure at least one HTTP header to contain the user name of the authenticated user. This user name is matched with the login name of a Web SSO user in Rational Focal Point.
      Note: A maximum of three HTTP headers can be configured to contain the user name of the authenticated user. Default HTTP header names can be replaced by the names provided by the user.
    2. Include the headers in each HTTP request that is sent to Rational Focal Point.
  2. Configure Rational Focal Point.
    • If the headers that are sent by the Web SSO server are different from the default headers, run a query to map the default header name to the actual header name that is sent by the Web SSO server. For example, to configure Rational Focal Point to check for ACTUAL_HEADER_NAME instead of the default header HTTP_SM_AUTHENTIC during Web SSO login, run the following SQL query once:

      insert into configurationproperties (name,value) values ('HTTP_SM_AUTHENTIC','ACTUAL_HEADER_NAME')

      The same query can be run to map the other two default headers. After the queries are run, Rational Focal Point verifies only the new headers.
    • If the Web SSO server sends fewer than three headers, run a query to check only the header that is sent. For example, if the Web SSO server sends only the SSO_USER_HEADER header, map the default headers to SSO_USER_HEADER by running the following SQL queries once:
      • insert into configurationproperties (name,value) values ('HTTP_SM_AUTHENTIC','authentic_header_name')
      • insert into configurationproperties (name,value) values ('HTTP_SM_AUTHORIZED','authorized_header_name')
      • insert into configurationproperties (name,value) values ('HTTP_SM_USER','user_header_name')
  3. Click Advanced > SQL.
  4. At a command prompt, type update configurationproperties set value='true' where name='websso.enable'
  5. Restart the server.
  6. In Rational Focal Point, click Users > Manage Users. For the users who you want to authenticate by using Web SSO, set the Authentication attribute to Web Single Sign-On.
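
The header checks and name mapping described in this procedure can be modelled offline to test a planned configuration before Web SSO is enabled. This is an added example, not Rational Focal Point code; the function names, the exact-match comparison of login names, the treatment of an empty value as missing, and the sample data are assumptions.

```python
# Illustrative model of the documented checks; not Rational Focal Point code.
DEFAULT_HEADERS = ("HTTP_SM_AUTHENTIC", "HTTP_SM_AUTHORIZED", "HTTP_SM_USER")


def effective_headers(config_rows):
    """Map each default header name to the header name that is actually checked.

    config_rows holds the (name, value) pairs inserted into configurationproperties.
    """
    mapping = {name: name for name in DEFAULT_HEADERS}
    for name, value in config_rows:
        if name in mapping:
            mapping[name] = value
    return mapping


def check_request(headers, config_rows, sso_logins):
    """Return (accepted, reason) for one request's headers."""
    mapping = effective_headers(config_rows)
    # The first two headers are checked for existence only; the value is ignored.
    for default in ("HTTP_SM_AUTHENTIC", "HTTP_SM_AUTHORIZED"):
        actual = mapping[default]
        if not headers.get(actual):  # assumption: an empty value counts as missing
            return False, f"missing {actual} (checked as {default})"
    user_header = mapping["HTTP_SM_USER"]
    user = headers.get(user_header)
    if not user:
        return False, f"missing {user_header} (checked as HTTP_SM_USER)"
    # Assumption: login names are compared by exact match.
    if user not in sso_logins:
        return False, f"{user!r} is not a Web SSO login name"
    return True, f"authenticated as {user}"


# Constructed sample data: an SSO server that sends a single header.
SINGLE_HEADER_CONFIG = [(name, "SSO_USER_HEADER") for name in DEFAULT_HEADERS]
SSO_LOGINS = {"jsmith"}

if __name__ == "__main__":
    requests = [
        {"SSO_USER_HEADER": "jsmith"},
        {"SSO_USER_HEADER": "unknown_user"},
        {"HTTP_SM_USER": "jsmith"},  # default name is no longer checked
    ]
    for req in requests:
        print(req, "->", check_request(req, SINGLE_HEADER_CONFIG, SSO_LOGINS))
```

When all three default names are mapped to one header, the two existence checks are satisfied by the user name header itself, so the user name match is the only effective check.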

Enabling the display of the Web Single Sign-on error message when HTTP_SM_USER value is invalid

About this task

When the value of the HTTP_SM_USER header is not a valid login name, you can display the Web Single Sign-on (Web SSO) error message instead of the Rational Focal Point login page.

Procedure

  1. In Rational Focal Point, click Advanced > SQL.
  2. To enable the Web SSO error message, run the following query:

    update projectsetting set value='true' where name='show.websso.error'

    Note: By default, the value of show.websso.error is false.
  3. Optional: To append a customized message to the Web SSO error message, run the query: update projectsetting set value='or access the link [URL]http://sample_url.com[/URL]' where name='sso.nonexistentuser.errormessage'
    Note: Replace the sample message "or access the link http://sample_url.com" in the above example with the message that you want to append. To include a URL in the message, use the Rational Focal Point URL tags.
  4. Click Advanced > Caches, and clear the Settings cache.

Results

If the HTTP_SM_USER header value is invalid, the Web SSO error message is displayed instead of the login page.
