IBM TRIRIGA Application Platform Version 3.5.2

Requirements for and limitations of single sign-on requests in TRIRIGA Application Platform

In an SSO environment, the user name and password that the user enters must match the user name and password that are stored in the directory server. The application server or web server then authenticates the user and inserts the user name into the HTTP request header.

The user name in the HTTP request header must exactly match a user name that is stored in the IBM TRIRIGA database. When configured properly, IBM TRIRIGA reads the user name from the request header and validates it against the user names stored in the IBM TRIRIGA database; the password check has already been done by the application server or web server.

IBM TRIRIGA supports the following methods of inserting the user name into an HTTP header:
  • Remote User - The web server or application server authenticates the user and exposes the user name as the request's REMOTE_USER value. The Java™ call is request.getRemoteUser().
  • User Principal - The web server or application server authenticates the user and exposes the user name as the request's user principal (referred to as the UserPrincipal HTTP header in the SSO configuration). The Java call is request.getUserPrincipal().getName().
  • HTTP Header - The web server or application server authenticates the user and puts the user name in a specifically named HTTP header. Unlike the first two methods, this value is a plain request header, so it is only as trustworthy as the path the request took to reach IBM TRIRIGA.
In addition to the insertion methods, IBM TRIRIGA supports several options for the user name after it is retrieved from the HTTP header:
  • Removal of Domain Name - In some SSO environments, the LDAP domain name is supplied along with the user name, but only the user name portion is configured in the IBM TRIRIGA database. If the value in the HTTP header arrives in the form MyCompany\username, enabling this option strips the domain portion (MyCompany\) and leaves username.
  • Case Sensitivity - Some directory servers supply the user name in mixed case, depending on a number of conditions. By default, IBM TRIRIGA user names are case-sensitive. If the directory server is found to supply user names in mixed case, you can disable the case-sensitive check in the SSO process.
Considerations:
  • If you are using a web server to provide the authentication portion, disable the HTTP port on the application server after the web server configuration is complete. Leaving the application server's HTTP port open creates a bypass of the SSO front end: a user who goes to that port directly is prompted for credentials, and the user name and password are then verified against the IBM TRIRIGA database rather than by the SSO solution.
  • IBM® TRIRIGA® is compatible with SSO when SSO is configured properly. After the appropriate IBM TRIRIGA properties are enabled for SSO, IBM TRIRIGA can accept tokens that are provided by properly configured application servers with SSO. IBM Support can assist with configuring the IBM TRIRIGA properties for SSO. However, because of the number of products, technologies, and configurations that IBM TRIRIGA supports, IBM Support cannot help with the configuration of SSO within your environment.
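The servlet filter below is an added example written for this page; it is not IBM TRIRIGA code, and the configuration names in it (the Method enum, headerName, removeDomain, caseSensitive, the userStore map, and the sso.resolvedUser request attribute) are assumptions. It shows the three insertion methods side by side, applies the two post-processing options, and makes the point behind the consideration about the application server's HTTP port concrete: REMOTE_USER and the user principal are populated by the container after its own authentication, whereas a named HTTP header is whatever arrived on the request, so the HTTP Header method is safe only when every request provably passed through the authenticating web server.

```java
// Added example, not IBM TRIRIGA code. Uses the javax.servlet API of the
// TRIRIGA 3.5.x era. Configuration fields and the userStore map are assumed;
// the map stands in for the user names stored in the IBM TRIRIGA database.
import java.io.IOException;
import java.security.Principal;
import java.util.ArrayList;
import java.util.List;
import java.util.Locale;
import java.util.Map;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

public class SsoUserNameFilter implements Filter {

    /** The three insertion methods the page lists. */
    public enum Method { REMOTE_USER, USER_PRINCIPAL, HTTP_HEADER }

    private final Method method;
    private final String headerName;             // used only with HTTP_HEADER
    private final boolean removeDomain;          // "Removal of Domain Name" option
    private final boolean caseSensitive;         // "Case Sensitivity" option, on by default
    private final Map<String, String> userStore; // user name -> record id (assumed stand-in for the DB)

    public SsoUserNameFilter(Method method, String headerName, boolean removeDomain,
                             boolean caseSensitive, Map<String, String> userStore) {
        this.method = method;
        this.headerName = headerName;
        this.removeDomain = removeDomain;
        this.caseSensitive = caseSensitive;
        this.userStore = userStore;
    }

    /** Reads the user name the front end inserted, or null if nothing was inserted. */
    public static String rawUserName(HttpServletRequest req, Method method, String headerName) {
        switch (method) {
            case REMOTE_USER:
                return req.getRemoteUser();            // set by the container after it authenticated
            case USER_PRINCIPAL:
                Principal p = req.getUserPrincipal();  // likewise populated by the container
                return p == null ? null : p.getName();
            case HTTP_HEADER:
                // A plain request header. If a client can reach this server without going
                // through the authenticating web server, it can set this header itself,
                // which is why the application server's HTTP port must be closed.
                return req.getHeader(headerName);
            default:
                return null;
        }
    }

    /** "Removal of Domain Name": MyCompany\username becomes username. */
    public static String stripDomain(String name, boolean removeDomain) {
        if (name == null || !removeDomain) {
            return name;
        }
        int backslash = name.lastIndexOf('\\');
        return backslash >= 0 ? name.substring(backslash + 1) : name;
    }

    /**
     * Looks the name up in the store. With caseSensitive the match is exact. Without it the
     * match ignores case, but is rejected as ambiguous if more than one stored name matches,
     * so disabling the case check can never map one SSO identity onto two database users.
     */
    public static String resolve(String name, Map<String, String> store, boolean caseSensitive) {
        if (name == null || name.isEmpty()) {
            return null;
        }
        if (caseSensitive) {
            return store.containsKey(name) ? name : null;
        }
        String wanted = name.toLowerCase(Locale.ROOT);
        List<String> hits = new ArrayList<>();
        for (String stored : store.keySet()) {
            if (stored.toLowerCase(Locale.ROOT).equals(wanted)) {
                hits.add(stored);
            }
        }
        return hits.size() == 1 ? hits.get(0) : null;
    }

    @Override
    public void doFilter(ServletRequest request, ServletResponse response, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest req = (HttpServletRequest) request;
        HttpServletResponse resp = (HttpServletResponse) response;
        String raw = rawUserName(req, method, headerName);
        String user = resolve(stripDomain(raw, removeDomain), userStore, caseSensitive);
        if (user == null) {
            // No SSO identity, or one with no matching database user: never fall through.
            resp.sendError(HttpServletResponse.SC_UNAUTHORIZED);
            return;
        }
        req.setAttribute("sso.resolvedUser", user);  // assumed attribute name for downstream code
        chain.doFilter(request, response);
    }

    @Override public void init(FilterConfig cfg) { }
    @Override public void destroy() { }
}
```

When the HTTP Header method is used, the authenticating web server should also overwrite (not merely add) the named header on every proxied request, so that a value a client sent in the same header never survives the hop; the filter above cannot tell the two apart.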
Limitations:
  • IBM TRIRIGA does not support Security Assertion Markup Language (SAML) or credential-less login mechanisms such as SmartCard or Common Access Card (CAC) as a method of authentication for its non-browser clients. Non-browser clients include the following clients:
    • IBM TRIRIGA CAD Integrator/Publisher
    • IBM TRIRIGA Connector for BIM
    • IBM TRIRIGA reservation add-in for Microsoft Outlook

    SSO solutions must provide a mechanism for basic authentication for non-browser clients. SAML and SmartCard or CAC do not support basic authentication for non-browser based clients.

    The best practice if you are using SAML or SmartCard/CAC is to authenticate directly to IBM TRIRIGA on a separate process server or integration server rather than on the SSO-enabled application server. This solution requires users to sign in with their IBM TRIRIGA user name and password.

    An alternative best practice is to set up a separate non-SAML SSO solution for non-browser client users, one that supports basic or NTLM authentication. This solution requires SmartCard/CAC users to sign in with their SmartCard/CAC user name and password.
