Jan 23, 2019

Single Sign On (SSO)

Does InterSystems, specifically Ensemble, support a Single Sign On architecture? Currently we are using delegated sign-on using LDAP and TLS; however, our CIO would like us to move toward single sign-on, so that when you sign into your PC it would automatically pass the credentials to Ensemble.




Ensemble supports several SSO options, but they generally require you to have an existing framework to use. For example, OpenAM and Kerberos are supported SSO options, but in both cases you would need the frameworks and central servers for them already in place.

You might want to start by figuring out which framework(s) your other applications use already, and then seeing if you can add Ensemble to those, rather than looking at what Ensemble supports and picking based on that.

SSO can be achieved in several different ways. It can work over OAuth2, NTLM, Kerberos, SAML and so on. In different projects I have used Kerberos/NTLM and OAuth2, but real SSO was only with Kerberos. And when you already have LDAP auth in your application, it will be quite easy to add SSO. But it also depends on which OS and which web server you have. On Windows it is much easier to start with IIS, while it is so difficult to find a working module for Apache. On Linux there could also be a problem finding the latest version of the module that will work with the latest version of Apache. But when you manage to get it working on the web server side, there is almost nothing left to do on the Caché side. When you get the first unauthorized request, you should return status 401 and say which method of authentication you need through the header WWW-Authenticate: NTLM. Then, if the web server managed to get the username, it will send it in the header REMOTE_USER. Of course, you will not get the password; you just use this username and authorize the session.
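The server-side half of the exchange described in the answer above (401 with WWW-Authenticate on the first request, then a session built from the REMOTE_USER the web server supplies), as an added example that is not code from the post or from InterSystems. It assumes a WSGI-style environ dict populated by IIS or Apache with an NTLM/Kerberos module, and the function names and sample requests are constructed for illustration.

```python
# Added example (not from the post or InterSystems): application-side logic
# for the NTLM/Kerberos SSO handshake. The web server authenticates the client
# and sets REMOTE_USER before the request reaches the app; no password is seen.

SUPPORTED_SCHEME = "NTLM"   # use "Negotiate" for Kerberos/SPNEGO


def authorize_session(remote_user):
    """Build a session from a web-server-supplied identity (no password).

    Accepts both "DOMAIN\\user" and "user@REALM" forms and returns the
    normalized user name plus the domain/realm it came from, if any.
    """
    if "\\" in remote_user:
        domain, user = remote_user.split("\\", 1)
    elif "@" in remote_user:
        user, domain = remote_user.split("@", 1)
    else:
        user, domain = remote_user, ""
    return {"user": user.lower(), "domain": domain.upper(), "authenticated": True}


def handle_request(environ):
    """Return (status, headers, body) for one request.

    Only REMOTE_USER, which the web server sets after its own authentication,
    is trusted. HTTP_REMOTE_USER is deliberately ignored: every HTTP_* key is a
    header copied from the client request and could carry any value.
    """
    user = environ.get("REMOTE_USER", "").strip()
    if not user:
        # First, unauthenticated request: answer 401 and name the scheme so the
        # browser starts the NTLM (or Negotiate) exchange with the web server.
        return ("401 Unauthorized",
                [("WWW-Authenticate", SUPPORTED_SCHEME),
                 ("Content-Type", "text/plain")],
                b"authentication required")
    session = authorize_session(user)
    return ("200 OK", [("Content-Type", "text/plain")],
            f"session for {session['user']}".encode())


# Constructed sample requests (not captured traffic); /app/home is a placeholder.
FIRST_REQUEST = {"REQUEST_METHOD": "GET", "PATH_INFO": "/app/home"}
SPOOF_ATTEMPT = dict(FIRST_REQUEST, HTTP_REMOTE_USER="CORP\\admin")
AUTHENTICATED = dict(FIRST_REQUEST, REMOTE_USER="CORP\\jsmith")

if __name__ == "__main__":
    for env in (FIRST_REQUEST, SPOOF_ATTEMPT, AUTHENTICATED):
        status, headers, body = handle_request(env)
        print(status, dict(headers).get("WWW-Authenticate"), body.decode())
```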

Is there good documentation for setting up IIS with the Web Gateway and Kerberos?
I want to achieve SSO for Caché. Integrated authentication works for IIS, and Kerberos works between the Web Gateway and the SuperServer, but when opening the Management Portal in Edge I always get the Caché logon screen, which I thought should not be shown if SSO worked.
I think this is an issue with the IIS configuration, but I have spent hours trying to find out...