
Archive:Single sign-on

This document is deprecated. The current documentation about this topic in Openbravo 3 can be found here.


Introduction

As defined in Wikipedia, single sign-on (SSO) is a method of access control that enables a user to authenticate once and gain access to the resources of multiple software systems. Openbravo ERP is one resource in a corporate environment where other tools may coexist; a single sign-on access method shared by all of those tools lets users authenticate only once, instead of authenticating again every time they want to access a different tool.

There is a tool called Lightweight Authentication Module (LAM). LAM is a software module that provides a single sign-on mechanism for web-based software products. It is developed by the Open Solutions Alliance, an initiative of a group of leading companies dedicated to making enterprise-class open software solutions work together, of which Openbravo is a member. Several web-based products, including Openbravo ERP, use this method to provide single sign-on. This way you can deploy two or more of these applications and a user will be able to log in once and gain access to all of them. The applications that already use LAM for single sign-on are:

Openbravo ERP has its own authentication method; to enable single sign-on, you can configure Openbravo ERP to use whichever authentication method your environment needs. This way the default authentication method shipped with Openbravo ERP becomes just one more authentication method, isolated from the other elements of the application.

How authentication works in Openbravo ERP

When a user wants to gain access to an Openbravo ERP resource, Openbravo ERP asks the authentication manager for the application User Id of the user requesting that resource. If the user has not been authenticated before, the authentication provider is responsible for authenticating the user.

For example, the default authentication manager provided by Openbravo asks the user for his or her application user name and password. Once the user name and password have been validated successfully, it returns the User Id of the authenticated user to Openbravo ERP; Openbravo ERP then loads the privileges of that user and grants access to the requested resource. Otherwise, it reports to Openbravo ERP that the user has not been authenticated and Openbravo ERP denies access to the requested resource.

How to configure the authentication manager in Openbravo ERP

The authentication manager used by Openbravo ERP is defined in the configuration file ERP/2.40/Openbravo.properties. In the property authentication.class you have to write the class name of the authentication provider that Openbravo will use for this purpose.

Openbravo includes three AuthenticationManager implementations:

Default Authentication Manager

This is the default authentication manager provided by Openbravo. It is the classic authentication method, which uses Openbravo's current login page to authenticate users.

After installing Openbravo ERP you do not need to configure anything if you want to use this authentication manager, which is the classic way Openbravo authenticates application users.

LAM Authentication Manager

This is the authentication manager created to support single sign-on in Openbravo. In order to use it you first have to install a LAM server: download LAM and follow the installation instructions included in the package.

To configure this authentication manager in Openbravo ERP, edit the ERP/2.40/Openbravo.properties file and add the property authentication.class with the value org.openbravo.authentication.lam.LamAuthenticationManager, then compile the Openbravo ERP application from the command line with ant compile -Dtab=xx and deploy it again.

In the Tomcat server where Openbravo ERP is deployed, the lam.binding.hostname property (passed to the JVM as a system property) has to be set to the location of the LAM server. On a Gentoo box this is done by modifying the CATALINA_OPTS variable in the /etc/conf.d/tomcat-5.5 file:

 CATALINA_OPTS="-Dlam.binding.hostname=@yourhostname@:8080"

Then the application users will only have to authenticate once and will gain access to all the applications configured to use the same LAM server.

Required libraries

Openbravo built with LAM authentication manager support requires three libraries.

These libraries must be deployed to the context in order to make it work.

Autologon Authentication Manager

This is an authentication manager for demonstration purposes. It lets every user who accesses Openbravo ERP into the application as the Openbravo user name configured for autologon, without having to type either a user name or a password. Because every visitor is granted the privileges of that configured user, it is only suitable for demonstration installations.

To configure this authentication manager in Openbravo ERP, edit the ERP/2.40/Openbravo.properties file and add the property authentication.class with the value org.openbravo.authentication.basic.AutologonAuthenticationManager, add the property authentication.autologon.username with the user name to log in as whenever any user accesses the application, then compile the Openbravo ERP application from the command line with ant compile -Dtab=xx and deploy it again.

Develop your own Authentication Manager

You can also develop your own authentication manager. To do this you only have to create a new Java class that implements the interface org.openbravo.authentication.AuthenticationManager. This interface has the following methods:

  import java.io.IOException;
  import javax.servlet.ServletException;
  import javax.servlet.http.*;

  public interface AuthenticationManager {
    public void init(HttpServlet s) throws AuthenticationException;
    public String authenticate(HttpServletRequest request, HttpServletResponse response)
        throws AuthenticationException, ServletException, IOException;
    public void logout(HttpServletRequest request, HttpServletResponse response)
        throws ServletException, IOException;
  }

The method init is called after the class is instantiated. It is used to read the configuration parameters of the authentication manager, if any are needed.

The method authenticate is called when a user requests access to an Openbravo ERP resource. It must return the User Id of the authenticated user, or null if the user has not been authenticated. If the authentication manager needs to interact with the user, for example to ask for a user name and password, then this method should redirect to the authentication manager's web pages that ask the user for the user name and password, and return null. After the user has been authenticated, the authentication manager must redirect to the Openbravo ERP resource the user requested previously.

The method logout is called when the user requests to close the current session.

To configure Openbravo ERP to use your newly created authentication manager, compile your Java class that implements AuthenticationManager together with all the Java classes and libraries it needs, make it accessible to the Openbravo ERP web application, and add the property authentication.class to the ERP/2.40/Openbravo.properties file with the name of your Java class that implements the interface AuthenticationManager.
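The following is an added example of a custom authentication manager that follows the contract just described; it is not Openbravo code and not part of the original page. It assumes that AuthenticationException lives in the same org.openbravo.authentication package as the interface and has a String constructor, that the login page location is supplied as a servlet context init parameter named example.login.page, and that the external login page stores the validated User Id in the session under the attribute name chosen here (all of these names are hypothetical). The manager itself never validates credentials: it only returns a User Id that is already bound to the server-side session, redirects unauthenticated users to the login page and returns null, and destroys the session on logout.

```java
package com.example.auth; // hypothetical package for this example

import java.io.IOException;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;
import org.openbravo.authentication.AuthenticationException; // assumed package
import org.openbravo.authentication.AuthenticationManager;

/**
 * Example AuthenticationManager (not Openbravo's own code) that delegates the
 * interactive login to an external page and only trusts a User Id that this
 * page has stored in the HTTP session after a successful login.
 */
public class SessionAuthenticationManager implements AuthenticationManager {
  // Hypothetical session attribute names shared with the external login page
  static final String USER_ID_ATTR = "example.authenticatedUserId";
  static final String RETURN_URL_ATTR = "example.returnUrl";
  // Hypothetical servlet context init parameter holding the login page URL
  static final String LOGIN_PAGE_PARAM = "example.login.page";

  private String loginPage;

  // init: read configuration once; fail early if the login page is not configured
  public void init(HttpServlet s) throws AuthenticationException {
    loginPage = s.getServletContext().getInitParameter(LOGIN_PAGE_PARAM);
    if (loginPage == null || loginPage.length() == 0) {
      throw new AuthenticationException(LOGIN_PAGE_PARAM + " is not configured");
    }
  }

  // authenticate: return the User Id bound to an existing session, or redirect
  // to the login page and return null when there is no authenticated session
  public String authenticate(HttpServletRequest request, HttpServletResponse response)
      throws AuthenticationException, ServletException, IOException {
    HttpSession session = request.getSession(false);
    if (session != null) {
      Object userId = session.getAttribute(USER_ID_ATTR);
      if (userId instanceof String && ((String) userId).length() > 0) {
        return (String) userId; // already authenticated in this session
      }
    }
    // Remember only the path the user asked for (no host), so the login page
    // can send the user back to a resource inside this web application
    HttpSession newSession = request.getSession(true);
    newSession.setAttribute(RETURN_URL_ATTR, request.getRequestURI());
    response.sendRedirect(response.encodeRedirectURL(loginPage));
    return null; // tells Openbravo ERP the user is not authenticated yet
  }

  // logout: drop the server-side state that carried the User Id
  public void logout(HttpServletRequest request, HttpServletResponse response)
      throws ServletException, IOException {
    HttpSession session = request.getSession(false);
    if (session != null) {
      session.invalidate();
    }
    response.sendRedirect(response.encodeRedirectURL(loginPage));
  }
}
```

The important design point is that the User Id Openbravo ERP receives comes only from server-side session state written after a successful login, never from anything the client can supply directly such as a request parameter or cookie value. Storing the request URI rather than a full URL keeps the post-login redirect inside the application, and invalidating the whole session on logout ensures the identity cannot be reused afterwards.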

Configuration examples

In the CAS_and_LAM_configuration_with_Openbravo's_users document you can see how to configure a CAS (Central Authentication Service) to authenticate using users defined in Openbravo ERP, and how to configure a LAM server to authenticate using that CAS.

Retrieved from "http://wiki.openbravo.com/wiki/Archive:Single_sign-on"

This page has been accessed 25,699 times. This page was last modified on 31 August 2011, at 09:34. Content is available under Creative Commons Attribution-ShareAlike 2.5 Spain License.