SSO Plug-in V 3 - Java System Solutions

SSO Plugin v3.2 Installation
J System Solutions
http://www.javasystemsolutions.com
Version 3.2

Contents

Introduction  5
Compatibility  6
Overview of the JSS SSO Plugin  7
Installation  8
  Configuring the AR System  8
    Copy files to your AR System  8
      Windows  8
      UNIX / Linux  9
    Using the SSO AREA plugin installer  10
    Flashboards  20
    Server groups  21
    Midtier application password and the ssoadmin account  21
    Load balancers and proxies  21
    Enable logging for verification  22
  Configuring the Midtier  23
    Copying the files to the Midtier  23
    Logging  23
    Matching the SSO username to an AR System User form entry  23
    Actions available when a user has no SSO account  25
      Redirect user to login page  25
      Redirect user to manual NTLM login page  25
      Create account in User form  25
      Raise an incident  25
    Authentication methods  25
      Cleartrust / Siteminder  26
      Built-in Kerberos/NTLM for Active Directory  26
        Creating the service account  26
        Configuring the implementation  27
        Windows Vista, 7, 2008 and AES 256 bit encryption  27
      Built-in Kerberos/NTLM, custom settings  27
        Selecting supported protocols  27
        Creating an AD service account to support Kerberos and NTLM  27
        Configuring NTLM  28
        Configuring Kerberos  28
        Manually creating a service account  29
        Manually configuring a Service Principal Name  29
        Untrusted domains and the krb5.conf file  30
        Creating a keytab  30
        Ports and firewalls  30
      Using IIS and built-in authentication  30
        Windows authentication performed by IIS  31
        Configuring IIS  31
        Configuring Tomcat  32
        Large Kerberos tokens  32
        Configuring the SSO Plugin  32
      Open ID  32
SSO for the Windows User Tool  34
  ARSSOInfo.ini Explained  34
    General Section  34
    ARServer Section  35
  Recreating a lost ARSSOInfo.ini  35
Installing SSO on BMC Remedy Knowledge Management  36
  Automated installation  36
    JSP patches  36
  Manual installation  36
  Manually logging in to RKM  37
  What to do if you reconfigure the Midtier or SSO Plugin  37
  Enabling RKM logging  37
Upgrades  38
  If using a version prior to 3.0  38
  If using version 3.0 or 3.1  38
Manually configuring the AR System  39
  Import workflow  39
  Updating repository details  39
  Check AR External Authentication (AREA) is enabled  40
  Disable 'Allow Guest Users'  41
  Creating the ssoadmin account  41
  Check the AREA Hub is installed and configured  43
  Windows User Tool SSO – ARSSOInfo.dll  44
  Check the AREA LDAP configuration  44
  Configure the AREA HUB to use the SSO Plugin  45

Page 5 of 45

Introduction

It's a fact that no employee will dispute: passwords equal huge headaches, causing user frustration and hindering productivity, not to mention the burden on the IT Service Desk for password resets. Employees, while trying to keep pace with password policy, jot passwords on sticky notes and attach them to monitors or under keyboards, ironically creating significant security vulnerabilities and risk: quite simply, what the password policy was meant to negate.

Fortunately, creating secure and easy user access is no longer at odds with employee productivity and can be effectively managed as part of your security initiatives. Introducing JSS Single Sign On for the AR System.

J System Solutions ensures that you have a product that is easy to install, easy to configure and easy to use. We also pride ourselves on our level of service and support. If you have any questions, issues or queries then please contact us.

Product website or download an ssoplugin
Product fact tion/ssoplugin/sso-for-bmc-arsystem.pdf
New to Single Sign On? http://en.wikipedia.org/wiki/Single_sign-on

Page 6 of 45

Compatibility

The following tables present the supported product versions. If a product you need is not listed, please feel free to contact support.

Operating System
- Windows 2000, 2003, 2008
- Sun Solaris 5.x
- HP-UX 11.x
- Linux 2.4.x
- AIX

BMC Action Request System
- 7.1 (MT patch 6)
- 7.5 (MT patch 1)
- 7.6

Please note:
1. We support Tomcat 5.5.23, Weblogic 9.2.3 and Websphere for the Midtier. If you use another Java servlet engine, please contact us to confirm supportability.
2. As of SSO Plugin 3.2, we have suspended support for Midtier 7.0 because there appears to be no demand. If you require Midtier 7.0 support then we will provide SSO Plugin 3.1 for evaluation and we'll support 3.2 if required.

The SSO Plugin will support many different URL protection products and methods. Popular products include:

Authentication Systems
- Cleartrust
- SiteMinder
- Quest QSJ
- HTTP Basic
- Novell Access Manager
- OpenID

The SSO Plugin also provides built-in authentication (Kerberos and NTLM) out of the box.

Page 7 of 45

Overview of the JSS SSO Plugin

The JSS SSO Midtier plugin is invoked by the Midtier when a user goes to /arsys/home, /arsys/forms or /arsys/apps (these paths are configurable). If the relevant details were available on the incoming request for the JSS SSO Midtier plugin to operate correctly, then these details are passed back to the Midtier, which in turn calls the AR System. Assuming the AREA plugin does not reject the connection, the Midtier will log in successfully.

Please ensure you have read the ARS documentation concerning AREA plugins if you were not aware that blank passwords are required for SSO users in the User form. A blank User form password does not leave the account open: with Crossref-Blank-Password enabled, the AR Server hands logins for such accounts to the AREA plugin, which accepts or rejects them. One of the most common support issues is due to a user not having a blank password in the User form, resulting in the AR System rejecting the request.

Page 8 of 45

Installation

The installation zip file contains two directories, mt and area-installer. The mt directory contains the files required by the Midtier, and the area-installer directory contains the files required by the AR System. Not all the files may be used for one particular installation method, so please follow the instructions carefully.

The installation has two parts: configuring the AR System and configuring the Midtier. The AR System is configured (and tested) before the Midtier is configured. Please be aware that some of the directory paths may be different on your installation. If in doubt, consult JSS support.

Configuring the AR System

The AR Server you are installing to initially must have the Administrator thread. If you are installing to one AR Server then this is not an issue. If you are installing to an AR Server Group, then please make sure the server name you connect to owns that thread at that time. This is needed because the installation imports a BMC application called SSO Administration, and the Administrator thread is needed for that.

The current version of the product needs to communicate back to the AR Server through the AREA plugin. BMC do not provide this without login credentials, so the installation process will create a new user with administrator permissions called ssoadmin. The password is not a readable word from any language and includes capital letters, numbers and special characters. Thus a fixed license is needed and will need to be free before installing.

The setup program makes use of the BMC ARDBC CONF plugin, which is installed by default on the AR System. If you do not have it installed, the setup program will tell you; to resolve the issue, add the following to your ar.cfg file:

Windows:
    Plugin: ardbcconf.dll
Solaris/Linux:
    Plugin: ardbcconf.so

One final prerequisite is that you will need to copy file(s) to the AR Servers, so you will need operating system access.

Copy files to your AR System

Regardless of whether you use our graphical installer or configure the AREA plugin manually, files need to be copied to your AR System server. Depending on your AR Server operating system, you need to copy a directory or just a file.

Windows

The installation on Windows must be run on the machine running the AR Server. When the evaluation has been downloaded and unpacked, browse to the installer directory as seen in the following screenshot:

Page 9 of 45

UNIX / Linux

On UNIX or Linux, you have only one file to copy. This file can be copied in a number of ways; we at JSS recommend FileZilla (http://filezilla-project.org/). The relevant operating system file (Linux, Solaris, HP) needs to be copied to the AR Server's bin directory, as seen in the following screenshot.

Page 10 of 45

Using the SSO AREA plugin installer

The SSO AREA plugin installer will configure the AR System remotely. This means that as long as you have followed Copy files to your AR System, this application will complete the rest of the AR Server configuration. From your desktop, execute setup.exe.

Page 11 of 45

Below is a screenshot of the welcome page. On a Windows install it reminds you to make sure the installer is running on the actual machine running the AR Server; on UNIX or Linux, it reminds you to place the correct file(s) on the AR Server. Once you have verified the above, tick the box and click Next.

Page 12 of 45

Fill in your AR Server details, remembering to use a user with administrative permissions. If you are using a server group then make sure you use the details of the AR Server that is running the Administrator thread. Click Next.

Page 13 of 45

If the installation operating system is Windows then you will see the following tab. Use the Browse button to select your AR System installation directory: the directory where arplugin.exe is located. Examples are shown on the screen.

Page 14 of 45

Make sure you enter the IP addresses of all Midtier servers and of any Crystal Reports or Business Objects reporting servers, including the addresses of any load balancers. The AREA plugin checks the address of the Midtier making the request against this list (alongside the shared key), so an address that is missing here will cause SSO logins from that host to be rejected; equally, do not add hosts that have no need to submit SSO logins. Click Next.

Page 15 of 45

The following screen shows a configuration option for the JSS SSO Plugin for the Windows User Tool. The Microsoft Security API (SSPI) can present the user name in a number of forms, e.g. with different capitalisation. Like many customers, you may have your login names in lower case. The case must match whatever your login name is within the AR System: Bob is not the same user as bob. This option therefore allows the Plugin to manipulate the user name before it is sent to the AR Server for authentication. The options are:

- Use format delivered by SSPI: however the user name is stored in Active Directory is how it will be sent to the AR Server.
- Force lower case (default): modifies the whole user name to lower case.
- Force upper case: modifies the whole user name to upper case.
- Capitalise the first letter: changes bob to Bob.

Click Next.

Page 16 of 45

This screen allows you to install a two month trial license by ticking the check box, or, if you have received a site license from JSS, deselect the box and enter your code where it says License Key. Click Next.

Page 17 of 45

Now all prerequisites are complete, we are ready to start the installation. A warning is presented to remind the administrator that this may take some time depending on the AR System's performance. At times the installation may look unresponsive, but please be patient. Updates will appear within the white box. Click Next.

Page 18 of 45

After some time you will be prompted to save a file called ARSSOInfo.ini. This name cannot be changed. At this point, the ini file has been configured with information specific to that instance of the AR System or server group. This file also contains encrypted information. Please save this file and keep it safe. This file will be one of two files deployed to the desktops of clients who wish to use JSS SSO for the BMC Remedy Windows User Tool.

Page 19 of 45

Finally, upon seeing this screen, you must restart your AR System. Installation of the AREA plugin is complete. Click Exit. You can now progress to installing the Midtier plugin.

Page 20 of 45

Flashboards

When opening the SSO Administration Console and clicking on Dashboard > Overview Dashboard, flashboards should render showing valuable information about authentication requests. If the following error appears, then the flashboards will have to be imported manually.

Screenshot of Developer Studio Import.

Page 21 of 45

Server groups

The SSO Plugin holds the configuration in a form (J System Solutions Repository) within AR System. Therefore, when using AR System server groups, the installation steps are as follows:

1. Ensure the 'Midtier application password' is the same on all AR System servers in the group. This is because it's used to generate the password to the ssoadmin account (created by the installer). To do this, open the ar.cfg file from the AR Server with the Administrator thread, copy the Mid-Tier-Service-Password entry, and set that in the ar.cfg file for every other AR System server in the group. It is not enough to simply ensure all the passwords are the same in the AR System administration console for each server.
2. Run the installer against the AR Server with the Administrator thread. This will import an AR System definition file to store the configuration information, and thus the Administrator thread needs to be present.
3. Make sure you follow the same steps as Copy files to your AR System on the remaining AR Servers in the server group.
4. For each of the additional AR System servers in the group, add the following lines to your ar.cfg or ar.conf file:

    Plugin-Path: C:\Program Files ...
    Plugin: jss-sso.dll
    Crossref-Blank-Password: T
    External-Authentication-RPC-Socket: ...
    External-Authentication-Return-Data-Capabilities: 31
    Authentication-Chaining-Mode: 0
    Allow-Guest-Users: F

   Allow-Guest-Users: F is a security setting as well as an installation step: with guest access enabled, the AR Server can admit a login name that has no User form entry as a guest user instead of rejecting it.
5. Restart the AR System servers.

Midtier application password and the ssoadmin account

The installer application will generate an account in the User form called ssoadmin. This is used by the JSS AREA plugin to log in to AR System and manage the configuration, create user authentication entries, etc. The password to this account is generated from the Midtier application password. Because of this, the Mid-Tier-Service-Password entry in ar.cfg is effectively an administrator secret: anyone who can read it can reproduce the ssoadmin credential, so restrict read access to ar.cfg accordingly. If you change the Midtier application password for the AR System server then you can reset the ssoadmin password by running the installer, which will detect an existing installation and ask you if you wish to update the ssoadmin password. Alternatively, you can visit the JSS website and use the utility in the support portal. If you're using server groups, see the server groups documentation above and ensure all servers are set with the same password by copying the entry from the updated ar.cfg to the other AR System server ar.cfg files.

Load balancers and proxies

Ensure that the Midtier IP address you enter is the correct address if you're using a load balancer, proxy, etc. A proxy or NAT device may present its own address, rather than the Midtier's, to the AR Server. If you're unsure then ask your network administrators, and if in doubt, add all the relevant IP addresses!
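As an added example (not part of the JSS installer or of this manual), the following Python script models a pre-flight check for the server group steps above: it parses the ar.cfg text of each server, confirms that Mid-Tier-Service-Password is identical across the group, that the settings listed in step 4 carry the required values, and that the jss-sso plugin is loaded. The ar.cfg contents are constructed samples; the Plugin-Path, RPC socket and password values in them are placeholders, not values taken from the manual.

```python
"""Pre-flight consistency check over the ar.cfg files of an AR System server group.
Added example; not code from the JSS SSO Plugin or installer."""

# Settings from step 4 that every server in the group must carry with exactly this value.
REQUIRED_VALUES = {
    "Crossref-Blank-Password": "T",
    "Authentication-Chaining-Mode": "0",
    "Allow-Guest-Users": "F",
}

# Constructed sample ar.cfg contents (placeholder values, not from the manual).
# arserver2 has a different Mid-Tier-Service-Password and leaves guest users enabled.
SAMPLE_CONFIGS = {
    "arserver1": r"""
Mid-Tier-Service-Password: EXAMPLE-ENCRYPTED-VALUE
Plugin-Path: C:\Program Files\AR System
Plugin: jss-sso.dll
Crossref-Blank-Password: T
External-Authentication-RPC-Socket: 390695
External-Authentication-Return-Data-Capabilities: 31
Authentication-Chaining-Mode: 0
Allow-Guest-Users: F
""",
    "arserver2": r"""
Mid-Tier-Service-Password: DIFFERENT-VALUE
Plugin: jss-sso.dll
Crossref-Blank-Password: T
External-Authentication-RPC-Socket: 390695
Authentication-Chaining-Mode: 0
Allow-Guest-Users: T
""",
}


def parse_ar_cfg(text):
    """Parse 'Key: value' lines into {key: [values]}; keys such as Plugin may repeat."""
    cfg = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        key, sep, value = line.partition(":")
        if not sep:
            continue
        cfg.setdefault(key.strip(), []).append(value.strip())
    return cfg


def check_group(configs):
    """configs maps server name -> ar.cfg text. Returns a list of problems (empty means ok)."""
    problems = []
    parsed = {name: parse_ar_cfg(text) for name, text in configs.items()}

    # The ssoadmin password is derived from Mid-Tier-Service-Password, so every
    # server must carry the same entry. Report server names only: the value is a secret.
    passwords = {name: cfg.get("Mid-Tier-Service-Password", [None])[0]
                 for name, cfg in parsed.items()}
    if len(set(passwords.values())) != 1:
        problems.append("Mid-Tier-Service-Password differs: " + ", ".join(sorted(passwords)))

    for name, cfg in parsed.items():
        for key, wanted in REQUIRED_VALUES.items():
            got = cfg.get(key, [None])[0]
            if got != wanted:
                problems.append(f"{name}: {key} is {got!r}, expected {wanted!r}")
        # jss-sso.dll on Windows, jss-sso.so on UNIX/Linux.
        plugins = [p.lower() for p in cfg.get("Plugin", [])]
        if not any(p.startswith("jss-sso.") for p in plugins):
            problems.append(f"{name}: Plugin jss-sso not loaded")
        if not cfg.get("External-Authentication-RPC-Socket"):
            problems.append(f"{name}: External-Authentication-RPC-Socket missing")
    return problems


if __name__ == "__main__":
    for problem in check_group(SAMPLE_CONFIGS):
        print(problem)
```

Run against real files by reading each server's ar.cfg (or ar.conf) into the dictionary in place of the samples; an empty result means the group is consistent with the steps above.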

Page 22 of 45

Enable logging for verification

The JSS AREA plugin can be verified via the AR System's plugin log file. It is recommended this be enabled now to save time and effort later. Log in via the BMC Remedy User Tool with a user with administrative permissions, open the AR System Administration Console, click on System and then General, and click on the Log Files tab. Then:

- Check the Plug-in Server log.
- Set the Plug-in Log Level to ALL.
- Click Apply and Save.

Page 23 of 45

Configuring the Midtier

A video is available to assist with installing the SSO Plugin.

Copying the files to the Midtier

To install the SSO Plugin on the Midtier, please follow these steps:

1. Copy the contents of the mt directory into the root Midtier directory, i.e. the contents of mt into the Midtier directory that contains the WEB-INF directory.
2. Restart the Midtier. If you are using IBM Websphere 7, use WAS to ensure the com.ibm.ws.jsp.jdkSourceLevel custom property is set to 14 or 15 on the web extension file or the custom WebContainer. This tells Websphere that the application was compiled for Java 1.5.
3. Go to the Midtier configuration page and check the 'default authentication server' (on the 'general' page) is set to the AR System on which you installed the JSS AREA plugin.
4. Go to the SSO Plugin status page by pointing your browser at http://path-to-midtier/arsys/jss-sso/index.jsp. You will be presented with a status page. If prompted in the left hand side navigation, enter the Midtier password and log in.
5. Review the Authentication Methods section below to learn how to configure the required SSO implementation.
6. Click on Configuration and enter the appropriate details. Press Set configuration. If the Midtier is configured correctly then you may be advised to restart it again. Please take note of any errors and/or warnings that are displayed.
7. You can now test the SSO configuration by clicking on the Test SSO link on the SSO Plugin status page. This will attempt to perform an SSO login to the authentication server and report any errors. If the test is successful you can click on the Midtier Home link in the navigation and you should be taken directly to the Midtier Homepage without being asked to log in.
8. If SSO fails then review the troubleshooting document or contact JSS support.

We have identified a possible bug in the AR System which will sometimes prevent our test facility working. It will manifest itself in a message stating that the Shared Key or IP Address is not correct. If this happens, check whether SSO really fails by visiting the Midtier Homepage. Please also review the information log in the SSO Administration Console within AR System.

Logging

This enables the Midtier SSO logging, which writes to the Tomcat stdout file. We recommend you select Information for production use, Debugging when configuring the SSO Plugin, and Trace when you're trying to resolve an issue. Trace will generate a lot of logging, including low level Kerberos debugging, and is required by JSS to resolve issues. Because trace output records the details of authentication exchanges, treat the log file as sensitive and return to Information once the issue is resolved.

Matching the SSO username to an AR System User form entry

For SSO to work correctly, not only is an entry in the User form with a blank password required, but the case of the SSO username must match that of the entry in the User form. For many people, this won't be the case, and the SSO Plugin provides a range of functionality to resolve this problem.

Most common configuration

Page 24 of 45

While the following may seem complicated, the most common configuration is:

1. Set Case sensitivity to Match case insensitively.
2. Set User domain to Strip domain, because users don't tend to store domain names in the User form Login Name field.
3. Set the When user has no valid User form entry control to Redirect to login page.

Detailed overview of the username matching process

The following illustrates the process of deciding how to match an SSO user with the AR System User form and proceed to login:

1. If User domain is set to Strip domain then a Windows domain name will be stripped from the SSO username.
2. If Case sensitivity is set to convert to upper or lower then the username is modified accordingly.
3. If user aliasing is enabled, execute the query against the User form and, if a user is returned, log in with that user. If there is no match, the request fails.
4. If Match case insensitively is selected then search for a user. If there is no match, continue.
5. If User domain is set to Try matching either way, search for a user entry with or without the Windows domain name. If there is no match, the request fails.
6. Test the User form to see if an entry exists with the Login Name set to the username (or domain name and username if User domain is set to "User and domain"). If a valid SSO enabled entry exists then proceed to login, otherwise run the action selected when a user has no valid User form entry.

Alias username by User form query

This allows you to run a query against the User form to return a Login Name using the username (and optionally the domain name) as part of the query. When writing the query, you can use the SSO USER and SSO DOMAIN placeholders, which will be replaced by the SSO user and domain name (if applicable). If you want to pass the value returned from the Windows authentication system (i.e. user@domain or DOMAIN\user) unchanged to SSO USER, do not enable Remove domain part.

For example:

1. If the User form holds the SSO usernames in field 117 then you may wish to set the alias query to '117' = "SSO USER". When this query is executed against the User form, the SSO USER string is replaced with the username, and the value of the Login Name field is returned. This value is then used to connect to AR System.
2. If you're using Windows authentication, NTLM returns usernames in the format DOMAIN\user and Kerberos returns them in the format user@domain. If you have a policy of storing all SSO accounts in the format user@domain within field 117 on the User form, then enable Remove domain part and use the following query: '117' = "SSO USER@SSO DOMAIN".

Please note: if there is no User form entry returned through user aliasing, the SSO authentication request is rejected. No user provisioning will take place.

User aliasing and Open ID

The user aliasing feature is used for the configuration of Open ID. When using Open ID, the SSO DOMAIN placeholder is used to hold the Open ID Provider, and SSO USER is used for the Open ID Identifier. Configuring Open ID is described in more detail in the Open ID section of the document.
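The following Python model is an added example, not code from the SSO Plugin: it walks through the six matching steps above, including the alias query with SSO USER / SSO DOMAIN substitution, and ends either in a login, a rejection, or the configured "no valid User form entry" action (the options described in the next section). It assumes, hypothetically, that the User form is a list of dicts with 'Login Name', 'Password' and field '117', that an entry is SSO-enabled only when its password is blank, that the alias query has the shape 'FIELD' = "VALUE" as written in the examples above, and that placeholders are substituted textually. The User form entries and SSO usernames below are constructed.

```python
"""Model of the SSO Plugin's username matching process. Added example; not the plugin's code."""
import re
from typing import Optional

# Constructed sample User form. Only entries with a blank password are SSO-enabled.
USER_FORM = [
    {"Login Name": "bob",        "Password": "",       "117": "bob@CORP.EXAMPLE"},
    {"Login Name": "Alice",      "Password": "",       "117": "alice@CORP.EXAMPLE"},
    {"Login Name": "CORP\\carol", "Password": "",       "117": ""},
    {"Login Name": "dave",       "Password": "s3cret", "117": "dave@CORP.EXAMPLE"},
]


def split_domain(sso_user: str):
    """Split DOMAIN\\user (NTLM) or user@domain (Kerberos) into (user, domain)."""
    if "\\" in sso_user:
        domain, user = sso_user.split("\\", 1)
        return user, domain
    if "@" in sso_user:
        user, domain = sso_user.rsplit("@", 1)
        return user, domain
    return sso_user, ""


def run_alias_query(query: str, user: str, domain: str) -> Optional[str]:
    """Evaluate 'FIELD' = "VALUE" after placeholder substitution; return the Login Name found."""
    m = re.fullmatch(r"\s*'(\w+)'\s*=\s*\"(.*)\"\s*", query)
    if not m:
        raise ValueError("unsupported alias query: " + query)
    field, value = m.group(1), m.group(2)
    value = value.replace("SSO USER", user).replace("SSO DOMAIN", domain)
    for entry in USER_FORM:
        if entry.get(field) == value:
            return entry["Login Name"]
    return None


def find_entry(login_name: str, case_insensitive: bool = False):
    """Look up a User form entry by Login Name, exactly or ignoring case."""
    for entry in USER_FORM:
        stored = entry["Login Name"]
        same = stored.lower() == login_name.lower() if case_insensitive else stored == login_name
        if same:
            return entry
    return None


def _login_or_action(entry, no_account_action):
    # An entry with a password set is not SSO-enabled: treat as "no valid User form entry".
    if entry["Password"] == "":
        return ("login", entry["Login Name"])
    return ("action", no_account_action)


def resolve(sso_user: str, *, user_domain="strip", case="insensitive",
            alias_query=None, no_account_action="login page"):
    """Return ('login', Login Name), ('fail', reason) or ('action', configured action).

    user_domain: 'strip' (Remove domain part), 'either' (Try matching either way), 'keep'
    case: 'insensitive', 'lower', 'upper' or 'exact'
    """
    user, domain = split_domain(sso_user)
    # 1. Strip domain: discard the Windows domain part of the SSO username.
    name = user if user_domain == "strip" else sso_user
    # 2. Convert case if configured.
    if case == "lower":
        name = name.lower()
    elif case == "upper":
        name = name.upper()
    # 3. Aliasing: the query alone decides; no entry means the request is rejected.
    if alias_query:
        alias = run_alias_query(alias_query, name, domain)
        return ("login", alias) if alias else ("fail", "no alias match")
    # 4. Case-insensitive search; continue to the later steps if nothing is found.
    if case == "insensitive":
        entry = find_entry(name, case_insensitive=True)
        if entry is not None:
            return _login_or_action(entry, no_account_action)
    # 5. Try matching with and without the domain; no match rejects the request.
    if user_domain == "either":
        for candidate in (user, sso_user):
            entry = find_entry(candidate)
            if entry is not None:
                return _login_or_action(entry, no_account_action)
        return ("fail", "no match with or without domain")
    # 6. Exact match on Login Name; otherwise run the "no valid entry" action.
    entry = find_entry(name)
    if entry is not None:
        return _login_or_action(entry, no_account_action)
    return ("action", no_account_action)
```

Two cases worth trying: CORP\dave resolves to an entry but ends in the configured action, because his User form password is not blank; and the user@domain alias query from example 2 matches a Kerberos username (bob@CORP.EXAMPLE) but rejects the same person arriving via NTLM (CORP\bob), because SSO DOMAIN then holds the short NetBIOS name rather than the value stored in field 117.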

Page 25 of 45

Actions available when a user has no SSO account

The standard BMC SSO specification has no provision for users who are not SSO enabled within the AR System, i.e. if they don't have a correctly configured entry in the User form (no account, or an account with a password, etc.), the user is presented with an ARERR 623 page. We don't believe this is desirable, so in this scenario a number of actions can be performed.

The SSO Plugin provides a range of options to deal with the scenario where an SSO user has no valid entry in the User form. This forms an important part of integrating the SSO Plugin into a corporate environment where there are thousands of users, and many leaving/joining on a daily basis. The configuration page contains a section marked "When SSO user has no valid User form entry" and the options are described below.

Redirect user to login page

Users who do not have an SSO enabled account in the User form will be redirected to the Midtier login form. This is the most obvious improvement to the user experience and requires no additional configuration.

Redirect user to manual NTLM login page

This alternative login page is available if the SSO Plugin has been configured with built-in authentication that includes NTLM. It allows a user to enter their Windows login details, which are validated against Active Directory before allowing the login. This functionality allows you to remove the BMC AREA LDAP plugin: by doing so, you reduce the number of components to configure in AR System, and the SSO Plugin configuration is more comprehensive and easier than the BMC AREA LDAP plugin. Typically, customers choose this option if they do not need to let users log in to the Windows User Tool with their Windows credentials.

Create account in User form

When a user has no account in the User form, a new entry can be created from a template entry. When this option is selected, the name of an existing User form entry will be required to be used as a template for new entries. The new entry will be created by copying all fields from the template entry, replacing the login name with the SSO username from the request. Because every field, including group membership and licence type, is copied from the template, choose a template entry that carries only the permissions a newly provisioned user should have. If a user has an existing entry but it's not correctly configured then they will be redirected to the login page.

Raise an incident

If the user doesn't have an SSO enabled account, an incident will be raised and the user will be redirected to a page with the incident number. To configure this, you will need to enter the summary, notes, urgency and select the company/person to be associated
