SSO

A Single Sign On (SSO) solution removes authentication from the application code and offers a globally secure software environment in which users provide their credentials once to access multiple applications.

Single Sign On through Federation Services or Integrated Windows Authentication can be activated in these Enterprise Server sessions:

  • SSO Parameters (ttams0100m000) session
  • User Data (ttaad2500m000) session

After you run the Convert changes to runtime DD (ttams2200m000) session, this new file is shown in $BSE/lib/user:

$BSE/lib/user/sso/s<SSO_USER>

For more specific information, see the online help of these Enterprise Server sessions.

Other files on disk for SSO are:

  • $BSE/lib/sso_config
  • UNIX
    • $BSE/security/sso_permissions.xml
    • $BSE/security/ssl.properties
  • Windows
    • $GLOBAL/security/sso_permissions.xml
    • $GLOBAL/security/ssl.properties
  • sso_config file
    This file is configured through the SSO parameters session (ttams0100m000)

    This file contains these SSO configuration parameters:

    • generic_user: <Windows only - the name of the generic OS user that is used to start the Bshell>
    • gu_passwd: <Windows only - the encrypted password for the generic OS user>
  • sso_permissions.xml file

    This file describes which SSO user can impersonate a specific OS user. This protection is required in case end users try to change the configuration in the User Data in such a way that they can start a Bshell as, for example, OS user root.

    This file is maintained manually.

    A sample sso_permissions file will be placed in one of these directories:

    • $BSE/security (on UNIX)
    • $GLOBAL\security (on Windows)
  • ssl.properties file

    This file is maintained manually.

    The property file ssl.properties contains the pathname and password of the keystore file used for the SSL communication with Web UI and LN UI.

    An example of the ssl.properties file:

    keystore: c:\Infor\ERPLN\commonx64\security\nlbaltoolsdev.p12
    password: changeit

    A default keystore filename is:

    c:\Infor\ERPLN\commonx64\security\keystore.p12

    This default is used when the keystore line is omitted from the ssl.properties file. An alternative location for the ssl.properties file when starting blogind can be specified by this parameter:

    -ssl <filename>
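
A check an administrator could run against ssl.properties, as an added example that is not Infor code: it parses the format shown above, applies the default keystore when the keystore line is omitted, and flags the sample password and POSIX permissions that open the file to group or other. The function names are hypothetical, and it assumes the file contains only the name: value lines shown on this page and that only the account running blogind needs to read it.

```python
import os
import stat

# Default keystore stated on this page; applies when the keystore line is omitted.
DEFAULT_KEYSTORE = r"c:\Infor\ERPLN\commonx64\security\keystore.p12"
SAMPLE_PASSWORD = "changeit"  # value shown in the page's example file

# Constructed sample input: the example ssl.properties from this page.
SAMPLE = ("keystore: c:\\Infor\\ERPLN\\commonx64\\security\\nlbaltoolsdev.p12\n"
          "password: changeit\n")


def parse_ssl_properties(text):
    """Parse 'name: value' lines, splitting on the first colon only so that
    a Windows path keeps its drive letter."""
    props = {}
    for line in text.splitlines():
        name, sep, value = line.partition(":")
        if sep:
            props[name.strip()] = value.strip()
    return props


def audit_ssl_properties(text, mode=None):
    """Return (effective_keystore, findings). mode is the file's st_mode;
    None skips the POSIX permission check (Windows ACLs are not read here)."""
    props = parse_ssl_properties(text)
    findings = []
    keystore = props.get("keystore")
    if not keystore:
        keystore = DEFAULT_KEYSTORE
        findings.append("keystore line omitted, default keystore applies")
    if props.get("password", "") in ("", SAMPLE_PASSWORD):
        findings.append("password missing, empty or still the sample value")
    if mode is not None and mode & (stat.S_IRWXG | stat.S_IRWXO):
        findings.append("file holds the keystore password but is open to group/other")
    return keystore, findings


def audit_file(path):
    """Audit an ssl.properties file on disk (hypothetical helper name)."""
    with open(path, encoding="utf-8") as fh:
        text = fh.read()
    mode = os.stat(path).st_mode if os.name == "posix" else None
    return audit_ssl_properties(text, mode)


if __name__ == "__main__":
    print(audit_ssl_properties(SAMPLE, mode=0o100644))
```

Pass the same path to audit_file that is given to blogind with -ssl when an alternative location is in use.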