Beruflich Dokumente
Kultur Dokumente
Integrating BMC Remedy Action Request System with Single Sign-On (SSO) Authentication Systems and Other Client-Side Login Intercept Technologies
Copyright 19912006 BMC Software, Inc. All rights reserved. BMC, the BMC logo, all other BMC product or service names, BMC Software, the BMC Software logos, and all other BMC Software product or service names, are registered trademarks or trademarks of BMC Software, Inc. All other trademarks belong to their respective companies. BMC Software, Inc., considers information included in this documentation to be proprietary and confidential. Your use of this information is subject to the terms and conditions of the applicable end user license agreement or nondisclosure agreement for the product and the proprietary and restricted rights notices included in this documentation. For license information about the OpenSource files used in the licensed program, please read
OpenSourceLicenses.pdf. This file is in the \Doc folder of the distribution CD-ROM and in the
documentation download portion of the product download page. Restricted Rights Legend
U.S. Government Restricted Rights to Computer Software. UNPUBLISHED -- RIGHTS RESERVED UNDER THE COPYRIGHT LAWS OF THE UNITED STATES. Use, duplication, or disclosure of any data and computer software by the U.S. Government is subject to restrictions, as applicable, set forth in FAR Section 52.227-14, DFARS 252.227-7013, DFARS 252.227-7014, DFARS 252.227-7015, and DFARS 252.227-7025, as amended from time to time. Contractor/Manufacturer is BMC Software, Inc., 2101 CityWest Blvd., Houston, TX 77042-2827, USA. Any contract notices should be sent to this address.
Contacting Us If you need technical support for this product, contact Customer Support by email at support@remedy.com. If you have comments or suggestions about this documentation, contact Information Development by email at doc_feedback@bmc.com. This edition applies to version 7.0 of the licensed program.
White Paper
White Paper
Introduction
Many forces in the marketplace today are leading companies to rethink how they control access to applications within their environment. The traditional prompt for user name and password is not meeting the needs of these customers. One key example is the mixed application environment. When users are accessing a series of related applications, how do they move from application to application without having to re-enter their user information for each application? How can they seamlessly flow between applications in a secure and safe way? Single sign-on technologies allow for this type of interaction. Another example is improved security. Some customers are looking at a more secure method for connecting. This might be using the secure card technology or a biometric validation methodology. The goal is to require additional data that is more personal and more difficult to duplicate. In these cases and others, the key is to change the way that applications gather credentials but to still allow access to the system with the same capabilities and security as if the application had been started in the traditional way. The focus of this white paper is to discuss the mechanisms within the BMC Remedy Action Request System (AR System) environment for addressing these types of requirements. The discussion starts with an overview of the approach and philosophy of how to solve the problem. It continues with details of the work required in clients to implement this capability and the work required on the server to complete the implementation and ensure security within the environment. Everything discussed in this paper is available with AR System 7.0. The concepts apply to 7.0 and later releases of the system. Details of parameters and calls might change slightly between releases, so verify the interfaces with the version of the system you are using. Some portions of this implementation are available in earlier versions of the system (for example, Web client and AR System server plug-in support is available in 6.3), but for full support for all aspects, you must be using version 7.0.
from the technology you are integrating with. A user name must be obtained, and other information is usually obtained to verify the user. For more information, see: Web client (6.3 and later) on page 6 Windows client (7.0 and later) on page 10 Custom API program on page 14
2 On the server, given the set of credentials and using the technology you are
integrating with, validate that the user is a valid user. (This is a critical step in the process.) For more information, see ServerAREA (6.0 and later) on page 14.
3 Configure the server options so that the server will pass the credentials to
your authentication check and allow the code to perform the authentication. For more information, see Server configuration (various releases for different options) on page 16. You might be using several authentication methodologies at the same time. You can use an SSO environment within the office but have users enter their user name and password if they are working from home. This strategy allows you to mix multiple methods and let the authentication automatically validate against each of them. This approach allows you to integrate with any technology or environment for authentication. It completes the journey begun with the introduction of the AREA feature of the AR System server for external authentication in version 6.0. You can now link to technologies on the client to provide a complete, end-to-end implementation of using an external environment or technology for authentication within the system.
Overall philosophy and architecture 5
White Paper
The following sections discuss what is needed within each piece of the product.
Authenticator
The plug-in to the mid tier consists of three routines: init, destroy, and getAuthenticatedCredentials. You must implement these routines in Java and then register them for your code to be called. Remember to copy the Java file to the appropriate location according to your definition so that it can be found.
The getAuthenticatedCredentials() method throws IOException to simplify the support of the methods of the HttpServetRequest and HttpServletResponse classes. In the default configuration of the mid tier, an instance of the com.remedy.arsys.session.DefaultAuthenticator class will perform the login and authentication.
init()
The authenticator should use the init() routine to perform initializations. The routine is called one time at startup of the mid tier. After the mid tier instantiates an instance of the authenticator by using reflection, it builds an object of type java.util.Properties using the properties specified in the file that the arsystem.authenticator.config.file entry indicates in the config.properties file. This file is a map of the name-value order pairs. For example:
arsystem.authenticator.config.file=myauthenticator.properties
In a normal deployment, the myauthenticator.properties property file, (used in the example) must be in the same directory as the config.properties file (for example, in WEB-INF/classes). If no entry for the authenticator init file exists in the config.properties file or if the mid tier cannot locate or open the file referenced in the arsystem.authenticator.config.file entry, the mid tier creates an empty properties object. This object is then passed into the init() method.
White Paper
If any of the parameters that can be externalized are needed during the authenticator initialization process, they should be placed in a separate file. The file name must be registered in the config.properties file under the arsystem.authenticator.config.file entry.
destroy()
When the mid tier is being unloaded from the application server, it calls the destroy() method of the authenticator. Any cleanup of resource usage should be done here.
getAuthenticatedCredentials()
The getAuthenticatedCredentials() method is the main method of the plug-in. This method is called for each user who connects to the system. The implementation of this method is divided into two cases (depending on the SSO environment configuration): When the mid tier is deployed behind a proxyThe mid tier is deployed in an SSO environment where each request that reaches the mid tier is guaranteed to have been authenticated. The getAuthenticatedCredentials() method is called only when the mid tier must retrieve the user credentials to establish a session for the user. Here, the method must return the UserCredentials object. The objects value is used to establish a session for the user, and then it is wrapped and passed, as is, to the AR System server when the mid tier constructs a request on behalf of the user. If the returned UserCredentials object is in an invalid format (for example, missing the user name), the mid tier will default to the DefaultAuthenticator, the normal login mechanism of the mid tier. In summary, if the mid tier is deployed behind a proxy, guaranteeing that any request reaching the mid tier has been authenticated, then the getAuthenticatedCredentials() method will extract the user credentials that are specific to the protocol of the SSO environment from the request, construct a UserCredentials object, and return that object as the return value.
When the mid tier is not deployed behind a proxyThe mid tier is deployed so that it must route unauthenticated requests to a configured SSO service. It has the additional responsibility of routing the pre-session establishment requests to the SSO service. This is achieved by synchronizing the mid tier with the configured authenticator. The mid tier will invoke the getAuthenticatedCredentials() method only when it needs to establish a session for the user. In the context of pre-session establishment, when the user request arrives, the mid tier calls the getAuthenticatedCredentials() method, passing both the HttpServletRequest and HttpServletResponse objects. At this point, the authenticator examines the HttpServletRequest object to see whether the SSO token is embedded inside the HttpServletRequest. (The embedding protocol is specific to the SSO environment.) If the token is embedded, the method extracts the information, constructs a UserCredentials object, and returns this object as the return value. If the token is not embedded, the method embeds the routing information to the SSO service in the HttpServletResponse object and returns null. When the mid tier receives null, it routes the HttpServletResponse object to the Servlet container so that the user request is redirected to the SSO service. After the SSO service has authenticated the user, it embeds the SSO token in the HttpServletRequest object, reconstructs the original request, and routes it back to the mid tier. At this point, the behavior is the same as described in the first case.
White Paper
This is the default authenticator that displays the login screen. It will be used if you do not have an alternate authenticator defined. Only one registration is permitted for the instantiation of the mid tier, so only a single alternate authenticator mechanism is allowed for an instance of the mid tier.
BMC Remedy User and BMC Remedy Alert include a hook that allows you to specify a DLL that will be called instead of the login page at startup. This DLL can do whatever work you wantinteract with other systems, open windows, perform calculations, and so on. This DLL returns the users login information, which would have come from the login page. If the DLL is not present or if there is a problem getting the information, see Fallbacks and the default login page on page 10. At startup, the login page is launched (unless the user preference has been set to remember login information). Whenever the login page is launched at startup, BMC Remedy User and BMC Remedy Alert will look for the ARSSOInfo.dll DLL with two methods exposed: ARGetSSOLoginCredentials and ARGetSSOServerInformation. (The second method is optional).
Important: The ARSSOInfo.dll DLL must be placed in the same directories from which BMC Remedy User and BMC Remedy Alert are launched; otherwise, the DLL will not be found.
ARGetSSOLoginCredentials
The following method provides credentials for the user.
void ARGetSSOLoginCrendentials( ARSSOUserCredentialsStruct *pUserCredentialStruct)
The method should load data into the structure for return to the AR System. This call must be implemented in the DLL. The goal of this method is to return a user name and additional information such as a password or a key for the user. This password or key should be dynamic and tied into the authentication method you will use on the server to validate this user.
Note: BMC Remedy User allocates all memory for the structure. The fields are initialized before the method is called. The DLL is responsible for updating the appropriate fields in the structure. The DLL must not allocate memory for this structure (but it can allocate and free any temporary storage it might need for processing), and the DLL must not write data outside the length limits of the fields.
11
White Paper
Following is an example:
struct ARSSOUserCredentialsStruct { char* m_szARUserName; char* m_szARPassword; char* m_szARAuthenticationString; BOOL m_bARUsingPreferenceServer; int m_nARNumberOfServers; };
The maximum length is 254 bytes. The string must be null terminated. A value must be specified for this field. There is no default value. bytes. The string must be null terminated. The default is an empty string.
m_szARPasswordThe password for the user. The maximum length is 30 m_szARAuthenticationStringThe authentication string for the user.
The maximum length is 2000 bytes (254 bytes for versions of 7.0 before patch 2 of BMC Remedy User because an incorrect length was used initially). The string must be null terminated. The default is an empty string.
m_bARUsingPreferenceServerA flag indicating whether the login will be using a preference server. If set to TRUE, a preference server is expected and the m_nARNumberOfServers field must have a value of 1 or greater. If set to FALSE, there is no preference server. The default is FALSE. m_nARNumberOfServersThe number of servers that will be specified by the plug-in for this user. If this parameter is set to 0, no additional servers are expected. If set to a number greater than 0, the ARGetSSOServerInformation method will be called to get the list of servers. If the m_bARUsingPrefereceServer flag is set to TRUE, the value of this parameter must be at least 1 to accommodate the preference server. The default is 0.
ARGetSSOServerInformation (optional)
The following method is optional:
void ARGetSSOServerInformation( ARSSOServerInformation *pServerInfo)
If the user wants to provide only login credentials and does not want to provide server list information, this method is not needed. If the method is not present, the system will use the default mechanism of looking at the local configuration file to determine which servers to connect to. If the server count field from the ARGetSSOLoginCredentials specifies a count of the number of servers of greater than 0, this method is required. Treat the parameter as an array of items with each item having the structure described. The size of the array is determined by the server count returned in the ARGetSSOLoginCredentials method. The server identified in the first element of the list is treated as the preference server if the login credentials have indicated a preference server is being used.
Note: BMC Remedy User allocates all memory for the structure. The fields are initialized before the method is called. The DLL is responsible for updating the appropriate fields in the structure. The DLL must not allocate memory for this structure (but it can allocate and free any temporary storage it might need for processing), and the DLL must not write data outside the length limits of the fields.
Following is an example:
struct ARSSOServerInformation { char* m_szARServerName; int m_nARTCPNum; int m_nARRPCNum; };
The maximum length is 254 bytes. The string must be null terminated. A value must be specified for this field. There is no default value.
m_nARTCPNumThe TCP socket to which you will connect on this server. Setting the value to 0 indicates that there is no predefined TCP socket to
connect to (or you will look it up using portmapper). The default value is 0.
m_nARRPCNumThe RPC socket to which you will connect on the AR System server. Setting the value to 0 indicates you are not locking to a
specific RPC socket and will let the system determine which socket to route to. The default value is 0.
13
White Paper
Other clients of the AR System server must be investigated to determine if you can integrate with the same alternate login techniques of the clients provided with the system.
15
White Paper
A key characteristic of AREA is that the plug-in is used for authentication, but it can also optionally supply authorization information. A plug-in can return information like the user's email address, a group list, and a license type (although it cannot return a Fixed license). If the plug-in does not supply this information, it can be obtained from the user record within the AR System. If the authorization information is in neither place, the email address is the login name, the user is in no groups, and the user is defined to have a read license. This is also further documented in the discussion of the AREA environment in the BMC Remedy Action Request System 7.0 Integrating with Plug-ins and Third Party Products guide.
This option should be used when you want to define characteristics of the user (such as email address, licensing, group information) in AR System but have authentication occur outside. So, you can have authorization within the AR System User form but authentication outside.
17
White Paper
The Authentication-Chaining-Mode setting in the ar.cfg (ar.conf) file allows you to configure the behavior of the system. The values supported are defined in the following table.
Behavior Setting
0 Use the default behavior as in pre-6.3 release (that is, authenticate either with AR System or with AREA depending on the settings of other configuration options).
Use AR System internal authentication first, then use external 1 authentication via the AREA plug-in. Use external authentication via the AREA plug-in first, then use AR System internal authentication.
2
Separate from this setting is the idea of having multiple AREA plug-ins to authenticate against many different external sources. In all cases of the chaining in the table, authentication via the AREA plug-in includes situations with one plug-in and those having multiple plug-ins. For those situations having multiple AREA plug-ins, the system can be set up to use the AREA plug-in hub. The AREA plug-in hub provides a sequential chaining of multiple AREA plug-ins. From the AR System perspective, there is one AREA plug-inthe AREA hub. That hub then traverses the various plug-ins registered with it until it gets a successful authentication or runs out of plug-ins to try. The use and configuration of the AREA plug-in hub is documented in the BMC Remedy Action Request System 7.0 Integrating with Plug-ins and Third Party Products guide.
Maximum number of bad password attempts before invalidating the account (7.0 and later)
The option that sets a maximum number of bad password attempts is related to authentication within the AR System server environment only. Any rules or checking for bad password attempts through other environments are enforced strictly through that environment.
Any AREA plug-in that interacts with an external environment will count any failed validation against that environment as a bad authentication attempt. This is even though there might be a successful validation against another plug-in in the chain. The net effect can be a problem. If logins are allowed using numerous mechanisms, you should attempt the most common or the ones with no lockout early in the list so you do not lock out an account through checks against one environment when the user is logging in using a different environment. The AR System option to limit the number of bad password attempts has a bad attempt recorded only if the login fails all of the tests. This means that when you want to include AR System authentication in the authentication chain, configure the chaining to try the AR System authentication first. This is because a failure there will not count against you if some other authentication works, and, if AR System authentication succeeds, you prevent the bad attempts against other authentication mechanisms.
Code samples
You can use the following sample code to help you create AREA plug-ins for Windows or the Web.
Code samples
19
White Paper
// This dll just needs to assign values. // eg: strcpy(pUserCredentialStruct->m_szARUserName,"Demo"); pUserCredentialStruct->m_nARNumberOfServers=2; } }//End 'extern "C" extern "C" { __declspec(dllexport) void ARGetSSOServerInformation(ARSSOServerInformation *pServerInfo) { // The required memory for struct ARSSOServerInformation is allocated by user tool, // This dll just needs to assign values. // eg: strcpy(pServerInfo[0].m_szARServerName, "ServerName1"); pServerInfo->m_nARTCPNum = 3040; pServerInfo->m_nARRPCNum = 390622; strcpy(pServerInfo[1].m_szARServerName, "ServerName2"); } }//End 'extern "C"
Code samples
21
White Paper