× The internal search function is temporarily non-functional. The current search engine is no longer viable and we are researching alternatives.
As a stop gap measure, we are using Google's custom search engine service.
If you know of an easy to use, open source, search engine ... please contact support@midrange.com.


  1.  Home
  2. MIDRANGE-L
  3. August 2021

RE: SSO from user application

We use Kerberos for iACS 5250 sessions, Netserver mapped drives, ODBC data sources, and a 3rd party GUI application.
We have a new 3rd party HTTP app, which we were attempting to add SSO to. (many changes to this, HTTP config, browser changes, 3rd party app.)

The 3rd party vendor decided to go the SAML route for the SSO solution.
Their HTTP app will integrate with WSO2 for authentication.
We are in the process of setting that up.

Paul

-----Original Message-----
From: MIDRANGE-L <midrange-l-bounces@xxxxxxxxxxxxxxxxxx> On Behalf Of Vern Hamberg
Sent: Monday, August 2, 2021 10:20 AM
To: midrange-l@xxxxxxxxxxxxxxxxxx
Subject: Re: SSO from user application

________________________________
CAUTION: This email originated from outside of the PENCOR network. Do not click on any links or open attachments unless the sender is known, and the content is verified as safe.
________________________________

I agree totally with Jim. I actually enabled an application for SSO when I worked for an ISV. There are several APIs, as you found, to help with this. There is also a slightly different kind of EIM relationship for applications. That application had its own user and password setup. The SSO stuff we built up even worked when using the web version of the app.

Your vendor needs to do the work, though.

Good luck!
Vern

On 8/2/2021 6:34 AM, Jim Oberholtzer wrote:
Don,

You are correct, the application would need to be updated to use the Kerberos Tokens. Those that have done this have tied it to the application menu system where the app already enforces authorization. In the case I’m thinking of the menu was in place already. (It was an older copy of BPCS that already had app authority built in). Lots of work in AD to build the individual menus for each users or groups.

Depending on the size and scope of the app, it’s a big job, or not that complicated. Less than 5 security points might be worth trying. More than that, well it’s a geometric curve in effort.

Jim Oberholtzer
Agile Technology Architects



On Aug 2, 2021, at 1:34 AM, Don Brown via MIDRANGE-L <midrange-l@xxxxxxxxxxxxxxxxxx> wrote:

We recently set up Single Sign On (SSO) as a Proof of concept (PoC)

This is working and iACS 5250 sessions are able to connect using SSO

Now I am asked how this could be applied to a third part application
which is not something I know much about.

The third party application is authenticating with the IBMi and I can
see the jobs in a user created sub-system with individual user profile names.

From my understanding of SSO when a user attempts to connect to a
system where source and target have been defined in SSO the
application for example iACS 5250 session will send a request to the
SSO source to obtain a token and then pass that token to the IBMi
which process the authentication/Logon.

So I am presuming there may be API's that can be used to do this, a
quick search revealed a lot of EIM related API's

So my question is more along the line of has anyone done this and is
there a roadmap of how to build the components to add SSO to a third
party application ?

Thank you for any feedback

Don




--
This email has been scanned for computer viruses. Although MSD has taken reasonable precautions to ensure no viruses are present in this email, MSD cannot accept responsibility for any loss or damage arising from the use of this email or attachments..
--
This is the Midrange Systems Technical Discussion (MIDRANGE-L)
mailing list To post a message email: MIDRANGE-L@xxxxxxxxxxxxxxxxxx
To subscribe, unsubscribe, or change list options,
visit: https://lists.midrange.com/mailman/listinfo/midrange-l
or email: MIDRANGE-L-request@xxxxxxxxxxxxxxxxxx
Before posting, please take a moment to review the archives at
https://archive.midrange.com/midrange-l.

Please contact support@xxxxxxxxxxxxxxxxxxxx for any subscription related questions.

Help support midrange.com by shopping at amazon.com with our
affiliate link: https://amazon.midrange.com

--
This is the Midrange Systems Technical Discussion (MIDRANGE-L) mailing list To post a message email: MIDRANGE-L@xxxxxxxxxxxxxxxxxx To subscribe, unsubscribe, or change list options,
visit: https://lists.midrange.com/mailman/listinfo/midrange-l
or email: MIDRANGE-L-request@xxxxxxxxxxxxxxxxxx
Before posting, please take a moment to review the archives at https://archive.midrange.com/midrange-l.

Please contact support@xxxxxxxxxxxxxxxxxxxx for any subscription related questions.

Help support midrange.com by shopping at amazon.com with our affiliate link: https://amazon.midrange.com

As an Amazon Associate we earn from qualifying purchases.

This thread ...
Follow-Ups:
Replies:
Follow On AppleNews
Return to Archive home page | Return to MIDRANGE.COM home page

This mailing list archive is Copyright 1997-2024 by midrange.com and David Gibbs as a compilation work. Use of the archive is restricted to research of a business or technical nature. Any other uses are prohibited. Full details are available on our policy page. If you have questions about this, please contact [javascript protected email address].

Operating expenses for this site are earned using the Amazon Associate program and Google Adsense.