× The internal search function is temporarily non-functional. The current search engine is no longer viable and we are researching alternatives.
As a stop gap measure, we are using Google's custom search engine service.
If you know of an easy to use, open source, search engine ... please contact support@midrange.com.


  1.  Home
  2. MIDRANGE-L
  3. August 2021

RE: SSO from user application

Thanks Paul,

did you do the kerberos integration for the 3rd party GUI application ?

If you did is there anything you can share ?

Thanks

Don






From: "Steinmetz, Paul via MIDRANGE-L" <midrange-l@xxxxxxxxxxxxxxxxxx>
To: "midrange-l@xxxxxxxxxxxxxxxxxx" <midrange-l@xxxxxxxxxxxxxxxxxx>
Cc: "Steinmetz, Paul" <PSteinmetz@xxxxxxxxxx>
Date: 03/08/2021 12:51 AM
Subject: RE: SSO from user application
Sent by: "MIDRANGE-L" <midrange-l-bounces@xxxxxxxxxxxxxxxxxx>



We use Kerberos for iACS 5250 sessions, Netserver mapped drives, ODBC data
sources, and a 3rd party GUI application.
We have a new 3rd party HTTP app, which we were attempting to add SSO to.
(many changes to this, HTTP config, browser changes, 3rd party app.)

The 3rd party vendor decided to go the SAML route for the SSO solution.
Their HTTP app will integrate with WSO2 for authentication.
We are in the process of setting that up.

Paul

-----Original Message-----
From: MIDRANGE-L <midrange-l-bounces@xxxxxxxxxxxxxxxxxx> On Behalf Of Vern
Hamberg
Sent: Monday, August 2, 2021 10:20 AM
To: midrange-l@xxxxxxxxxxxxxxxxxx
Subject: Re: SSO from user application

________________________________
CAUTION: This email originated from outside of the PENCOR network. Do not
click on any links or open attachments unless the sender is known, and the
content is verified as safe.
________________________________

I agree totally with Jim. I actually enabled an application for SSO when I
worked for an ISV. There are several APIs, as you found, to help with
this. There is also a slightly different kind of EIM relationship for
applications. That application had its own user and password setup. The
SSO stuff we built up even worked when using the web version of the app.

Your vendor needs to do the work, though.

Good luck!
Vern

On 8/2/2021 6:34 AM, Jim Oberholtzer wrote:
Don,

You are correct, the application would need to be updated to use the
Kerberos Tokens. Those that have done this have tied it to the
application menu system where the app already enforces authorization. In
the case I’m thinking of the menu was in place already. (It was an older
copy of BPCS that already had app authority built in). Lots of work in
AD to build the individual menus for each users or groups.

Depending on the size and scope of the app, it’s a big job, or not that
complicated. Less than 5 security points might be worth trying. More
than that, well it’s a geometric curve in effort.

Jim Oberholtzer
Agile Technology Architects



On Aug 2, 2021, at 1:34 AM, Don Brown via MIDRANGE-L
<midrange-l@xxxxxxxxxxxxxxxxxx> wrote:

We recently set up Single Sign On (SSO) as a Proof of concept (PoC)

This is working and iACS 5250 sessions are able to connect using SSO

Now I am asked how this could be applied to a third part application
which is not something I know much about.

The third party application is authenticating with the IBMi and I can
see the jobs in a user created sub-system with individual user profile
names.

From my understanding of SSO when a user attempts to connect to a
system where source and target have been defined in SSO the
application for example iACS 5250 session will send a request to the
SSO source to obtain a token and then pass that token to the IBMi
which process the authentication/Logon.

So I am presuming there may be API's that can be used to do this, a
quick search revealed a lot of EIM related API's

So my question is more along the line of has anyone done this and is
there a roadmap of how to build the components to add SSO to a third
party application ?

Thank you for any feedback

Don




--
This email has been scanned for computer viruses. Although MSD has
taken reasonable precautions to ensure no viruses are present in this
email, MSD cannot accept responsibility for any loss or damage arising
from the use of this email or attachments..
--
This is the Midrange Systems Technical Discussion (MIDRANGE-L)
mailing list To post a message email: MIDRANGE-L@xxxxxxxxxxxxxxxxxx
To subscribe, unsubscribe, or change list options,
visit: https://lists.midrange.com/mailman/listinfo/midrange-l
or email: MIDRANGE-L-request@xxxxxxxxxxxxxxxxxx
Before posting, please take a moment to review the archives at
https://archive.midrange.com/midrange-l.

Please contact support@xxxxxxxxxxxxxxxxxxxx for any subscription
related questions.

Help support midrange.com by shopping at amazon.com with our
affiliate link: https://amazon.midrange.com

--
This is the Midrange Systems Technical Discussion (MIDRANGE-L) mailing
list To post a message email: MIDRANGE-L@xxxxxxxxxxxxxxxxxx To subscribe,
unsubscribe, or change list options,
visit: https://lists.midrange.com/mailman/listinfo/midrange-l
or email: MIDRANGE-L-request@xxxxxxxxxxxxxxxxxx
Before posting, please take a moment to review the archives at
https://archive.midrange.com/midrange-l.

Please contact support@xxxxxxxxxxxxxxxxxxxx for any subscription related
questions.

Help support midrange.com by shopping at amazon.com with our affiliate
link: https://amazon.midrange.com

As an Amazon Associate we earn from qualifying purchases.

This thread ...
Follow-Ups:
Replies:
Follow On AppleNews
Return to Archive home page | Return to MIDRANGE.COM home page

This mailing list archive is Copyright 1997-2024 by midrange.com and David Gibbs as a compilation work. Use of the archive is restricted to research of a business or technical nature. Any other uses are prohibited. Full details are available on our policy page. If you have questions about this, please contact [javascript protected email address].

Operating expenses for this site are earned using the Amazon Associate program and Google Adsense.