For the 3rd party application, these two lines had be added to the legasuite.ini file.
AutomaticSignOn=3
KerberosPrincipal=FQDN
Paul
From: Don Brown <DBrown@xxxxxxxxxx>
Sent: Monday, August 2, 2021 6:07 PM
To: Midrange Systems Technical Discussion <midrange-l@xxxxxxxxxxxxxxxxxx>
Cc: MIDRANGE-L <midrange-l-bounces@xxxxxxxxxxxxxxxxxx>; Steinmetz, Paul <PSteinmetz@xxxxxxxxxx>
Subject: RE: SSO from user application
Thanks Paul,
did you do the kerberos integration for the 3rd party GUI application ?
If you did is there anything you can share ?
Thanks
Don
From: "Steinmetz, Paul via MIDRANGE-L" <midrange-l@xxxxxxxxxxxxxxxxxx<mailto:midrange-l@xxxxxxxxxxxxxxxxxx>>
To: "midrange-l@xxxxxxxxxxxxxxxxxx<mailto:midrange-l@xxxxxxxxxxxxxxxxxx>" <midrange-l@xxxxxxxxxxxxxxxxxx<mailto:midrange-l@xxxxxxxxxxxxxxxxxx>>
Cc: "Steinmetz, Paul" <PSteinmetz@xxxxxxxxxx<mailto:PSteinmetz@xxxxxxxxxx>>
Date: 03/08/2021 12:51 AM
Subject: RE: SSO from user application
Sent by: "MIDRANGE-L" <midrange-l-bounces@xxxxxxxxxxxxxxxxxx<mailto:midrange-l-bounces@xxxxxxxxxxxxxxxxxx>>
________________________________
We use Kerberos for iACS 5250 sessions, Netserver mapped drives, ODBC data sources, and a 3rd party GUI application.
We have a new 3rd party HTTP app, which we were attempting to add SSO to. (many changes to this, HTTP config, browser changes, 3rd party app.)
The 3rd party vendor decided to go the SAML route for the SSO solution.
Their HTTP app will integrate with WSO2 for authentication.
We are in the process of setting that up.
Paul
-----Original Message-----
From: MIDRANGE-L <midrange-l-bounces@xxxxxxxxxxxxxxxxxx<mailto:midrange-l-bounces@xxxxxxxxxxxxxxxxxx>> On Behalf Of Vern Hamberg
Sent: Monday, August 2, 2021 10:20 AM
To: midrange-l@xxxxxxxxxxxxxxxxxx<mailto:midrange-l@xxxxxxxxxxxxxxxxxx>
Subject: Re: SSO from user application
________________________________
CAUTION: This email originated from outside of the PENCOR network. Do not click on any links or open attachments unless the sender is known, and the content is verified as safe.
________________________________
I agree totally with Jim. I actually enabled an application for SSO when I worked for an ISV. There are several APIs, as you found, to help with this. There is also a slightly different kind of EIM relationship for applications. That application had its own user and password setup. The SSO stuff we built up even worked when using the web version of the app.
Your vendor needs to do the work, though.
Good luck!
Vern
On 8/2/2021 6:34 AM, Jim Oberholtzer wrote:
Don,
You are correct, the application would need to be updated to use the Kerberos Tokens. Those that have done this have tied it to the application menu system where the app already enforces authorization. In the case I’m thinking of the menu was in place already. (It was an older copy of BPCS that already had app authority built in). Lots of work in AD to build the individual menus for each users or groups.
Depending on the size and scope of the app, it’s a big job, or not that complicated. Less than 5 security points might be worth trying. More than that, well it’s a geometric curve in effort.
Jim Oberholtzer
Agile Technology Architects
On Aug 2, 2021, at 1:34 AM, Don Brown via MIDRANGE-L <midrange-l@xxxxxxxxxxxxxxxxxx<mailto:midrange-l@xxxxxxxxxxxxxxxxxx>> wrote:
We recently set up Single Sign On (SSO) as a Proof of concept (PoC)
This is working and iACS 5250 sessions are able to connect using SSO
Now I am asked how this could be applied to a third part application
which is not something I know much about.
The third party application is authenticating with the IBMi and I can
see the jobs in a user created sub-system with individual user profile names.
From my understanding of SSO when a user attempts to connect to a
system where source and target have been defined in SSO the
application for example iACS 5250 session will send a request to the
SSO source to obtain a token and then pass that token to the IBMi
which process the authentication/Logon.
So I am presuming there may be API's that can be used to do this, a
quick search revealed a lot of EIM related API's
So my question is more along the line of has anyone done this and is
there a roadmap of how to build the components to add SSO to a third
party application ?
Thank you for any feedback
Don
--
This email has been scanned for computer viruses. Although MSD has taken reasonable precautions to ensure no viruses are present in this email, MSD cannot accept responsibility for any loss or damage arising from the use of this email or attachments..
--
This is the Midrange Systems Technical Discussion (MIDRANGE-L)
mailing list To post a message email: MIDRANGE-L@xxxxxxxxxxxxxxxxxx<mailto:MIDRANGE-L@xxxxxxxxxxxxxxxxxx>
To subscribe, unsubscribe, or change list options,
visit: https://lists.midrange.com/mailman/listinfo/midrange-l
or email: MIDRANGE-L-request@xxxxxxxxxxxxxxxxxx<mailto:MIDRANGE-L-request@xxxxxxxxxxxxxxxxxx>
Before posting, please take a moment to review the archives at
https://archive.midrange.com/midrange-l.
Please contact support@xxxxxxxxxxxxxxxxxxxx<mailto:support@xxxxxxxxxxxxxxxxxxxx> for any subscription related questions.
Help support midrange.com by shopping at amazon.com with our
affiliate link: https://amazon.midrange.com<https://amazon.midrange.com/>
--
This is the Midrange Systems Technical Discussion (MIDRANGE-L) mailing list To post a message email: MIDRANGE-L@xxxxxxxxxxxxxxxxxx<mailto:MIDRANGE-L@xxxxxxxxxxxxxxxxxx> To subscribe, unsubscribe, or change list options,
visit:
https://lists.midrange.com/mailman/listinfo/midrange-l
or email: MIDRANGE-L-request@xxxxxxxxxxxxxxxxxx<mailto:MIDRANGE-L-request@xxxxxxxxxxxxxxxxxx>
Before posting, please take a moment to review the archives at
https://archive.midrange.com/midrange-l.
Please contact support@xxxxxxxxxxxxxxxxxxxx<mailto:support@xxxxxxxxxxxxxxxxxxxx> for any subscription related questions.
Help support midrange.com by shopping at amazon.com with our affiliate link:
https://amazon.midrange.com<
https://amazon.midrange.com/>
--
This is the Midrange Systems Technical Discussion (MIDRANGE-L) mailing list
To post a message email: MIDRANGE-L@xxxxxxxxxxxxxxxxxx<mailto:MIDRANGE-L@xxxxxxxxxxxxxxxxxx>
To subscribe, unsubscribe, or change list options,
visit:
https://lists.midrange.com/mailman/listinfo/midrange-l
or email: MIDRANGE-L-request@xxxxxxxxxxxxxxxxxx<mailto:MIDRANGE-L-request@xxxxxxxxxxxxxxxxxx>
Before posting, please take a moment to review the archives
at
https://archive.midrange.com/midrange-l.
Please contact support@xxxxxxxxxxxxxxxxxxxx<mailto:support@xxxxxxxxxxxxxxxxxxxx> for any subscription related questions.
Help support midrange.com by shopping at amazon.com with our affiliate link:
https://amazon.midrange.com<
https://amazon.midrange.com/>
As an Amazon Associate we earn from qualifying purchases.