Administering : Authentication in Focal Point : Authenticating by using Web Single Sign-On : Enabling Web Single Sign-On
  
Enabling Web Single Sign-On
You can enable Web Single Sign-On (Web SSO) by running SQL commands in the SQL interface. You must be a global administrator to enable Web SSO.
Before you begin
Identify a Web SSO server for authentication.
Configure the network so that Focal Point can be accessed by using the Web SSO server (HTTP proxy).
Ensure that for all users in Focal Point whose authentication is set to Web Single Sign-On, the Web SSO user names that are sent in the HTTP headers by the Web SSO server, is identical to the login names in Focal Point.
Make sure that you know how Web SSO affects Focal Point. For more information, see Effects of enabling Web Single Sign-On.
Note When a user is authenticated, Web SSO adds HTTP headers to each user request.
About this task
Focal Point can check a maximum of three HTTP headers that are sent by the Web SSO server. Focal Point checks these headers by default:
 
Header
Description
HTTP_SM_AUTHENTIC
Checked for existence. The headers must contain a valid value but the value is not checked.
HTTP_SM_AUTHORIZED
Checked for existence. The headers must contain a valid value but the value is not checked.
HTTP_SM_USER
Checked for the user name and matched with the login names of Web SSO users.
If the headers that are sent by the Web SSO server is different than the default headers, or is less than three headers, the Focal Point administrator must execute the required SQL queries.
Procedure
1 Configure the Web SSO solution
Configure at least one HTTP header to contain the user name of the authenticated user. The user name must be the same as the login name of a Web SSO user in Focal Point.
A maximum of three HTTP headers can be configured to contain the user name of the authenticated user. Default HTTP header names can be replaced by the names provided by the user.
After the headers are configured, the Web SSO solution includes these headers in the HTTP requests.
2 Configure Focal Point.
If the headers that are sent by the Web SSO server are different from the default headers, run a query to map the default header name to the actual header name that is sent by the Web SSO server. For example, to configure Focal Point to check for a header USER_ID instead of the default header HTTP_SM_AUTHENTIC during Web SSO login, the administrator must run this SQL query:
insert into configurationproperties (name,value) values ('HTTP_SM_AUTHENTIC','USER_ID')
The same query can be run to map the other two default headers. After the queries are run, Focal Point verifies only the new headers.
If Web SSO server sends less than three headers, run a query to check only the header that is sent. For example, if the Web SSO server sends only the SSO_USER_HEADER header, map the default headers to SSO_USER_HEADER by running the following SQL queries:
insert into configurationproperties (name,value) values ('HTTP_SM_AUTHENTIC','SSO_USER_HEADER')
insert into configurationproperties (name,value) values ('HTTP_SM_AUTHORIZED','SSO_USER_HEADER')
insert into configurationproperties (name,value) values ('HTTP_SM_USER','SSO_USER_HEADER')
3 Click the Settings icon Settings icon and then, from the Advanced group, click SQL.
4 At the command prompt, type:
update configurationproperties set value='true' where name='websso.enable'
5 Restart the server.
6 In Focal Point, select Administration from the User menu. Click Users and then click Administer Users. For the users who you want to authenticate by using Web SSO, set the Authentication attribute to Web Single Sign-On.
Go up to
Authenticating by using Web Single Sign-On