Adobe LiveCycle (Archived)

aoatak · 2/13/08

Hi,

How can auto login to Workspace ES can be achieved?

Thanks.

Jasmin_Charbonn · 2/13/08

You can integrate LiveCycle with HTTP Header based authentication. Once it's configured properly (form the Administrative console), you'll be able to login to Workspace without entering user name ans password (if the http header contains the unique identifier for the user name).

Jasmin

aoatak · 2/14/08

As I understand I should set HTTP Header based authentication and identify the user credential in a configuration file.

Can you tell, how can I configure HTTP Header based authentication from Administrative Console? And also where is the user credential should be defined?

Thanks.

Jasmin_Charbonn · 2/14/08

Go under Settings > User Management > Configuration > Portal Configuration

Then select Enable portal Single Sign-On (SSO): Yes

SSO type: HTTP Header

*Http header for unique identifier: This is going to be the name of the HTTP header that will contain the unique identifier for the user.

The unique identifier needs to match the "Unique Identifier" LDAP attribute when you setup your LDAP under Domain Management. That's how it's going to be able to recognize the user.

For example, let's say I have a HTTP header called UID which has a value of jcharbon.

HTTP header for domain: This is the name of another HTTP header that will contain a hard coded value that will use to map to a specific domain. The value can be anything.

For example , let's say I have a HTTP header called DomainID which has the value of default.

Domain mapping: This is going to map the hard coded value received from the HTTP header for domain to a valid LDAP domain ID. Go under Settings > User Management > Domain Management to get the ID from your LDAP domain

For example you can have the following: default=MyLDAPDomain

Which tell all HTTP headers that have the value "default", to go and get the users from the LDAP domain with id MyLDAPDomain.

You don't have to store anything locally. You just need to pass the name of the user ID as part of the http header to get in.

Jasmin

_samita_ · 3/13/08

I am trying to test setting up a SSO. I have defined a ldap domain and set up the sso settings under portal configuration. I am trying to test the sso using http header modifier that simply adds the required headers. But it does not seem to be working. Does livecycle write any logs that I can use to find out why it is not working ?

HowardTreisman · 4/3/08

We have a single-signon solution for Workspace.

You can read more about it here:

http://www.avoka.com/avoka/single_signon.shtml

Howard

kc · 6/30/08

Hi there

I can't seem to setup the configuration correctly, can you please help me a little?

- How do I know which HTTP header for the unique ID I have?

- How do I know which HTTP header for the domain I have?

- How do I know how to setup the domain mpping?

I am using LC 8.0 with SP2 on WIndows 2003 Server. (Turnkey with JBOSS/MySQL)

Sincerely

Kim

chetanm_oct · 7/2/08

It depends on your environment. Typically Header based SSO would work with third party security solutions like SiteMinder

They have there own UI where you can configure what attribute of a user are to be mapped to which header. The attributes are obtained from the directory server.

-How do I know which HTTP header for the unique ID I have

In your domain configuration page in AdminUI you would have specified the attribute name to be used for user's uniqueId. Say if you use SunOne directory server it would be nsuniqueId. So in SiteMinder console you would configure it to map the user's nsuniqueid to any HTTP header say uniqueid.

Then set this header name in adminui as detailed by Jasmin above

- This is required if you also have the domain information. This is an optional attribute then user would be searched in all domains. This would be required to configure if you have multiple user having same userid but in different domains

kc · 7/2/08

Hi again,

Thanks for the explanation, however I just realized that what I need is Kerberos authentication with Windows and the LDAP. Can I do this in LC 8.0 and what about LC 8.2 and how?).

Sincerely

Kim

Jasmin_Charbonn · 7/3/08

The next release of LiveCycle (Update 1) will support SPNEGO which allows you to use the Microsoft kerberos token to authenticate against web applications.

This will only work in a Microsoft environment (MS Active Directory, MS domain controller, MS kerberos).

Jasmin

Report · 7/13/08

Samita,

Try these settings:

In FireFox using the Modify Headers plugin, add and enable these 2 headers:

Header 1:

Name = Domain

Value = DefaultDom

Header 2:

Name = UserID

Value = kvarsen

# where username is some known user name. In LDAP it would be DN. If you installed the samples with Livecycle, the kvarsen user id will work.

In LiveCycle's Portal Configuration page set these settings:

SSO type: HTTP Header

Http header for unique identifier: HTTP header for domain: Domain mapping: UserID

HTTP header for domain: Domain

Domain mapping: Domain=DefaultDom

With all this set you'll be able to go the the URL without UID and password prompt:

http://[servername]/workspace

There's more to a deployed configuration, but this should help for start.

Thanks,

Todd.

kc · 9/2/08

Hi again Jasmin,

Can you help me setup the Kerberos single sign on, it does not seem to work as I expected.

Sincerely

Kim

Report · 11/19/08

Hi Jasmin,

If we do not have Active Directory, is there a way to bypass the login screen using cookies? I would need to obviously write some sort of login servlet to handle this, correct? Has this been done before?

Jasmin_Charbonn · 11/19/08

If you don't use AD, you can leverage SSO using HTTP Headers.

As you said, you would need to build some servlets to set those up.

I use the Modify Headers Firefox plug-in to test my SSO. This plugin allows you to set the HTTP headers of your browser.

At least you know if you've configured the HTTP Headers properly from adminui.

Jasmin

Report · 1/9/09

Hello.

Can you please guide me how to write a servlet that will add http header to a request and forward it to Workspace?

I have written an servlet which uses Requestdispatcher and include or forward method to route request to Workspace context, and while Network monitor shows that some data is routed to Workspace, the Workspace GUI does not show in my browser when I call this servlet I've written directly.

Thanks!

Report · 1/12/09

So programming servlet i made:

public class CustReq extends HttpServletRequestWrapper{

public CustReq(HttpServletRequest request) {

super(request);

}

@Override

public String getHeader(String name) {

if ("UserID".equalsIgnoreCase(name)) {

return "myuser";

}

return super.getHeader(name);

}

}

And then used in a Filter method:

public void doFilter(ServletRequest arg0, ServletResponse arg1,

FilterChain arg2) throws IOException, ServletException {

CustReq wrapp = new CustReq((HttpServletRequest)arg0);

arg2.doFilter(wrapp, arg1);

}

And finally bound filter to RedirectorServlet which has following code in doGet():

ServletContext context =

getServletContext().getContext("/Workspace_cust/Main.html");

RequestDispatcher rd = context.getRequestDispatcher("/Main.html");

rd.include(req, res);

Then I integrated this classes to Workspace_cust.ear, modifying web.xml and adding .class files.

Now when I navigate with my browser to ../Workspace_cust/RedirectorServlet I get redirected to Main.html as I should be, but there is still login screen! I tested SSO using FF modify headers plugin and also by making servlet like this in doGet:

PrintWriter out = res.getWriter();

out.println("Userid header is " +req.getHeader("UserID"));

And I get the Correct values!

So please help me how do I set/add http headers in Java Servlet.

Thank you in advance

HowardTreisman · 2/20/09

Hi Andrej

I'm not trying to dissuade you from trying, but we've done this, and it was seriously difficult. If you'd like to consider re-using what we've built rather than building it yourself, please see:

http://www.avoka.com/avoka/single_signon.shtml

or send an email to info@avoka.com

Otherwise, good luck! :-)

Howard

Gary_Gilchrist · 2/21/09

In LiveCycle ES Update 1 we support the SPNEGO protocol used by Windows to authenticate desktop users to our Web Applications (Workspace, Admin console etc). This works in a Windows Domain using Active Directory.

Also LiveCycle can be configured to rely on SSO products that initially set a user token identifier in HTTP Headers.

Our documentation provides some background info:

http://www.adobe.com/go/learn_lc_administration_82

If you can use one of these approaches, then a nice benefit is that forms opened in Workspace will propagate the same SSO user when they call a LiveCycle Web Service.

Adobe LiveCycle (Archived)

Workspace AutoLogin

Learn

Documentation

Community

Support

Resources

Adobe account

Adobe