SSO on LSF9

Sort:
You are not authorized to post a reply.
Author
Messages
Joe O'Toole
Veteran Member
Posts: 314
Veteran Member

    We have been on LSF9 for a while now and are looking into moving our users from LID to Portal. We are a Windows shop and have LSF9 bound to AD. All of our employees including our Lawson application users use ESS/MSS as well. Some access ESS from workstations logged into Windows with generic account and some access ESS from their individual windows accounts. We also expire user Windows account passwords on a regular basis. Based on this, is it possible and or realisitc to try to configure Lawson to use true SSO so application users logged into the windows domain with their personal accounts do not need to re-enter their credentials for Lawson?

    Jimmy Chiu
    Veteran Member
    Posts: 641
    Veteran Member
      It's possible to do that but not recommended by lawson because LATM will need to be turned off. You can check article 84326 from lawson support for detail steps.
      Roger French
      Veteran Member
      Posts: 545
      Veteran Member

        That article is for 8.0.3 platforms BTW. And it doesn't really mention "Single Sign On" within the article.

        Joe:
        If you're asking is it possible for users to log on to the Windows domain, is there some way then to set up Lawson so they *won't* have to *manually* log on to Lawson portal- hmmmm... Do you really want that? You can I guees somehow store/cache user ID/PW in log in screens within I.E. so that once your logged into the domain, and then you point to your Lawson portal within your browser, it will automatically log you in.

        I know that it's possible to set up a scenario, so that once you're logged into Portal, you can open up new Portal sessions (under that same ID) without having to log in again. This is in I.E. 6.x. Try it in I.E. and select File>>New>>Window (after your inititially logged into Lawson Portal) and see for yourself.

        I think within the context of *Lawson* Single Sign On for LSF 9, it means that you log on to *Lawson Portal* once (the single), after initially logging into the Windows domain, e.g. Your desktop, it will then authenticate to all Lawson services that user is attached to (such as ESS, RSS, LBI, etc.) so you won't have to log in individually again to each one of them until you are logged out, or timed out.

        As far as password expiration on a regular basis on your Windows domain, if you are set up with a LDAP bind, then the expiration (and also the new reset password) will flow down to Lawson authentication also.

        -Roger

        Joe O'Toole
        Veteran Member
        Posts: 314
        Veteran Member
          Thanks for clarifying. I remember hearing about the limited implementation of SSO by Lawson a few years ago when LSF9 was first announced, but it sounds like there is still no delivered method of configuring Lawson to do this. It's a topic that came up here to make things easier for our users, but I share your concerns about allowing users to go directly into the application from Windows without supplying their credentials and caching is not something we would want to undertake.
          - Joe
          PaulJ
          Basic Member
          Posts: 9
          Basic Member
            I have a somewhat similar question: We have a .net application that we want to link to from the Lawson portal. Is there a way to pass the Lawson authentication credentials to our .net application so the user will not have to log in again? I checked out the Lawson IOS Application Program Interfaces documentation, specifically chapter 6, but that seems more related to authenticating an external app with Lawson to perform a task against the Lawson interface (where by the .net app is actually passing the credentials to Lawson, not vice versa as I need).

            How would I go about creating such a link? a web service of some sort? pardon my inexperience. any help is much appreciated. thanks.

            Alex Tsekhansky
            Veteran Member
            Posts: 92
            Veteran Member
              Paul - it is possible to do so, but will require a bit of coding.
              From Lawson point of view on a "low level" you're logged into Portal if your browser session to Lawson's web server has two (or three - depending on the version) cookies that have values corresponding to session numbers WebSphere knows about.
              So, the basic idea if developing something like that would be:

              1. You will make a custom login page that checked whether you're already logged in (by verifying whether you have the cookies and whether lawson servlets respond with some info when you try to so /sso/SSOServlet with the cookies)
              2. If you're not logged in, you would need to develop and CGI or a servlet to which you pass your current Windows session information and which can independently verify that you're indeed logged into Windows. That servlet will also create a new session in lawson for you on its own.
              3. The servlet should return the cookies it got from lawson to your browser, which should put them into the current session

              At that point you would be logged in into Portal. The 1 and 3 are very trivial to do. You should bind to custom LDAP server to do the second part of #2 the easy way. The first part of 2 (independently verifying whether you're logged into Windows is not as simple. It greatly depends on your domain/workgroup organization. Essentially the task is to give to the other machine an ability to verify that you're correctly logged into Windows from your PC. There are quite a few ways you can use, but they will depend on the organization of your Windows infrastructure.
              PaulJ
              Basic Member
              Posts: 9
              Basic Member
                Alex, thanks for the quick response. I'm glad you say #1 and #3 are trivial to do. Unfortunately, I'm lacking the knowledge on how to do both. Obviously, I can't ask you to give me the code that'll do it, I'd imagine I'd have to pay you for that , but maybe you could enlighten me on more specific information and/or psuedo/example code as to how to accomplish the tasks?

                I guess my issue is how do I "communicate" with the Lawson SSOServlet via asp.net/vb.net code as far as "verifying whether I have the cookies and whether lawson servlets respond with some info when I try to so /sso/SSOServlet with the cookies)" ?  I'd also would want to be able to pull back a few values from Lawson as well like User  full name, user network name, etc.

                As for #2, I probably won't do, and instead just make the user re-login though the asp.net form authentication login (verifies against LDAP) instead of trying to auto pass credentials from the windows session. especially since this external web app will only be linked to from within the lawson portal.

                Thanks again. Any help/advice is greatly appreciated.
                Alex Tsekhansky
                Veteran Member
                Posts: 92
                Veteran Member
                  Sure.

                  For #1 you should have a custom HTML page that will have javascript or vbscript that will be run on a browser. That code should check for the presence of cookies JSESSION and C.LWSN in 900 and also for another cookie (I think called SSO) in 901. If you run FIDDLER2 on /sso/SSOServlet, you can capture the whole session and get the right names of the cookies.
                  Once you get them, the same javascript/vbscript code should make an internal call to /sso/SSOServlet and see if you get a redirect. If you do, that means your cookies are wrong. If you do not, you code is 200 and you get the right message in the HTML body, that means you're logged in. After that you can redirect to standard index in /lawson/portal, and you will be logged in.

                  For #3 - suppose you get a servlet/CGI that can determine whether you're logged in correctly. Then it can return cookies (which are really string values in a header) back to the calling agent. Just transfer the value of those cookies back to your current session from the agent and you're logged in.

                  If you need to get additional values, just call /cgi-lawson/userenv.exe, /cgi-lawson/printenv.exe, /servlet/Profile and /servlet/SysEnv from your agent or servlet (depending where you need those. See the result, even in a browser. It's easy to parse, as in most cases it's one value per line.

                  The details greatly depend on the language chosen to do this. We have done implementation of it in PHP, java/javascript and PERL to name a few.
                  PaulJ
                  Basic Member
                  Posts: 9
                  Basic Member
                    thanks for the information. unfortunately, i'm not getting very far. i'm having trouble taking what you suggest to do and implementing as vb.net code.

                    to test for a cookie, i'm trying:

                    If Not Request.Cookies("C.LWSN") Is Nothing ...

                    but it is never finding the cookie.

                    When logging into Lawson while runing Fiddler, I see the following cookies get set in the reponse header:

                    Set-Cookie: C.LWSN=7W14SVu1yNABCiPZS1ADmMHhUDetcKoIkz0kD0ONeP!2BRr172VQqESw!3D!3D; Path=/

                    Set-Cookie: JSESSIONID=0000Mp6k9b94tuH57qKNZtqfOZN:-1; Path=/

                    and in the Request Header, it shows a cookie "SSO.TKM"

                    in the same broswer, but a different window i an running my vb.net code locally in debug mode and testing for the existance of the C.LWSN cookie, but it's not finding it.

                    I have also tried creating an http web request like:
                    (vb.net code)

                    LoginReq =  WebRequest.Create("http://lawsonserver:80/sso/SSOServlet")
                    LoginReq.Method = "GET"
                     LoginReq.UserAgent = "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2)"

                    LoginResp = LoginReq.GetResponse


                    but once i do, what exactly do i test the http web response for? You said to test for a redirect, but how would I test the response for a redirect?

                    And/or What am I doing wrong? could it not be detecting the cookie somehow since I'm running locally in debug mode?

                    Thanks, and again sorry for my not understanding how to accomplish this task.
                    adam
                    Posts: 3
                      Paul, Did you ever make any progress on this. I'm running into the same issue. Basically, I want to authenticate into Lawson behind the scenes (right now I'm hard coding a user/pass), and navigate into Lawson bypassing the login screen. I too have run some of the suggested code I've found, and was able to get and store the 2 cookies you mentioned above. However, I'm not sure what to do next. I've added the cookies to a .NET cookie container as well as "Response.Cookies.Add(theCookie)", and when I try to go to Lawson (in the same tab or another tab) I still get the Login screen. Any ideas?
                      Thanks.

                      -adam
                      PaulJ
                      Basic Member
                      Posts: 9
                      Basic Member
                        @adam,

                        no, never got any farther on it, as we decided not to go that route for the time being. However, now they're circling back and atleast wanting to kind of do the reverse.

                        I'm not trying to check in a .net application to see if the user is already logged into lawson. however, no matter what I do, it still reads that I'm NOT logged in, even when I am definitely logged into Lawson in a different tab in the same browser window. Not sure what to do at this point. Anyone out there that could help?


                         Dim lawsonURL As String = "http://lawson.mydomain.com/sso/SSOServlet?_action=PING&_ssoUpdateSession=TRUE"
                        
                                If Not IsPostBack Then
                                    Dim strLawsonSessionStatus As String = "false"
                                    Dim strLawsonUserName As String = ""
                                    Dim wc As New WebClient
                                    'Dim xmlText As String = wc.DownloadString(lawsonURL)
                                   Dim boolLoggedIn as boolean = false
                                    Dim webRequest As HttpWebRequest
                              
                        
                                    webRequest.UserAgent = "Mozilla/4.0 (compatible; MSIE 5.01; Windows NT 5.0)"
                                    webRequest.ContentType = "text/xml"
                                    webRequest.Method = "GET"
                                    webRequest.CookieContainer = cookies
                        
                                    Dim webResponse As WebResponse = webRequest.GetResponse
                                    Dim webStream As Stream = webResponse.GetResponseStream
                                    'Load stream
                                    Dim xmlDoc As New XmlDocument
                                    xmlDoc.Load(webStream)
                        
                                    'select any level nodes using xpath
                                    Dim Nodes As XmlNodeList = xmlDoc.SelectNodes("//SSO")
                        
                                    'iterate in selected nodes
                                    For Each node As XmlNode In Nodes
                                        If node.Name = "SSO" Then
                                            For Each childNode As XmlNode In node.ChildNodes
                                                If childNode.Name = "SESSIONSTATUS" Then
                                                    strLawsonSessionStatus = childNode.InnerText
                                                End If
                                                If strLawsonSessionStatus = "true" Then
                                                    boolLoggedIn = true
                                                    If childNode.Name = "USERNAME" Then
                                                        strLawsonUserName = childNode.InnerText
                                                    End If
                                                End If
                        
                                            Next
                                        End If
                        
                                        If strLawsonUserName <> "" Then
                                            litXML.Text = strLawsonUserName
                                        End If 
                        PaulJ
                        Basic Member
                        Posts: 9
                        Basic Member
                          anyone have any suggestions?
                          You are not authorized to post a reply.