Enable Logging on to Your VLF ONE Applications via Kerberos Single Sign On

Enable Logging on to Your VLF-ONE Applications via Kerberos (Single Sign-On)

This option is only for VLF-ONE applications that are run off an IBM i webserver with LANSA Integrator installed and licenced on the same IBM i.

To enable logging on to your VLF-ONE applications via Kerberos (Single Sign-On) you need to do the following:

1.	Get Kerberos operational on your network.
2.	Enrol all the user profiles in EIM so that each Windows user maps to an appropriate IBM i user profile.
3.	Install the VL-Web Integration Services Library in your partition. (This is installable from the IDE if you have EPC142060 installed. On the Tools tab -> Package Manager -> Packages -> Integration Library.)
4.	Test that Kerberos is working by using a simple test page DF_T77T1O. Components DF_T77T1O, DF_T77DSO, and DF_T77WJO are shipped with the VLF. Ensure they are present and compiled on your IBM i. (Check them in and compile them if they are not.) Use IE11 or Edge as the browser. First configure the site as a local intranet site in internet options in the browser: Execute web page DF_T77T1O on the IBM i webserver in the same way as you would start UF_OEXEC. For example: http://host:port/DC@PGMLIB/DEM/df_t77t1o.html?lang=eng&developer=yes On the screen that comes up, modify the Kerberos Validator url so that it points to your lansa integrator installation. or example: http://host:port/Service/ssoservice.jsp?storetoken=true (the port is often 5563) Press the 'Request an IBM i Token for this user' button. Ensure that you receive a Token and the correct IBM i user profile that your Windows profile is mapped to in the Kerberos EIM. If successful: Press the 'Validate Token on the IBM i server' button. Ensure that the status is OK and the user profile is the IBM i user profile that your Windows profile is mapped to. Proceed ONLY IF the previous checks are successful.
5.	In the source for your Visual LANSA Framework entry point web page (i.e. your version of web page UF_OEXEC): a) Alter the LogonHandlerId() parameter to be LogonHandlerId(“External=Kerberos”), b) Specify the KerberosValidatorUrl parameter, typically with a value like http://host:port/service/ssoservice.jsp?storetoken=true Where: Host is name of the IBM i server that has integrator installed Port is the port for lansa integrator (often 5563) For example: * Start VLF-ONE for your Framework #VLF_ONE.uInitialize Frameworkidentifer("MY_FRAMEWORK") Logonexpiry(90) Logonheaderpanelid("MY_LOGON") Logontrailerpanelid("MY_LOG_1") Passwordchangerid("") Mtxtloaderid(UF_OMULTI) Themecustomizerid("") Logonhandlerid("External=Kerberos") Kerberosvalidatorurl("http://lansa01.syd.lansa.com.au:5563/service/ssoservice.jsp?storetoken=true")
6.	To allow your VLF-ONE Framework to use SSO during logon, modify your server-side logon validation IIP (your version of UF_OLOGON). See IIP - Component to Validate VLF-ONE User Sign On. Modify the CheckUserCredentials method to handle the external logon details. Refer to comments and example code about how you might approach doing this in the shipped demonstration IIP named UF_OLOGON. See methods CheckUserCredentials and CheckToken. In method routine CheckUserCredentials, note these lines: If (#Com_Owner.UsedExternalLogon) If ((#EXTERNALLOGON_TOKEN NE blanks) And (#EXTERNALLOGON_TOKEN NE '<<NONE>>')) * Kerberos/SSO logon - IBM i Only * The token will determine who the user is #Com_Owner.CheckToken Tokenuser(#UserProfiletoCheck) Returncode(#MajorReturnCode) #UserNametoDisplay := #UserProfiletoCheck #uSystemCommon.TraceEvent From(#COM_OWNER) Text('CheckUserCredentials validated Kerberos token:' + #EXTERNALLOGON_TOKEN + ' as ' + #MajorReturnCode + '. User was ' + #UserProfiletoCheck) Systemtrace(False) Also see method routine CheckToken and its use of example CL program UF_3GCHKTK. The source for UF_3GCHKTK is shipped in source file UF_3GSRC, in the partition library, on the IBM i. This is just one example of how this could be implemented. You should design your own version according to your own requirements.
7.	If your VLF-ONE application is a RAMP TS application, you may be able to use Kerberos (Single Sign-On) by adding sso=true on to the axes url. You will need axes 4.20, and patch Axes_420000_Patch_162388 if using the axes jsm server, and - Axes RAMP Patch - Axes_420000_Patch_162419_RAMP_standalone.zip and axes will need to be configured for SSO. See Single Sign-On Support in the aXes documentation for more details of how to configure axes for SSO. Your version of UF_OSYSTM needs to be modified to add &sso=true to the axes url by adding a routine similar to this: Mthroutine Name(avRAMP_StartSession) Options(*REDEFINE) #WithAxesURL += "&AXESURLSTART" #WithAxesURL += "&sso=true" #WithAxesURL += "&AXESURLEND" #Continue := True Endroutine Add the routine to your version of UF_OSYSTEM, check it in and compile it.
8.	Browser configuration IE11 and Edge need to have the site registered as a local intranet site (as previously mentioned) Firefox requires Whitelisting: If you need to whitelist two uris use a value like this: lansa01.syd.lansa.com.au,lansa01 Comma separated, no spaces. (If for example the VLF-ONE start url has a different uri than the uri used to access integrator or axes) Navigate to about:config - confirm warning, a) Search for NTLM, find (if it doesn't exist, create it): network.automatic-ntlm-auth-trusted-uris Enter in your servers/domains For multiple values, use comma separated, for example: server1,server2,domain1.com,domain2.com,*.domain3.com Wildcards are acceptable. b) Search for Negotiate network.negotiate-auth.delegation-uris enter in same list as #2 network.negotiate-auth.trusted-uris same list Chrome requires whitelisting using regedit: Start regedit (when signed on as the user that is going to use the SSO Framework) Under Computer\HKEY_CURRENT_USER\Software\Policies Add a key for Google (if it doesn’t exist already) Under the Google key add a key for Chrome (if it doesn’t exist already) Then create two new string values belonging to Computer\HKEY_CURRENT_USER\Software\Policies\Google\Chrome String value 1 HIVE: HKEY_CURRENT_USER Key Path: Software\Policies\Google\Chrome Value Name: AuthNegotiateDelegateWhitelist (don't check default) Value Type: REG_SZ Value Data: <insert the comma separated list you had for firefox> String value 2 Hive: HKEY_CURRENT_USER Key Path: Software\Policies\Google\Chrome Value Name: AuthServerWhitelist (dont check default) Value Type: REG_SZ Value Data: <insert same comma separated list you had for firefox> The entries should look like this when you have finished: