Configuring Generic Single Sign-On using Waffle

This article describes the steps required to set up Generic Single Sign-On (SSO) to the YSoft SafeQ 5 web interface using Waffle 1.5. Configuring SSO requires advanced knowledge of system configuration and of working with configuration files.

NOTE: SSO is not supported on the ORS. The Desktop SafeQ Client works correctly with the ORS even without SSO.

Prerequisites

  • YSoft SafeQ must be installed on a server that is a member of the domain, because SSO relies on the operating system to authenticate the user.

  • The browser used for accessing the YSoft SafeQ web interface needs to have cookies enabled.

Configuration

1. Start with a clean YSoft SafeQ 5 installation with users replicated from Active Directory. Make sure YSoft SafeQ is installed on a server that is a member of a domain.

2. Log in to the YSoft SafeQ Web Interface with sufficient rights to administer system settings (for example "admin"). Go to System > System settings and change the following configuration:

  • set the ssoAuthenticationType property to Generic Single Sign-On (SSO).

  • set sso_cutDomainFromLogin to enabled.

3. Download Waffle 1.5 from http://code.dblock.org/downloads/waffle/Waffle.1.5.zip

4. Unzip Waffle.1.5.zip and copy the following files from the extracted folder Waffle\Bin to <SafeQ>\tomcat\lib:

WARN: Copying files other than those specified may lead to malfunction.

    • guava-13.0.1.jar

    • jna-3.5.0.jar

    • platform-3.5.0.jar

    • slf4j-api-1.7.2.jar

    • waffle-jna.jar

    • waffle-tomcat7.jar

5. Edit <SafeQ>\tomcat\conf\context.xml and insert the following two lines before the last line </Context>:

<Valve className="waffle.apache.NegotiateAuthenticator" />
<Realm className="waffle.apache.WindowsRealm" />

6. (Optional step) Edit <SafeQ>\tomcat\conf\logging.properties with an editor that supports Unix end-of-line markers (e.g. WordPad, but not Notepad) and add the following line at the very end:

waffle.apache.NegotiateAuthenticator.level = FINE

7. (Optional step) Edit <SafeQ>\tomcat\conf\server.xml so that users who are members of many groups can pass all their groups in the HTTP header; add the following attribute to the HTTP Connector element (the default is 8192):

maxHttpHeaderSize="65536"

8. Edit <SafeQ>\tomcat\conf\web.xml and insert one of the following texts before the last line </web-app>:

WARN: When the language of the hosting server is not English, the text <role-name>BUILTIN\Users</role-name> has to be replaced by the equivalent for your localization. For example, the German operating system equivalent is <role-name>VORDEFINIERT\Benutzer</role-name>. The correct name can be found with the command whoami /Groups on the command line.

NOTE: The order of the constraints is important.

A. If you only want to enable SSO and do not require automatic redirection to HTTPS, insert the following text:

<security-role>
  <role-name>BUILTIN\Users</role-name>
</security-role>
<!-- Do not apply Single Sign On constraint on ClientApplication - required for desktop client -->
<security-constraint>
  <web-resource-collection>
    <!-- Desktop Client -->
    <url-pattern>/img/*</url-pattern>
    <url-pattern>/web/client/*</url-pattern>
    <url-pattern>/servlet/web.client.CheckJobDeliveryServlet</url-pattern>
    <url-pattern>/servlet/web.client.ClientBillingCodesServlet</url-pattern>
    <url-pattern>/servlet/web.client.ClientHttpServlet</url-pattern>
    <url-pattern>/servlet/web.client.ClientJobSaveServlet</url-pattern>
    <url-pattern>/servlet/web.client.ClientLoginServlet</url-pattern>
    <url-pattern>/servlet/web.client.ClientRecentBillingCodesServlet</url-pattern>
    <url-pattern>/servlet/web.client.PriceEstimateServlet</url-pattern>
    <url-pattern>/servlet/web.client.PrinterListServlet</url-pattern>
    <url-pattern>/servlet/web.client.SharedQueueServlet</url-pattern>
    <url-pattern>/servlet/web.client.TestSession</url-pattern>
    <url-pattern>/servlet/web.client.VIPQueueServlet</url-pattern>
    <!-- Mobile Print Server -->
    <url-pattern>/servlet/web.mobile.MobileConfigurationServlet</url-pattern>
    <url-pattern>/servlet/web.mobile.MobileLicenseServlet</url-pattern>
    <!-- Job history API - parameter jobLogApiUserLogin -->
    <url-pattern>/servlet/com.ysoft.safeq.api.AddJobLogServlet</url-pattern>
    <!-- SafeQ CML cluster installation -->
    <url-pattern>/servlet/LoginServlet</url-pattern>
    <url-pattern>/servlet/web.DatabaseCheckDumpServlet</url-pattern>
    <url-pattern>/servlet/web.DatabaseDownloadServlet</url-pattern>
    <url-pattern>/servlet/web.DatabaseDumpServlet</url-pattern>
  </web-resource-collection>
</security-constraint>

<!-- Apply SSO on the rest of web -->
<security-constraint>
  <web-resource-collection>
    <web-resource-name>YSoft SafeQ</web-resource-name>
    <url-pattern>/*</url-pattern>
    <http-method>GET</http-method>
    <http-method>POST</http-method>
  </web-resource-collection>
  <auth-constraint>
    <role-name>BUILTIN\Users</role-name>
  </auth-constraint>
</security-constraint>

B. If you want to enable SSO and at the same time have all HTTP requests automatically redirected to HTTPS, insert the following text:

NOTE: It is recommended to set up a trusted SSL certificate when automatic redirection to HTTPS is enabled.

<security-role>
  <role-name>BUILTIN\Users</role-name>
</security-role>
<!-- Do not apply Single Sign On constraint on ClientApplication - required for desktop client -->
<security-constraint>
  <web-resource-collection>
    <!-- Desktop Client -->
    <url-pattern>/img/*</url-pattern>
    <url-pattern>/web/client/*</url-pattern>
    <url-pattern>/servlet/web.client.CheckJobDeliveryServlet</url-pattern>
    <url-pattern>/servlet/web.client.ClientBillingCodesServlet</url-pattern>
    <url-pattern>/servlet/web.client.ClientHttpServlet</url-pattern>
    <url-pattern>/servlet/web.client.ClientJobSaveServlet</url-pattern>
    <url-pattern>/servlet/web.client.ClientLoginServlet</url-pattern>
    <url-pattern>/servlet/web.client.ClientRecentBillingCodesServlet</url-pattern>
    <url-pattern>/servlet/web.client.PriceEstimateServlet</url-pattern>
    <url-pattern>/servlet/web.client.PrinterListServlet</url-pattern>
    <url-pattern>/servlet/web.client.SharedQueueServlet</url-pattern>
    <url-pattern>/servlet/web.client.TestSession</url-pattern>
    <url-pattern>/servlet/web.client.VIPQueueServlet</url-pattern>
    <!-- Mobile Print Server -->
    <url-pattern>/servlet/web.mobile.MobileConfigurationServlet</url-pattern>
    <url-pattern>/servlet/web.mobile.MobileLicenseServlet</url-pattern>
    <!-- Job history API - parameter jobLogApiUserLogin -->
    <url-pattern>/servlet/com.ysoft.safeq.api.AddJobLogServlet</url-pattern>
    <!-- SafeQ CML cluster installation -->
    <url-pattern>/servlet/LoginServlet</url-pattern>
    <url-pattern>/servlet/web.DatabaseCheckDumpServlet</url-pattern>
    <url-pattern>/servlet/web.DatabaseDownloadServlet</url-pattern>
    <url-pattern>/servlet/web.DatabaseDumpServlet</url-pattern>
  </web-resource-collection>
</security-constraint>

<!-- Apply SSO on the rest of web -->
<security-constraint>
  <web-resource-collection>
    <web-resource-name>YSoft SafeQ</web-resource-name>
    <url-pattern>/*</url-pattern>
    <http-method>GET</http-method>
    <http-method>POST</http-method>
  </web-resource-collection>
  <auth-constraint>
    <role-name>BUILTIN\Users</role-name>
  </auth-constraint>
  <user-data-constraint>
    <transport-guarantee>CONFIDENTIAL</transport-guarantee>
  </user-data-constraint>
</security-constraint>

9. Restart the YSoft SafeQ CML service and then the YSoft SafeQ Web Interface service.

10. Now open the web interface from a workstation that is a member of the domain while logged in as a domain user whose account is replicated in YSoft SafeQ. You should not be asked for credentials.
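As an added check (example code, not part of this article or of the Waffle project), the following Python script verifies that an edited web.xml has the constraint layout from step 8: the role is declared, the desktop-client exclusion comes first and carries no auth-constraint, the catch-all on /* is protected by the role, and, for option B, the CONFIDENTIAL transport guarantee is present. The embedded web.xml is a constructed minimal sample, and check_sso_constraints is a hypothetical helper name.

```python
import xml.etree.ElementTree as ET

# Constructed minimal web.xml following the option B layout from step 8.
SAMPLE_WEB_XML = r"""<web-app>
<security-role><role-name>BUILTIN\Users</role-name></security-role>
<security-constraint>
<web-resource-collection>
<url-pattern>/web/client/*</url-pattern>
<url-pattern>/servlet/web.client.ClientLoginServlet</url-pattern>
</web-resource-collection>
</security-constraint>
<security-constraint>
<web-resource-collection>
<url-pattern>/*</url-pattern>
</web-resource-collection>
<auth-constraint><role-name>BUILTIN\Users</role-name></auth-constraint>
<user-data-constraint><transport-guarantee>CONFIDENTIAL</transport-guarantee></user-data-constraint>
</security-constraint>
</web-app>"""


def _local(tag):
    # Drop a namespace such as {http://java.sun.com/xml/ns/javaee} if present
    return tag.split("}", 1)[-1]


def _texts(elem, name):
    # Text of every descendant element with the given local name
    return [(e.text or "").strip() for e in elem.iter() if _local(e.tag) == name]


def check_sso_constraints(xml_text, role=r"BUILTIN\Users", require_https=False):
    """Return a list of findings; an empty list means the layout matches step 8."""
    root = ET.fromstring(xml_text)
    findings = []
    roles = [t for sr in root if _local(sr.tag) == "security-role"
             for t in _texts(sr, "role-name")]
    if role not in roles:
        findings.append(f"security-role {role} is not declared (check the localized name)")
    constraints = [c for c in root if _local(c.tag) == "security-constraint"]
    if len(constraints) < 2:
        return findings + ["expected the client exclusion constraint followed by the catch-all"]
    first, last = constraints[0], constraints[-1]
    # The exclusion block comes first and must neither require a role nor cover /*
    if _texts(first, "role-name") or "/*" in _texts(first, "url-pattern"):
        findings.append("first constraint must be the unauthenticated desktop-client exclusion")
    if "/*" not in _texts(last, "url-pattern") or role not in _texts(last, "role-name"):
        findings.append(f"last constraint must protect /* with role {role}")
    if require_https and _texts(last, "transport-guarantee") != ["CONFIDENTIAL"]:
        findings.append("last constraint lacks <transport-guarantee>CONFIDENTIAL</transport-guarantee>")
    return findings
```

Run it on the real file with `check_sso_constraints(open(path, encoding="utf-8").read(), role=..., require_https=True)` and pass the localized role name from whoami /Groups on non-English servers.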

Web browser configuration

Internet Explorer

Ensure that Integrated Windows Authentication is enabled.

  1. Choose the Tools, Internet Options menu.

  2. Click the Advanced tab.

  3. Scroll down to Security.

  4. Check Enable Integrated Windows Authentication.

  5. Restart the browser.

The target website must be in the Intranet Zone.

  1. Navigate to the website.

  2. Choose the Tools, Internet Options menu.

  3. Click the Local Intranet icon.

  4. Click the Sites button.

  5. Check Automatically detect intranet network.

  6. For localhost, click Advanced.

  7. Add http://safeq_server_hostname to the list.


Chrome

Same as Internet Explorer: Chrome on Windows uses the Internet Options settings configured above.


Firefox

  1. Type about:config in the address bar and hit enter.

  2. Type network.negotiate-auth.trusted-uris in the Filter box.

  3. Put your server name as the value. If you have more than one server, enter them all as a comma-separated list.

  4. Close the tab.