Configuring Single Sign On

From Opentaps Wiki
Jump to navigationJump to search


This article introduces a simple Single Sign-On (SSO) configuration for opentaps in a Windows network. In our solution, opentaps is deployed on Tomcat 5.5 behind Microsoft Internet Information Server (IIS) 6 on a Windows 2003 Server. IIS 6 is configured to use the Integrated Windows Authentication (IWA) mechanism to authenticate HTTP requests. When a Windows network user successfully authenticates with IIS, the network user ID is added to the requests by IIS, which can be used by opentaps to create the user login context required to access various opentaps resources.

This solution assumes that a corresponding user login exists in opentaps for each Windows network user who wishes to have access to opentaps application, and that the user is granted with appropriate opentaps security permissions. For details on how to configure opentaps users and permissions, refer to Wiki page at We will show you step-by-step on how to configure IIS 6 and opentaps to support SSO in the following sections.

Configuring IIS

This article assumes that you are reasonably familiar with the Microsoft Internet Information Services, and you have already installed IIS 6.

To connect IIS to the opentaps Tomcat server, we will leverage the Apache Tomcat Connector which can be downloaded at The Tomcat connector is an IIS ISAPI plug-in which allows IIS to send JSP and Servlets requests to opentaps. In this configuration example, all the Tomcat connector files are stored or created in <OPENTAPS_HOME>\jakarta.

1. Creating the worker file

The worker file is used by the Tomcat connector to locate the opentaps Tomcat server. The following example will create an IIS worker process called erpdev which connects to the opentaps Tomcat server on Port 8009 using AJP 1.3.

        worker.list = erpdev
        worker.erp.type = ajp13 = localhost
        worker.erp.port = 8009

2. Creating the URI worker mapping file

The following URI mappings allow IIS to send every HTTP request to the opentaps server except the default Home page and those with the opentaps_images context.


3. Creating the ISAPI redirect file

This configuration file tells the Tomcat connector where to find the worker file and the URI worker mapping file that we created in the above steps.

        # The Path to the ISAPI Redirector Extension, Relative to the website.
        # This must be in a virtual directory with execute privileges

        #Full Path to the Log File for the ISAPI Redirector

        #Log Level (debug, info, warn, error or trace)

        #Full Path to the File

        #Full Path to the File


4. Configuring ISAPI Redirector

In this step, we are going to configure IIS to use the ISAPI filter to redirect the opentaps requests.

        - Open the Internet Information Services Manager.
        - Expand the local computer entry, until you see the default Web site.
        - Right-click on the default Web site and select Virtual Directory from the New menu.
        - Select the Next button and enter the value jakarta in the Alias text box.
        - Browse to the directory containing the isapi_redirector.dll file, which in our case should be <OPENTAPS_HOME>/jakarta/ and select the Next button.
        - Make sure that you have the permissions set to read, run, and execute.
        - Now continue through the Virtual Directory Wizard, until you select the Finish button at the end.
        - Finally we need to add the ISAPI Redirector to the default Web site, so right-click on the default Web site and select Properties.
        - Select the ISAPI Filters tab and press the Add button.
        - Enter the filter name mod_jk and browse to select the isapi_redirector.dll file.
        - Now press the OK button until you are back at the Internet Information Services Manager main screen.

Configuring Opentaps

In this SSO solution, the default Web site is configured to use Integrated Windows Authentication, so that only the authenticated Windows users will be able to access the opentaps server. For the authenticated user requests, IIS will let them get through. It will also add the user ID to the requests before they are redirected to the opentaps server by the Tomcat connector. We must then turn off opentaps Tomcat server’s own authentication so that opentaps application will be able to retrieve the remote user ID from the HTTP requests and use it to populate the opentaps user login context. This can be achieved by setting the property value of tomcatAuthentication to false in the ajp-container section of framework/base/config/ofbiz-containers.xml as follows.

        <property name="ajp-connector" value="connector">
            <!-- see for reference -->
            <property name="allowTrace" value="false"/>
            <property name="emptySessionPath" value="false"/>
            <property name="enableLookups" value="false"/>
            <property name="maxPostSize" value="2097152"/>
            <property name="protocol" value="AJP/1.3"/>
            <property name="proxyName" value=""/>
            <property name="proxyPort" value=""/>
            <property name="redirectPort" value=""/>
            <property name="scheme" value="http"/>
            <property name="secure" value="false"/>
            <property name="URIEncoding" value="UTF-8"/>
            <property name="useBodyEncodingForURI" value="false"/>
            <property name="xpoweredBy" value="true"/>
            <!-- AJP/13 connector attributes -->
            <property name="address" value=""/>
            <property name="backlog" value="10"/>
            <property name="maxSpareThreads" value="50"/>
            <property name="maxThreads" value="200"/>
            <property name="minSpareThreads" value="4"/>
            <property name="port" value="8009"/>
            <property name="tcpNoDelay" value="true"/>
            <property name="soTimeout" value="60000"/>
            <property name="tomcatAuthentication" value="false"/>

Finally we need to set the property value of password.accept.encrypted.and.plain to true in framework\security\config\ This will allow the requests with a remote user ID to pass through the opentaps security system.