Service Manager 9.21 and Single sign-on
Respected Contributor
Kelalek
Posts: 255
Registered: ‎07-30-2009
Message 1 of 11 (4,057 Views)
Accepted Solution

Service Manager 9.21 and Single sign-on

Hey,

Just a few questions regarding this:

1) Is SSL necessary to implement a single sign-on feature?
2) We have a combination of MS Server 2008 R2 which runs Apache (as a web tier). Is IIS a "must" to have an SSO feature, or are a Windows workstation and Apache able to do the user recognition alone?

Any recently updated manual/guide to build a successful SSO is welcome. I've read many threads and guides, but they're often SM7.11 era or older. Which means IIS has changed since, as well as Service Manager itself...

thanks!
Valued Contributor
JustinN
Posts: 221
Registered: ‎01-11-2011
Message 2 of 11 (4,057 Views)

Re: Service Manager 9.21 and Single sign-on

The guide from the forums is still accurate for IIS 7.0 (Server 2008 R2). However, instead of tabs, just click on the menu item you would normally right-click on and the properties will load in the main portion of the window, along with some additional ones in the right-side panel. They are named close to each other if they are not the same as in IIS 6.0 (older version of IIS).
The scripts you just need to make are at the end.
The reason SSL is recommended is because you are passing usernames and passwords between locations. You can also set up a certificate (self-signed or verified) for IIS and that will help with the Web-tier too.

The Service Manager help file "Configure LW-SSO for Service Manager" was useful to get the client SSO working.
Also, to know what the ini configuration settings and commands do, the help "List: SSL Parameters" will be of great service.
Respected Contributor
Kelalek
Posts: 255
Registered: ‎07-30-2009
Message 3 of 11 (4,057 Views)

Re: Service Manager 9.21 and Single sign-on

Thanks, ffennitsuj. I have that document already. Maybe somebody could update that document to match it with IIS7?

One question regarding that document - already at a step there is a phrase "Make sure you have set up SM properly with a web client running using Tomcat/IIS 6.0 with ISAPI filter".

Currently we connect to the Service Manager web tier on Apache Tomcat. Does this document expect that, before implementing changes, I should be able to log in to Service Manager (using username/password), which is still running in Apache Tomcat, but with the connection handled by IIS7?

And if so, is there documentation on how to do this and how to test that Service Manager on IIS7 works?
Valued Contributor
JustinN
Posts: 221
Registered: ‎01-11-2011
Message 4 of 11 (4,057 Views)

Re: Service Manager 9.21 and Single sign-on

You should be able to connect to ServiceManager before following these directions through the web-portal and eclipse client.

For the directions I have attached them. I am assuming you are talking strictly about steps 10 and 11 which is why those are the only two I added.

To be fully honest, these directions are accurate. They worked for me for SSL and SSO. Yes, I had to make some accommodations by reading the "Help" information on SSL parameters, but you can't get away with not understanding the system and just following directions.

Other important notes about implementing on SM 9.21 vs 7:
The application-context.xml will affect the web-portal login/authentication. If the web page says it cannot display this page when this is turned on, it's because you have to add the account that you are currently logged in to for your domain to the system.
The sm.ini will have sslConnector:0; I set it to 1 for it to work.
I did not do the "isapi filter" directions. They just broke my system. Skip to the sm.cfg with the stipulation to ignore the "initstring password" if you didn't set one up.
At this point I follow the LW-SSO directions from the help. In these directions the webui enabled="false" instead of true. We also skipped step 5 as it didn't work with SSO because it changes the web-login authentication.

So in short, make sure your ServiceManager is working before following these directions. You may have to have already known and set up accounts, the default admin (I believe is falcon). Then run these directions; then, if the eclipse login isn't working, try the help guide "Configure LW-SSO in Service Manager" with my stipulations and you should be working.
Valued Contributor
JustinN
Posts: 221
Registered: ‎01-11-2011
Message 5 of 11 (4,057 Views)

Re: Service Manager 9.21 and Single sign-on

For some reason the document was removed when I previewed before posting. Here you go!
Respected Contributor
Kelalek
Posts: 255
Registered: ‎07-30-2009
Message 6 of 11 (4,057 Views)

Re: Service Manager 9.21 and Single sign-on

(Well, I thought I wrote yesterday one more reply but here I go again)

Again, thanks for your reply. You wrote:

"I did not do the "isapi filter" directions. They just broke my system. Skip to the sm.cfg with the stipulation to ignore the "initstring password" if you didn't set one up."

Well, actually my first question was about the first step of the instructions, but thanks for updating the other steps. The first step says that I should already have a running Apache/IIS system with ISAPI filter before attempting single sign-on tweaks. Could you please tell me whether this ISAPI filter is really needed? When I checked the LW-SSO instructions from the Service Manager help, it wasn't mentioned at all?

I'm a bit puzzled by all these instructions, which seem to vary quite a lot? Has anybody succeeded in making single sign-on work with the instructions listed in the SM920 help document "Configuring HP Service Manager to Use the SSL-based Trusted Sign-On and LW-SSO"?
Valued Contributor
JustinN
Posts: 221
Registered: ‎01-11-2011
Message 7 of 11 (4,057 Views)

Re: Service Manager 9.21 and Single sign-on

We configured our isapi filter at a different time. I did not configure it using the directions from the forum guide. The red marks changes so the isapi filter should be fine with the "default" settings.
MSDN has a good read about ISAPI and what it does. But so you know, "ISAPI filters always run on an IIS server." So whether or not you use it, it will be available for later use.
I did read the guide from the Help but I got a better understanding from the guide previously attached.
Advisor
Xitij
Posts: 13
Registered: ‎08-01-2011
Message 8 of 11 (3,937 Views)

Re: Service Manager 9.21 and Single sign-on

Hi,

I have set up the webclient via Tomcat. IIS 7 is also installed on my win 2008 server (64 bit). I have configured all the parts of redirecting IIS to Tomcat.

When I type http://localhost, it will open my Tomcat Manager page.

Under that, my SM webtier has been deployed. I need to implement SSO here. Please help me to configure it here.

I have a SM/INDEX.DO or ESS.DO link on my company's intranet page. As and when we click on that, authentication should be done automatically, bypassing the login screen of HPSM.

Please help me in this regard. Need your immediate help.

Thanks,

K**bleep**ij Sheth

mail id : crazyboys11@gmail.com ; k**bleep**ijsheth11@yahoo.com

Advisor
Xitij
Posts: 13
Registered: ‎08-01-2011
Message 9 of 11 (3,079 Views)

Re: Service Manager 9.21 and Single sign-on

Problem has been solved. Please contact me if you have any questions regarding this.

Frequent Advisor
naveenmsn
Posts: 36
Registered: ‎07-17-2011
Message 10 of 11 (2,545 Views)

Re: Service Manager 9.21 and Single sign-on

Hi Xitij,

I have come across the same kind of issue.

We have single sign-on enabled and it's asking for Windows credentials every time, while users were already logged into the web portal.

Could you please help me: how can we stop the pop-ups which come up asking for credentials every time? If we check "remember password", it still keeps asking.

Please help me solve this issue; how can I stop the pop-ups?
I did all the changes which were needed from the browser Internet Options side, but still no luck.

Thanks

Naveen

Occasional Visitor
DMode
Posts: 1
Registered: ‎10-24-2013
Message 11 of 11 (1,451 Views)

Re: Service Manager 9.21 and Single sign-on

Please, can you tell me how to do the SSO implementation? We follow the documents in our labs without success. We have a Win Server 2008 with IIS 6.0, and we can't see activity in (for example) the isapi_redirect log file...

Thanks.
