
Integrate with HP Single Sign-On

HP Single Sign-On (HP SSO) is included with CSA. It provides seamless login when an application is launched from the Cloud Service Management Console or the Marketplace Portal. HP SSO must be installed and configured on the target application before single sign-on can be integrated between it and CSA.

This guide provides details about how to integrate HP SSO between the Cloud Service Management Console and the following:

This guide also provides details about how to integrate HP SSO between the Marketplace Portal and HPE IT Business Analytics; see Configure the Showback Report Menu.

You must configure a user with the same name in both CSA and the other application for single sign-on. You can also configure LDAP users for single sign-on. To enable single sign-on for LDAP users, either configure CSA and the application to use the same LDAP source or, if they use different LDAP sources, configure the same users in both sources. In either case, the CSA user must be assigned a role that grants access to the tiles that launch the application, and the application user must be assigned a role that allows it to perform the expected functions in the application (for example, viewing flows or viewing reports).

Important HP SSO is enabled by default for the Cloud Service Management Console and the Marketplace Portal.

HP Single Sign-On can be disabled, but not selectively: you cannot disable it only for the Cloud Service Management Console or only for the Marketplace Portal. HP SSO is either disabled for all applications or for none. See the next section, Disable HP Single Sign-On (HPSSO), for details.

Disable HP Single Sign-On (HPSSO)

If you intend to disable HP Single Sign-On for all applications, you must complete the following two tasks:

Caution If you disable HP SSO, seamless login without a password prompt between the Marketplace Portal, CSA, OO, HPE IT Business Analytics, and any other application with LWSSO/HPSSO support will no longer work.

Configure the Cloud Service Management Console

To disable validation of the HP SSO token in the Cloud Service Management Console, complete the following steps:

  1. Navigate to the CSA_HOME/jboss-as/standalone/deployments/csa.war/WEB-INF directory.
  2. Make a backup copy of the applicationContext-security.xml file.
  3. Open the applicationContext-security.xml file in a text editor.
  4. Search for the tokenValidityFilter bean and change the value of its checkSSOCookie property from true to false:

    <beans:bean id="tokenValidityFilter" class="com.hp.csa.security.TokenValidityFilter">
        <beans:property name="checkSSOCookie" value="false"/>
    </beans:bean>
  5. Save and exit the file.

Configure the Identity Management component

To disable HP SSO for the Cloud Service Management Console and the Marketplace Portal, complete the following steps:

  1. Navigate to the CSA_HOME/jboss-as/standalone/deployments/idm-service.war/WEB-INF directory.
  2. Make a backup copy of the web.xml file.
  3. Open the web.xml file in a text editor, locate the comment START HP SSO Configuration and comment out the following content:

       <listener>
           <listener-class>com.hp.ccue.identity.hpssoImpl.HpSsoContextListener</listener-class>
       </listener>
       <context-param>
           <param-name>com.hp.sw.bto.ast.security.lwsso.conf.fileLocation</param-name>
           <param-value><CSA_HOME>/jboss-as/standalone/deployments/idm-service.war/WEB-INF/hpssoConfig.xml</param-value>
       </context-param>
  4. Save and exit the file.
  5. Navigate to the CSA_HOME/jboss-as/standalone/deployments/idm-service.war/WEB-INF/spring directory.
  6. Make a backup copy of the applicationContext-v0.xml file.
  7. Open the applicationContext-v0.xml file in a text editor.
  8. Locate the comment START HP SSO Configuration and comment out the following line:

    <property name="tokenWriter" ref="hpssoTokenWriter"/>

  9. Save and exit the file.
  10. Make a backup copy of the applicationContext-security.xml file in the same directory.

  11. Open the applicationContext-security.xml file in a text editor.
  12. Locate the comment START HP SSO ONLY Configuration and comment out the following content:

    Note If CAC, SAML or SiteMinder is configured, the security tags listed below should already be commented out. Do not wrap them in a second comment: XML comments cannot be nested, and a nested comment leaves the file unparseable, so the idm-service application fails to start.

        <security:http auto-config="false" pattern="/idm/v0/login" use-expressions="true">
            <security:csrf disabled="true"/>
            <security:custom-filter position="FIRST" ref="requestTokenCompositeFilter"/>
            <security:custom-filter before="PRE_AUTH_FILTER" ref="hpssoProvidedFilter"/>
            <security:custom-filter after="PRE_AUTH_FILTER" ref="hpssoIntegrationFilter"/>
            <security:custom-filter before="FORM_LOGIN_FILTER" ref="noPromptFilter"/>
            <security:http-basic/>
        </security:http>

        <security:http auto-config="false" pattern="/idm/v0/logout" use-expressions="true">
            <security:csrf disabled="true"/>
            <security:custom-filter position="FIRST" ref="requestTokenCompositeFilter"/>
            <security:custom-filter before="PRE_AUTH_FILTER" ref="hpssoProvidedFilter"/>
            <security:custom-filter after="PRE_AUTH_FILTER" ref="hpssoIntegrationFilter"/>
            <security:http-basic/>
        </security:http>

        <bean class="com.hp.ccue.identity.filter.hpsso.HpSsoFilter" id="hpssoIntegrationFilter">
            <property name="generateTokenUtil" ref="generateTokenUtil"/>
            <property name="tokenFactory" ref="tokenFactory"/>
            <property name="tenantFactory" ref="tenantFactory"/>
            <property name="loginRedirectionHandler" ref="loginRedirectionHandler"/>
            <property name="securityContextConverter" ref="securityContextConverter"/>
            <property name="tokenWriter" ref="hpssoTokenWriter"/>
            <property name="tokenService" ref="tokenService"/>
        </bean>

        <bean class="com.hp.ccue.identity.filter.hpsso.HpSsoFilter" id="hpssoVerifyWithoutRedirectFilter">
            <property name="generateTokenUtil" ref="generateTokenUtil"/>
            <property name="tokenFactory" ref="tokenFactory"/>
            <property name="tenantFactory" ref="tenantFactory"/>
            <property name="redirectOnSuccess" value="false"/>
            <property name="securityContextConverter" ref="securityContextConverter"/>
            <property name="tokenWriter" ref="hpssoTokenWriter"/>
            <property name="tokenService" ref="tokenService"/>
        </bean>

        <bean class="com.hp.ccue.identity.hpsso.SecurityContextConverter" id="securityContextConverter">
            <property name="tokenFactory" ref="tokenFactory"/>
            <property name="tenantFactory" ref="tenantFactory"/>
            <property name="provider" ref="multiTenantAuthProvider"/>
            <property name="userFactory" ref="userFactory"/>
            <property name="userService" ref="userService"/>
            <property name="authenticationFactory" ref="authnFactory"/>
            <property name="orgService" ref="organizationService"/>
        </bean>

        <bean class="com.hp.ccue.identity.hpsso.HpSsoCookieTokenWriter" id="hpssoTokenWriter">
            <property name="tokenStore" ref="tokenStore"/>
            <property name="tokenService" ref="tokenService"/>
            <property name="tokenFactory" ref="tokenFactory"/>
            <property name="userService" ref="userService"/>
        </bean>
  13. If SAML is configured or you are about to configure it without HP SSO, do the following:

    1. Locate the comment START SAML Web SSO with HP SSO and verify that the following content is commented out. If not, comment it out:

          <security:http pattern="/idm/v0/login" use-expressions="true" auto-config="false">
              <security:csrf disabled="true" />
              <security:custom-filter ref="requestTokenCompositeFilter" position="FIRST" />
              <security:custom-filter ref="hpssoProvidedFilter" before="PRE_AUTH_FILTER" />
              <security:custom-filter ref="hpssoIntegrationFilter" after="PRE_AUTH_FILTER" />
              <security:custom-filter ref="samlSsoFilter" before="CAS_FILTER" />
              <security:custom-filter ref="noPromptFilter" before="FORM_LOGIN_FILTER" />
              <security:http-basic />
          </security:http>

          <security:http pattern="/idm/v0/logout" use-expressions="true" auto-config="false">
              <security:csrf disabled="true" />
              <security:custom-filter ref="requestTokenCompositeFilter" position="FIRST" />
              <security:custom-filter ref="hpssoProvidedFilter" before="PRE_AUTH_FILTER" />
              <security:custom-filter ref="hpssoIntegrationFilter" after="PRE_AUTH_FILTER" />
              <security:custom-filter ref="samlSsoFilter" before="CAS_FILTER" />
              <security:custom-filter ref="noPromptFilter" before="FORM_LOGIN_FILTER" />
              <security:http-basic />
          </security:http>
    2. Locate the comment START SAML Web SSO without HP SSO and uncomment the following content:

          <security:http pattern="/idm/v0/login" use-expressions="true" auto-config="false">
              <security:http-basic />
              <security:csrf disabled="true" />
              <security:custom-filter ref="requestTokenCompositeFilter" position="FIRST"/>
              <security:custom-filter position="PRE_AUTH_FILTER" ref="samlSsoFilter" />
              <security:custom-filter ref="noPromptFilter" before="FORM_LOGIN_FILTER" />
          </security:http>

          <security:http pattern="/idm/v0/logout" use-expressions="true" auto-config="false">
              <security:csrf disabled="true" />
              <security:custom-filter ref="requestTokenCompositeFilter" position="FIRST" />
              <security:custom-filter ref="samlSsoFilter" before="CAS_FILTER" />
              <security:custom-filter ref="noPromptFilter" before="FORM_LOGIN_FILTER" />
              <security:http-basic />
          </security:http>
  14. If CAC is configured or you are about to configure it without HP SSO, do the following:

    1. Locate the comment START Certificate Authentication with subjectAlternativeName (with HP SSO) and verify that the following content is commented out. If not, comment it out:

          <security:http pattern="/idm/v0/login" use-expressions="true" auto-config="false">
              <security:http-basic />
              <security:csrf disabled="true" />
              <security:custom-filter ref="hpssoProvidedFilter" before="PRE_AUTH_FILTER" />
              <security:custom-filter ref="hpssoIntegrationFilter" after="PRE_AUTH_FILTER" />
              <security:custom-filter ref="requestTokenCompositeFilter" position="FIRST"/>
              <security:custom-filter position="X509_FILTER" ref="cacX509AuthenticationFilter" />
              <security:custom-filter ref="cacFilter" before="LAST" />
              <security:custom-filter ref="noPromptFilter" position="LAST" />
          </security:http>

          <bean id="cacFilter" class="com.hp.ccue.identity.filter.certificate.CertificateFilter">
              <property name="generateTokenUtil" ref="generateTokenUtil" />
              <property name="tokenFactory" ref="tokenFactory" />
              <property name="tokenWriter" ref="hpssoTokenWriter" />
              <property name="loginRedirectionHandler" ref="loginRedirectionHandler" />
              <property name="authenticationFactory" ref="authnFactory" />
              <property name="persistenceService" ref="persistenceService"/>
              <property name="rolesPopulator" ref="csaRolesPopulator"/>
              <property name="userAndRepFactory" ref="ldapUserAndRepFactory"/>
              <property name="tenantFactory" ref="tenantFactory"/>
              <property name="defaultTenantOrganization" value="${idm.cac.default_tenant_org}" />
          </bean>
    2. Locate the comment START Certificate Authentication with subjectAlternativeName (without HP SSO) and uncomment the following content:

          <security:http pattern="/idm/v0/login" use-expressions="true" auto-config="false">
              <security:http-basic />
              <security:custom-filter ref="requestTokenCompositeFilter" position="FIRST"/>
              <security:custom-filter position="LAST" ref="cacFilter" />
              <security:custom-filter position="X509_FILTER" ref="cacX509AuthenticationFilter" />
          </security:http>

          <bean id="cacFilter" class="com.hp.ccue.identity.filter.certificate.CertificateFilter">
              <property name="generateTokenUtil" ref="generateTokenUtil" />
              <property name="tokenFactory" ref="tokenFactory" />
              <property name="loginRedirectionHandler" ref="loginRedirectionHandler" />
              <property name="authenticationFactory" ref="authnFactory" />
              <property name="persistenceService" ref="persistenceService"/>
              <property name="rolesPopulator" ref="csaRolesPopulator"/>
              <property name="userAndRepFactory" ref="ldapUserAndRepFactory"/>
              <property name="tenantFactory" ref="tenantFactory"/>
              <property name="defaultTenantOrganization" value="${idm.cac.default_tenant_org}" />
          </bean>
  15. If SiteMinder is configured or you are about to configure it without HP SSO, do the following:

    1. Locate the comment START SiteMinder SSO (with HP SSO) and verify that the following content is commented out. If not, comment it out:

          <security:http pattern="/idm/v0/login" use-expressions="true" auto-config="false">
              <security:http-basic />
              <security:csrf disabled="true" />
              <security:custom-filter ref="requestTokenCompositeFilter" position="FIRST" />
              <security:custom-filter ref="hpssoProvidedFilter" before="PRE_AUTH_FILTER" />
              <security:custom-filter ref="hpssoIntegrationFilter" after="PRE_AUTH_FILTER" />
              <security:custom-filter ref="ssoHeaderFilter" before="CAS_FILTER" />
              <security:custom-filter ref="ssoFilter" before="LAST" />
              <security:custom-filter ref="noPromptFilter" position="LAST" />
          </security:http>

          <bean id="ssoFilter" class="com.hp.ccue.identity.filter.sso.SSOFilter">
              <property name="generateTokenUtil" ref="generateTokenUtil" />
              <property name="tokenFactory" ref="tokenFactory" />
              <property name="loginRedirectionHandler" ref="loginRedirectionHandler" />
              <property name="tokenWriter" ref="hpssoTokenWriter" />
              <property name="userAndRepFactory" ref="siteMinderUserAndRepFactory" />
              <property name="groupMembershipHeader" value="${idm.sso.group_membership_header}"/>
              <property name="groupMembershipDelimiter" value="${idm.sso.group_membership_delimiter}"/>
              <property name="defaultTenantOrganization" value="${idm.sso.default_tenant_org}" />
              <property name="enableDefaultOrg" value="${idm.sso.enable_default_org}" />
              <property name="headerMetadataMap" ref="customHeaderMapping"/>
          </bean>

          <util:map id="customHeaderMapping" map-class="java.util.HashMap">
              <entry key="header1" value="metadataName1" />
              <entry key="header2" value="metadataName2" />
          </util:map>
    2. Locate the comment START SiteMinder SSO (without HP SSO) and uncomment the following content:

          <security:http pattern="/idm/v0/login" use-expressions="true" auto-config="false">
              <security:http-basic />
              <security:csrf disabled="true" />
              <security:custom-filter ref="requestTokenCompositeFilter" position="FIRST" />
              <security:custom-filter ref="ssoHeaderFilter" position="PRE_AUTH_FILTER" />
              <security:custom-filter ref="ssoFilter" before="LAST" />
              <security:custom-filter ref="noPromptFilter" position="LAST" />
          </security:http>

          <bean id="ssoFilter" class="com.hp.ccue.identity.filter.sso.SSOFilter">
              <property name="generateTokenUtil" ref="generateTokenUtil" />
              <property name="tokenFactory" ref="tokenFactory" />
              <property name="loginRedirectionHandler" ref="loginRedirectionHandler" />
              <property name="userAndRepFactory" ref="siteMinderUserAndRepFactory" />
          </bean>
  16. Save and exit the file.
  17. Restart CSA. See Restart CSA for instructions.
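The two tasks above touch four XML files by hand, and a single slip (a bean left uncommented, a comment nested inside an existing one) either leaves HP SSO partly active or stops idm-service from deploying after the restart. The following pre-restart audit is an added example, not code from CSA or its documentation: it takes the text of the edited files and reports anything still live. Commented-out XML is invisible to the parser, so whatever the parser still sees is active configuration, and a nested comment (forbidden by the XML specification) surfaces as a ParseError here rather than as a failed restart. The file labels used in audit() and the sample file contents are constructed for this example; only the bean, property, listener and filter names come from the procedure above.

```python
"""Pre-restart audit for the HP SSO disable procedure (added example)."""
import xml.etree.ElementTree as ET

HPSSO_LISTENER = "com.hp.ccue.identity.hpssoImpl.HpSsoContextListener"
# Spring refs that only exist while HP SSO is wired in.
HPSSO_REFS = {"hpssoProvidedFilter", "hpssoIntegrationFilter", "hpssoTokenWriter"}


def _local(tag):
    """Strip the namespace so 'bean' matches both <bean> and <beans:bean>."""
    return tag.rsplit("}", 1)[-1]


def check_sso_cookie_value(csa_security_xml):
    """Value of checkSSOCookie on the tokenValidityFilter bean, or None if absent."""
    for el in ET.fromstring(csa_security_xml).iter():
        if _local(el.tag) == "bean" and el.get("id") == "tokenValidityFilter":
            for prop in el:
                if _local(prop.tag) == "property" and prop.get("name") == "checkSSOCookie":
                    return prop.get("value")
    return None


def hpsso_listener_active(web_xml):
    """True if HpSsoContextListener is still an uncommented <listener-class>."""
    return any(_local(el.tag) == "listener-class"
               and (el.text or "").strip() == HPSSO_LISTENER
               for el in ET.fromstring(web_xml).iter())


def live_hpsso_refs(spring_xml):
    """ref= values pointing at HP SSO filters or the HP SSO token writer that the
    parser still sees, i.e. that were not commented out."""
    return {el.get("ref") for el in ET.fromstring(spring_xml).iter()
            if el.get("ref") in HPSSO_REFS}


def audit(files):
    """files: {label: file text}. Returns a list of findings; an empty list means
    every file is well-formed and no HP SSO configuration is still active."""
    findings = []
    for name, text in files.items():
        try:
            if name.endswith("csa/applicationContext-security.xml"):
                if check_sso_cookie_value(text) != "false":
                    findings.append(f"{name}: checkSSOCookie is not false")
            elif name.endswith("web.xml"):
                if hpsso_listener_active(text):
                    findings.append(f"{name}: HpSsoContextListener still active")
            else:  # applicationContext-v0.xml and the IdM applicationContext-security.xml
                refs = live_hpsso_refs(text)
                if refs:
                    findings.append(f"{name}: live HP SSO refs {sorted(refs)}")
        except ET.ParseError as exc:
            findings.append(f"{name}: not well-formed XML ({exc})")
    return findings


# Constructed samples that mimic the shape of the real files (not the real files).
CSA_SECURITY_ON = """<beans:beans xmlns:beans="http://www.springframework.org/schema/beans">
  <beans:bean id="tokenValidityFilter" class="com.hp.csa.security.TokenValidityFilter">
    <beans:property name="checkSSOCookie" value="true"/>
  </beans:bean>
</beans:beans>"""
CSA_SECURITY_OFF = CSA_SECURITY_ON.replace('value="true"', 'value="false"')

WEB_XML_ON = """<web-app>
  <!-- START HP SSO Configuration -->
  <listener>
    <listener-class>com.hp.ccue.identity.hpssoImpl.HpSsoContextListener</listener-class>
  </listener>
</web-app>"""
WEB_XML_OFF = WEB_XML_ON.replace("<listener>", "<!-- <listener>").replace("</listener>", "</listener> -->")

IDM_SECURITY_ON = """<beans xmlns="http://www.springframework.org/schema/beans"
       xmlns:security="http://www.springframework.org/schema/security">
  <!-- START HP SSO ONLY Configuration -->
  <security:http pattern="/idm/v0/login" use-expressions="true" auto-config="false">
    <security:custom-filter before="PRE_AUTH_FILTER" ref="hpssoProvidedFilter"/>
    <security:custom-filter after="PRE_AUTH_FILTER" ref="hpssoIntegrationFilter"/>
  </security:http>
  <bean class="com.hp.ccue.identity.filter.hpsso.HpSsoFilter" id="hpssoIntegrationFilter">
    <property name="tokenWriter" ref="hpssoTokenWriter"/>
  </bean>
</beans>"""
IDM_SECURITY_OFF = IDM_SECURITY_ON.replace("<security:http", "<!-- <security:http").replace("</bean>", "</bean> -->")
# The common mistake: wrapping the region together with the marker comment that
# precedes it, which nests one comment inside another.
IDM_SECURITY_NESTED = IDM_SECURITY_ON.replace("<!-- START", "<!--\n  <!-- START").replace("</beans>", "-->\n</beans>")

if __name__ == "__main__":
    print(audit({"csa/applicationContext-security.xml": CSA_SECURITY_OFF,
                 "idm/web.xml": WEB_XML_OFF,
                 "idm/spring/applicationContext-security.xml": IDM_SECURITY_NESTED}))
```

To use it against a real installation, read the four files from CSA_HOME into the dictionary passed to audit() and run it before step 17; restart only when the list comes back empty.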

Workflow Designer Configuration - SSO

    1. Open the CSA_HOME/jboss-as/standalone/deployments/idm-service.war/WEB-INF/hpssoConfig.xml file on the first CSA node in a text editor and locate the initString value in the crypto element.

      Example:

      <crypto initString="2kDcHB0eOHrHcAGeArIPr7TNfuivOpKqjj29SwKOQIoI" cipherType="symmetricBlockCipher" engineName="AES"
      paddingMode="CBC" keySize="256" encodingMode="Base64Url" algorithmPaddingName="PKCS7Padding" checkIntegrity="disabled"
      cryptoSource="lw" directKeyEncoded="false" directKeyEncoding="Hex" jcePbeAlgorithmName="PBEWithHmacSHA1"
      jcePbeMacAlgorithmName="PBEWithHmacSHA1" macAlgorithmName="SHA1" macKeySize="256" macPbeCount="20" macType="hmac"
      pbeCount="20" pbeDigestAlgorithm="SHA1"/>

      If not already done, copy this initString to CSA_HOME/jboss-as/standalone/deployments/idm-service.war/WEB-INF/hpssoConfig.xml on all other CSA nodes. The initString is the shared secret from which the LWSSO cookie encryption key is derived: every application in the SSO domain must use the same value, and anyone who obtains it can produce SSO cookies that CSA accepts. Do not reuse the example value shown above, and restrict read access to hpssoConfig.xml on every node.

      Create an encrypted version of the initString with the encrypt_password script. When prompted for a password, provide the initString to the script:

      sh# cd $CSA_HOME/workflow-designer/designer/bin
      sh# ./encrypt_password
      Password (typing will be hidden):
      Confirm password (typing will be hidden):
      {ENCRYPTED}xxts33/07Dtyz0iZ3eOQhzFVuqXvZ7KK6wDNm1A4E5+byAxlDZ+lHzwNRPvLgqXf
      sh#
    2. Edit the file CSA_HOME/workflow-designer/designer/var/securitysecured.properties on every CSA node.

    3. Add or edit the lwsso.initString property with the encrypted initString produced by the encrypt_password script:

      #This is for limit the size of single CP upload, default 200MB
      upload.max.fileSize.limit = 209715200
      #This is for limit the number of parallel CP creation
      max.parallel.cp.creation = 30
      #This is for limit the number of parallel CP upload
      max.parallel.cp.upload = 50
      is.secured.cookie = true
      lwsso.initString = {ENCRYPTED}xxts33/07Dtyz0iZ3eOQhzFVuqXvZ7KK6wDNm1A4E5+byAxlDZ+lHzwNRPvLgqXf
    4. Edit the file CSA_HOME/workflow-designer/designer/tomcat/conf/server.xml on every CSA node. Locate the Engine element and add a jvmRoute attribute with a unique node name for every workflow-designer node:

      Engine element in server.xml file:
      <Engine defaultHost="localhost" name="Catalina">
       
      On first node change to:
      <Engine defaultHost="localhost" name="Catalina" jvmRoute="ood1">
       
      On second node change to:
      <Engine defaultHost="localhost" name="Catalina" jvmRoute="ood2">
      ...
    5. Restart workflow-designer on every node using command: CSA_HOME/workflow-designer/designer/bin/designer restart
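Steps 1 to 4 establish three cluster-wide invariants that nothing checks for you: the same initString in hpssoConfig.xml on every node, an lwsso.initString in securitysecured.properties that is stored in {ENCRYPTED} form rather than in the clear, and a jvmRoute that no other node reuses. The following check is an added example, not code from CSA or its documentation. It works on the text of those three files per node, collected however you like (no remote access is done here), and returns the findings. The root element used in the hpssoConfig.xml sample and the node/file labels are assumptions made for this example; only the crypto element, the property name and the Engine element follow the procedure above.

```python
"""Cluster consistency check for the Workflow Designer SSO settings (added example)."""
import xml.etree.ElementTree as ET


def _local(tag):
    """Strip the namespace from an element tag."""
    return tag.rsplit("}", 1)[-1]


def init_string(hpsso_config_xml):
    """initString attribute of the crypto element, or None."""
    for el in ET.fromstring(hpsso_config_xml).iter():
        if _local(el.tag) == "crypto":
            return el.get("initString")
    return None


def jvm_route(server_xml):
    """jvmRoute attribute of the Tomcat Engine element, or None if not set."""
    for el in ET.fromstring(server_xml).iter():
        if _local(el.tag) == "Engine":
            return el.get("jvmRoute")
    return None


def property_value(properties_text, key):
    """Value of `key` in a Java .properties file (last occurrence wins), or None."""
    value = None
    for line in properties_text.splitlines():
        line = line.strip()
        if not line or line.startswith(("#", "!")) or "=" not in line:
            continue
        k, v = line.split("=", 1)
        if k.strip() == key:
            value = v.strip()
    return value


def check_cluster(nodes):
    """nodes: {node name: {"hpssoConfig": xml, "properties": text, "serverXml": xml}}.
    Returns a list of findings; an empty list means the cluster is consistent."""
    findings = []
    init_strings = {name: init_string(f["hpssoConfig"]) for name, f in nodes.items()}
    if None in init_strings.values() or len(set(init_strings.values())) != 1:
        findings.append("initString missing or not identical across nodes: "
                        + ", ".join(f"{n}={'set' if v else 'missing'}" for n, v in init_strings.items()))
    routes = {name: jvm_route(f["serverXml"]) for name, f in nodes.items()}
    if None in routes.values():
        findings.append(f"jvmRoute missing on: {[n for n, r in routes.items() if r is None]}")
    elif len(set(routes.values())) != len(routes):
        findings.append(f"jvmRoute values are not unique: {routes}")
    for name, f in nodes.items():
        value = property_value(f["properties"], "lwsso.initString")
        if value is None:
            findings.append(f"{name}: lwsso.initString is not set")
        elif not value.startswith("{ENCRYPTED}"):
            findings.append(f"{name}: lwsso.initString is stored in clear text")
    return findings


# Constructed sample files; the root element of hpssoConfig.xml is assumed.
def _hpsso_config(init):
    return f'<hpsso-config><crypto initString="{init}" cipherType="symmetricBlockCipher" engineName="AES"/></hpsso-config>'


def _server_xml(route):
    attr = f' jvmRoute="{route}"' if route else ""
    return f'<Server><Service name="Catalina"><Engine defaultHost="localhost" name="Catalina"{attr}/></Service></Server>'


def _properties(value):
    return "is.secured.cookie = true\n" + (f"lwsso.initString = {value}\n" if value else "")


GOOD = {
    "node1": {"hpssoConfig": _hpsso_config("A1b2"), "properties": _properties("{ENCRYPTED}abc"), "serverXml": _server_xml("ood1")},
    "node2": {"hpssoConfig": _hpsso_config("A1b2"), "properties": _properties("{ENCRYPTED}abc"), "serverXml": _server_xml("ood2")},
}
BAD = {  # initString differs, clear-text and missing property, duplicate jvmRoute
    "node1": {"hpssoConfig": _hpsso_config("A1b2"), "properties": _properties("A1b2"), "serverXml": _server_xml("ood1")},
    "node2": {"hpssoConfig": _hpsso_config("ZZZZ"), "properties": _properties(None), "serverXml": _server_xml("ood1")},
}

if __name__ == "__main__":
    print(check_cluster(GOOD))
    print(check_cluster(BAD))
```

The initString values themselves are never included in the findings, so the output can be pasted into a ticket without leaking the SSO secret; only whether each node has one, and whether they agree, is reported.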