
Integrate with HP Single Sign-On

HP Single Sign-On (HP SSO) is included with CSA and can be used when launching an application from the Cloud Service Management Console or Marketplace Portal. HP SSO must be installed and configured on the application before single sign-on can be integrated between it and CSA.

This guide provides details about how to integrate HP SSO between the Cloud Service Management Console and the following:

This guide also provides details about how to integrate HP SSO between the Marketplace Portal and HPE IT Business Analytics; see Configure the Showback Report Menu.

You must configure a user (with the same name) in both CSA and the other application for single sign-on. You can also configure LDAP users for single sign-on. To enable single sign-on for LDAP users, you must either configure CSA and the application to use the same LDAP source or, if CSA and the application use different LDAP sources, configure the same users in both sources. In either case, the CSA user must be assigned to the appropriate role to access the tiles that launch the application, and the application user must be assigned a role that allows it to perform the expected functions in the application (for example, viewing flows or viewing reports).

Important: HP SSO is enabled by default for the Cloud Service Management Console and the Marketplace Portal.

HP Single Sign-On can be disabled. However, you cannot disable HP SSO only for CSA or only for Marketplace Portal. HP SSO can only be disabled for all applications, or not at all. See the next section Disable HP Single Sign-On (HPSSO) for details.

Disable HP Single Sign-On (HPSSO)

If you intend to disable HP Single Sign-On for all applications, you must complete the following two tasks:

Caution: If you disable HP SSO, seamless login (without a password prompt) between Marketplace Portal, CSA, OO, HPE IT Business Analytics, and any other application with LWSSO/HPSSO support will no longer work.

Configure the Cloud Service Management Console

To disable validation of the HP SSO token in the Cloud Service Management Console, complete the following steps:

  1. Navigate to the PERSISTENT_VOLUME_PATH/jboss-as/standalone/deployments/csa.war/WEB-INF directory.
  2. Make a backup copy of the applicationContext-security.xml file.
  3. Open the applicationContext-security.xml file in a text editor.
  4. Search for checkSSOCookie, a property of the tokenValidityFilter bean, and change its value from true to false.

    <beans:bean id="tokenValidityFilter" class="com.hp.csa.security.TokenValidityFilter">
        <beans:property name="checkSSOCookie" value="false"/>
    </beans:bean>
  5. Save and exit the file.

Configure the Identity Management component

To disable HP SSO for the Cloud Service Management Console and the Marketplace Portal, complete the following steps:

  1. Navigate to the PERSISTENT_VOLUME_PATH/jboss-as/standalone/deployments/idm-service.war/WEB-INF directory.
  2. Make a backup copy of the web.xml file.
  3. Locate the comment START HP SSO Configuration and comment out the following content:

    <listener>
        <listener-class>com.hp.ccue.identity.hpssoImpl.HpSsoContextListener</listener-class>
    </listener>
    <context-param>
        <param-name>com.hp.sw.bto.ast.security.lwsso.conf.fileLocation</param-name>
        <param-value><PERSISTENT_VOLUME_PATH>/jboss-as/standalone/deployments/idm-service.war/WEB-INF/hpssoConfig.xml</param-value>
    </context-param>
  4. Save and exit the file.
  5. Navigate to the PERSISTENT_VOLUME_PATH/jboss-as/standalone/deployments/idm-service.war/WEB-INF/spring directory.
  6. Make a backup copy of the applicationContext-v0.xml file.
  7. Open the applicationContext-v0.xml file in a text editor.
  8. Locate the comment START HP SSO Configuration and comment out the following line:

    <property name="tokenWriter" ref="hpssoTokenWriter"/>

  9. Save and exit the file.
  10. Make a backup copy of the applicationContext-security.xml file in the same directory.

  11. Open the applicationContext-security.xml file in a text editor.
  12. Locate the comment START HP SSO ONLY Configuration and comment out the following content:

    Note: If CAC or SAML is configured, the security tags listed below should already be commented out.

    <security:http auto-config="false" pattern="/idm/v0/login" use-expressions="true">
        <security:csrf disabled="true"/>
        <security:custom-filter position="FIRST" ref="requestTokenCompositeFilter"/>
        <security:custom-filter before="PRE_AUTH_FILTER" ref="hpssoProvidedFilter"/>
        <security:custom-filter after="PRE_AUTH_FILTER" ref="hpssoIntegrationFilter"/>
        <security:custom-filter before="FORM_LOGIN_FILTER" ref="noPromptFilter"/>
        <security:http-basic/>
    </security:http>

    <security:http auto-config="false" pattern="/idm/v0/logout" use-expressions="true">
        <security:csrf disabled="true"/>
        <security:custom-filter position="FIRST" ref="requestTokenCompositeFilter"/>
        <security:custom-filter before="PRE_AUTH_FILTER" ref="hpssoProvidedFilter"/>
        <security:custom-filter after="PRE_AUTH_FILTER" ref="hpssoIntegrationFilter"/>
        <security:http-basic/>
    </security:http>

    <bean class="com.hp.ccue.identity.filter.hpsso.HpSsoFilter" id="hpssoIntegrationFilter">
        <property name="generateTokenUtil" ref="generateTokenUtil"/>
        <property name="tokenFactory" ref="tokenFactory"/>
        <property name="tenantFactory" ref="tenantFactory"/>
        <property name="loginRedirectionHandler" ref="loginRedirectionHandler"/>
        <property name="securityContextConverter" ref="securityContextConverter"/>
        <property name="tokenWriter" ref="hpssoTokenWriter"/>
        <property name="tokenService" ref="tokenService"/>
    </bean>

    <bean class="com.hp.ccue.identity.filter.hpsso.HpSsoFilter" id="hpssoVerifyWithoutRedirectFilter">
        <property name="generateTokenUtil" ref="generateTokenUtil"/>
        <property name="tokenFactory" ref="tokenFactory"/>
        <property name="tenantFactory" ref="tenantFactory"/>
        <property name="redirectOnSuccess" value="false"/>
        <property name="securityContextConverter" ref="securityContextConverter"/>
        <property name="tokenWriter" ref="hpssoTokenWriter"/>
        <property name="tokenService" ref="tokenService"/>
    </bean>

    <bean class="com.hp.ccue.identity.hpsso.SecurityContextConverter" id="securityContextConverter">
        <property name="tokenFactory" ref="tokenFactory"/>
        <property name="tenantFactory" ref="tenantFactory"/>
        <property name="provider" ref="multiTenantAuthProvider"/>
        <property name="userFactory" ref="userFactory"/>
        <property name="userService" ref="userService"/>
        <property name="authenticationFactory" ref="authnFactory"/>
        <property name="orgService" ref="organizationService"/>
    </bean>

    <bean class="com.hp.ccue.identity.hpsso.HpSsoCookieTokenWriter" id="hpssoTokenWriter">
        <property name="tokenStore" ref="tokenStore"/>
        <property name="tokenService" ref="tokenService"/>
        <property name="tokenFactory" ref="tokenFactory"/>
        <property name="userService" ref="userService"/>
    </bean>
  13. If SAML is configured or you are about to configure it without HP SSO, do the following:

    1. Locate the comment START SAML Web SSO with HP SSO and verify that the following content is commented out. If not, comment it out:

      <security:http pattern="/idm/v0/login" use-expressions="true" auto-config="false">
          <security:csrf disabled="true" />
          <security:custom-filter ref="requestTokenCompositeFilter" position="FIRST" />
          <security:custom-filter ref="hpssoProvidedFilter" before="PRE_AUTH_FILTER" />
          <security:custom-filter ref="hpssoIntegrationFilter" after="PRE_AUTH_FILTER" />
          <security:custom-filter ref="samlSsoFilter" before="CAS_FILTER" />
          <security:custom-filter ref="noPromptFilter" before="FORM_LOGIN_FILTER" />
          <security:http-basic />
      </security:http>

      <security:http pattern="/idm/v0/logout" use-expressions="true" auto-config="false">
          <security:csrf disabled="true" />
          <security:custom-filter ref="requestTokenCompositeFilter" position="FIRST" />
          <security:custom-filter ref="hpssoProvidedFilter" before="PRE_AUTH_FILTER" />
          <security:custom-filter ref="hpssoIntegrationFilter" after="PRE_AUTH_FILTER" />
          <security:custom-filter ref="samlSsoFilter" before="CAS_FILTER" />
          <security:custom-filter ref="noPromptFilter" before="FORM_LOGIN_FILTER" />
          <security:http-basic />
      </security:http>
    2. Locate the comment START SAML Web SSO without HP SSO and uncomment the following content:

      <security:http pattern="/idm/v0/login" use-expressions="true" auto-config="false">
          <security:http-basic />
          <security:csrf disabled="true" />
          <security:custom-filter ref="requestTokenCompositeFilter" position="FIRST"/>
          <security:custom-filter position="PRE_AUTH_FILTER" ref="samlSsoFilter" />
          <security:custom-filter ref="noPromptFilter" before="FORM_LOGIN_FILTER" />
      </security:http>

      <security:http pattern="/idm/v0/logout" use-expressions="true" auto-config="false">
          <security:csrf disabled="true" />
          <security:custom-filter ref="requestTokenCompositeFilter" position="FIRST" />
          <security:custom-filter ref="samlSsoFilter" before="CAS_FILTER" />
          <security:custom-filter ref="noPromptFilter" before="FORM_LOGIN_FILTER" />
          <security:http-basic />
      </security:http>
  14. If CAC is configured or you are about to configure it without HP SSO, do the following:

    1. Locate the comment START Certificate Authentication with subjectAlternativeName (with HP SSO) and verify that the following content is commented out. If not, comment it out:

      <security:http pattern="/idm/v0/login" use-expressions="true" auto-config="false">
          <security:http-basic />
          <security:csrf disabled="true" />
          <security:custom-filter ref="hpssoProvidedFilter" before="PRE_AUTH_FILTER" />
          <security:custom-filter ref="hpssoIntegrationFilter" after="PRE_AUTH_FILTER" />
          <security:custom-filter ref="requestTokenCompositeFilter" position="FIRST"/>
          <security:custom-filter position="X509_FILTER" ref="cacX509AuthenticationFilter" />
          <security:custom-filter ref="cacFilter" before="LAST" />
          <security:custom-filter ref="noPromptFilter" position="LAST" />
      </security:http>
      
      <bean id="cacFilter" class="com.hp.ccue.identity.filter.certificate.CertificateFilter">
          <property name="generateTokenUtil" ref="generateTokenUtil" />
          <property name="tokenFactory" ref="tokenFactory" />
          <property name="tokenWriter" ref="hpssoTokenWriter" />
          <property name="loginRedirectionHandler" ref="loginRedirectionHandler" />
          <property name="authenticationFactory" ref="authnFactory" />
          <property name="persistenceService" ref="persistenceService"/>
          <property name="rolesPopulator" ref="csaRolesPopulator"/>
          <property name="userAndRepFactory" ref="ldapUserAndRepFactory"/>
          <property name="tenantFactory" ref="tenantFactory"/>
          <property name="defaultTenantOrganization" value="${idm.cac.default_tenant_org}" />
      </bean>
    2. Locate the comment START Certificate Authentication with subjectAlternativeName (without HP SSO) and uncomment the following content:

      <security:http pattern="/idm/v0/login" use-expressions="true" auto-config="false">
          <security:http-basic />
          <security:custom-filter ref="requestTokenCompositeFilter" position="FIRST"/>
          <security:custom-filter position="LAST" ref="cacFilter" />
          <security:custom-filter position="X509_FILTER" ref="cacX509AuthenticationFilter" />
      </security:http>
      
      <bean id="cacFilter" class="com.hp.ccue.identity.filter.certificate.CertificateFilter">
          <property name="generateTokenUtil" ref="generateTokenUtil" />
          <property name="tokenFactory" ref="tokenFactory" />
          <property name="loginRedirectionHandler" ref="loginRedirectionHandler" />
          <property name="authenticationFactory" ref="authnFactory" />
          <property name="persistenceService" ref="persistenceService"/>
          <property name="rolesPopulator" ref="csaRolesPopulator"/>
          <property name="userAndRepFactory" ref="ldapUserAndRepFactory"/>
          <property name="tenantFactory" ref="tenantFactory"/>
          <property name="defaultTenantOrganization" value="${idm.cac.default_tenant_org}" />
      </bean>
  15. Save and exit the file.
  16. Restart the CSA pod. See Restart or redeploy individual deployments for instructions.
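
The check below is an added example, not part of the HP documentation or the CSA product: it parses an edited idm-service configuration file and lists any HP SSO bean definition, reference or web.xml value that is still active after the steps above. The bean ids come from the blocks shown on this page; the function names, the sample file content and the Spring namespace declarations are assumptions made for the illustration.

```python
import xml.etree.ElementTree as ET

# Bean ids from the blocks the procedure comments out (step 12), plus
# hpssoProvidedFilter, which those blocks reference.
HPSSO_IDS = {"hpssoProvidedFilter", "hpssoIntegrationFilter",
             "hpssoVerifyWithoutRedirectFilter", "hpssoTokenWriter"}

def local(tag):
    """Drop the '{namespace}' prefix ElementTree puts on qualified tag names."""
    return tag.rsplit("}", 1)[-1]

def active_hpsso(xml_text):
    """List HP SSO definitions, references and web.xml values still active.
    ElementTree discards comments while parsing, so anything that was
    commented out correctly never shows up here."""
    findings = []
    for el in ET.fromstring(xml_text).iter():
        if el.get("id") in HPSSO_IDS:
            findings.append(("definition", local(el.tag), el.get("id")))
        if el.get("ref") in HPSSO_IDS:
            findings.append(("reference", local(el.tag), el.get("ref")))
        text = (el.text or "").strip()
        if "hpsso" in text.lower() or "lwsso" in text.lower():
            findings.append(("value", local(el.tag), text))
    return findings

# Constructed sample: the HP SSO ONLY block is commented out, but the
# "with HP SSO" cacFilter bean was left active and still needs hpssoTokenWriter.
SAMPLE = """<beans xmlns="http://www.springframework.org/schema/beans"
       xmlns:security="http://www.springframework.org/schema/security">
  <!-- START HP SSO ONLY Configuration
  <security:http auto-config="false" pattern="/idm/v0/login" use-expressions="true">
    <security:custom-filter before="PRE_AUTH_FILTER" ref="hpssoProvidedFilter"/>
    <security:custom-filter after="PRE_AUTH_FILTER" ref="hpssoIntegrationFilter"/>
  </security:http>
  <bean class="com.hp.ccue.identity.hpsso.HpSsoCookieTokenWriter" id="hpssoTokenWriter"/>
  -->
  <bean id="cacFilter" class="com.hp.ccue.identity.filter.certificate.CertificateFilter">
    <property name="tokenFactory" ref="tokenFactory"/>
    <property name="tokenWriter" ref="hpssoTokenWriter"/>
  </bean>
</beans>"""

if __name__ == "__main__":
    for finding in active_hpsso(SAMPLE):
        print(finding)
```

A reference left active while its bean is commented out, as in the sample, is the case to catch before restarting the pod, because Spring cannot resolve a ref to a bean that is no longer defined.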