Set up Lightweight Single Sign-On (LW-SSO)

If Lightweight Single Sign-On (LW-SSO) is enabled on both the HPE Service Manager server and the Mobile Applications, Service Manager authentication is bypassed when you have already logged in to another web application that also has LW-SSO enabled. The detailed bypass criteria include both the protected domain/IP/DNS name and the initial LW-SSO string (initString).

Enable LW-SSO on the Service Manager server

For detailed information about how to enable LW-SSO on the Service Manager server, refer to the HPE Service Manager 9.50 Help Center.

Enable LW-SSO on the Mobile Applications client

To enable LW-SSO on the Mobile Applications client, follow these steps:

  1. Open webapp-9.50.xxxx.war in an archive management program.
  2. Extract the security.xml file from the WEB-INF/spring directory to your local system, and then open this file in a text editor.
  3. Locate the following commented-out filter definitions:

    <!-- <security:custom-filter ref="preAuthenticationFilter" after="SECURITY_CONTEXT_FILTER"/>
        <security:custom-filter ref="lwSsoFilter" before="BASIC_AUTH_FILTER"/>
        <security:custom-filter ref="springSecurity2lwssoIntegrationFilter" position="LAST"/> -->
    

    Uncomment the second and third lines as follows, leaving the first line commented out, to enable LW-SSO:

    <!-- <security:custom-filter ref="preAuthenticationFilter" after="SECURITY_CONTEXT_FILTER"/> -->
        <security:custom-filter ref="lwSsoFilter" before="BASIC_AUTH_FILTER"/>
        <security:custom-filter ref="springSecurity2lwssoIntegrationFilter" position="LAST"/>
    
  4. Save the file and add the updated file back to the WEB-INF/spring directory of the webapp-9.50.xxxx.war archive.
  5. Extract the lwssofmconf.xml file from the WEB-INF/classes directory to your local system, and then open this file in a text editor.
  6. Configure the parameters listed in the table after the file (enableLWSSOFramework, domain, and initString; shown in boldface in the original help page) as follows:

    <?xml version="1.0" encoding="UTF-8"?>
    <lwsso-config
        xmlns="http://www.hp.com/astsecurity/idmenablmentfw/lwsso/2.0">
        <enableLWSSO enableLWSSOFramework="true" enableCookieCreation="true"
            cookieCreationType="LWSSO" enableSAML2Support="false"/>
        <webui>
            <validation>
                <in-ui-lwsso>
                    <lwssoValidation id="ID000001">
                        <domain>example.com</domain>
                        <crypto cipherType="symmetricBlockCipher"
                            engineName="AES" paddingModeName="CBC" keySize="256"
                            encodingMode="Base64Url"
                            initString="Please put your string here"></crypto>
                    </lwssoValidation>
                </in-ui-lwsso>
            </validation>

            <creation>
                <lwssoCreationRef id="ID000002">
                    <lwssoValidationRef refid="ID000001"/>
                    <expirationPeriod>60</expirationPeriod>
                </lwssoCreationRef>
            </creation>

            <logoutURLs>
                <url>.*/std/logout</url>
                <url>.*/std/goodbye</url>
            </logoutURLs>

            <multiDomain>
                <trustedHosts>
                    <!-- <DNSDomain>companydomain1.com</DNSDomain>
                    <DNSDomain>companydomain2.com</DNSDomain>
                    <NetBiosName>myserver1</NetBiosName>
                    <NetBiosName>myserver2</NetBiosName>
                    <IP>192.168.12.13</IP>
                    <IP>192.168.12.14</IP>
                    <FQDN>myserver1.companydomain1.com</FQDN>
                    <FQDN>myserver2.companydomain2.com</FQDN> -->
                </trustedHosts>
            </multiDomain>
        </webui>
    </lwsso-config>
    
    Required parameters for Mobile Applications client LW-SSO configurations

    Parameter             Default value                  Description
    enableLWSSOFramework  false                          Change this value to true to enable the LW-SSO framework.
    domain                example.com                    Change example.com to the domain name of the server host where you deploy your Mobile Applications client.
    initString            Please put your string here    Enter your initial string. It must be the same as the initString value in the Service Manager LW-SSO configuration (minimum length: 12 characters), for example smintegrationlwsso.

    Note: From the <creation> section to the end of the lwssofmconf.xml file, the values are subject to change according to your actual deployment.

  7. Save the file and add the updated file back to the WEB-INF/classes directory of the webapp-9.50.xxxx.war archive.
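The following script is an added example, not HPE code and not part of the original procedure. It performs steps 1 to 7 on the WAR without an archive manager: it uncomments exactly the second and third filter lines in WEB-INF/spring/security.xml (the preAuthenticationFilter line stays commented out), sets enableLWSSOFramework, domain and initString in WEB-INF/classes/lwssofmconf.xml, refuses the placeholder values and an initString shorter than 12 characters, and then reads the repackaged files back to confirm the client initString equals the one configured on the Service Manager server. The two sample file contents, the in-memory WAR builder, the domain sm.corp.example and the initString smintegrationlwsso (the table's example value) are constructed for the demonstration; the file paths inside the WAR are the ones the procedure names.

```python
# Added example: apply steps 3 to 7 of the procedure to the WAR with a script
# and read the result back for a pre-deployment check. Constructed stubs, not HPE code.
import io
import re
import zipfile
import xml.etree.ElementTree as ET

SECURITY_XML = "WEB-INF/spring/security.xml"        # extracted in step 2
LWSSO_XML = "WEB-INF/classes/lwssofmconf.xml"       # extracted in step 5
LWSSO_NS = "http://www.hp.com/astsecurity/idmenablmentfw/lwsso/2.0"
NS = {"l": LWSSO_NS}

# Constructed stub of security.xml holding only the commented block from step 3.
SAMPLE_SECURITY = """    <!-- <security:custom-filter ref="preAuthenticationFilter" after="SECURITY_CONTEXT_FILTER"/>
        <security:custom-filter ref="lwSsoFilter" before="BASIC_AUTH_FILTER"/>
        <security:custom-filter ref="springSecurity2lwssoIntegrationFilter" position="LAST"/> -->
"""
# Constructed stub of lwssofmconf.xml with the defaults from the parameter table.
SAMPLE_LWSSO = """<?xml version="1.0" encoding="UTF-8"?>
<lwsso-config xmlns="http://www.hp.com/astsecurity/idmenablmentfw/lwsso/2.0">
    <enableLWSSO enableLWSSOFramework="false" enableCookieCreation="true" cookieCreationType="LWSSO" enableSAML2Support="false"/>
    <webui><validation><in-ui-lwsso><lwssoValidation id="ID000001">
        <domain>example.com</domain>
        <crypto cipherType="symmetricBlockCipher" engineName="AES" paddingModeName="CBC"
            keySize="256" encodingMode="Base64Url" initString="Please put your string here"></crypto>
    </lwssoValidation></in-ui-lwsso></validation>
    <multiDomain><trustedHosts><!-- <DNSDomain>companydomain1.com</DNSDomain> --></trustedHosts></multiDomain>
    </webui>
</lwsso-config>
"""
# Step 3: capture the three lines so that only the second and third are uncommented.
COMMENTED_BLOCK = re.compile(
    r'<!--\s*(<security:custom-filter ref="preAuthenticationFilter"[^>]*/>)\s*'
    r'(<security:custom-filter ref="lwSsoFilter"[^>]*/>)\s*'
    r'(<security:custom-filter ref="springSecurity2lwssoIntegrationFilter"[^>]*/>)\s*-->', re.S)

def enable_filters(security_xml: str) -> str:
    """security.xml with lwSsoFilter and the integration filter active."""
    new, n = COMMENTED_BLOCK.subn(r"<!-- \1 -->\n        \2\n        \3", security_xml)
    if n != 1:
        raise ValueError("commented LW-SSO filter block not found exactly once")
    return new

def filters_enabled(security_xml: str) -> bool:
    """True when both LW-SSO filters sit outside any XML comment."""
    live = re.sub(r"<!--.*?-->", "", security_xml, flags=re.S)
    return ('ref="lwSsoFilter"' in live and 'ref="springSecurity2lwssoIntegrationFilter"' in live
            and 'ref="preAuthenticationFilter"' not in live)

def configure_lwsso(config_xml: str, domain: str, init_string: str) -> str:
    """Step 6: set the three required parameters, refusing the placeholder values."""
    if len(init_string) < 12 or domain == "example.com":
        raise ValueError("initString needs 12+ characters and domain must not be the placeholder")
    # insert_comments keeps the commented trustedHosts examples in the output.
    root = ET.fromstring(config_xml, parser=ET.XMLParser(target=ET.TreeBuilder(insert_comments=True)))
    root.find("l:enableLWSSO", NS).set("enableLWSSOFramework", "true")
    validation = root.find("l:webui/l:validation/l:in-ui-lwsso/l:lwssoValidation", NS)
    validation.find("l:domain", NS).text = domain
    validation.find("l:crypto", NS).set("initString", init_string)
    ET.register_namespace("", LWSSO_NS)  # serialise with the default xmlns, no ns0: prefix
    return '<?xml version="1.0" encoding="UTF-8"?>\n' + ET.tostring(root, encoding="unicode")

def lwsso_settings(config_xml: str) -> dict:
    """Read the table's three parameters back out of a lwssofmconf.xml."""
    root = ET.fromstring(config_xml)
    validation = root.find("l:webui/l:validation/l:in-ui-lwsso/l:lwssoValidation", NS)
    return {"enabled": root.find("l:enableLWSSO", NS).get("enableLWSSOFramework") == "true",
            "domain": validation.findtext("l:domain", namespaces=NS),
            "initString": validation.find("l:crypto", NS).get("initString")}

def sso_ready(config_xml: str, server_init_string: str) -> bool:
    """The bypass only works when the client initString equals the SM server's value."""
    s = lwsso_settings(config_xml)
    return (s["enabled"] and s["domain"] != "example.com"
            and len(s["initString"]) >= 12 and s["initString"] == server_init_string)

def build_sample_war() -> bytes:
    # Constructed stand-in for webapp-9.50.xxxx.war holding only the two files.
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as z:
        z.writestr(SECURITY_XML, SAMPLE_SECURITY)
        z.writestr(LWSSO_XML, SAMPLE_LWSSO)
    return buf.getvalue()

def read_from_war(war_bytes: bytes, name: str) -> str:
    with zipfile.ZipFile(io.BytesIO(war_bytes)) as z:
        return z.read(name).decode("utf-8")

def patch_war(war_bytes: bytes, domain: str, init_string: str) -> bytes:
    """Steps 1 to 7 in one pass: rewrite the two files, copy every other entry unchanged."""
    out = io.BytesIO()
    with zipfile.ZipFile(io.BytesIO(war_bytes)) as src, zipfile.ZipFile(out, "w") as dst:
        for item in src.infolist():
            data = src.read(item.filename)
            if item.filename == SECURITY_XML:
                data = enable_filters(data.decode("utf-8")).encode("utf-8")
            elif item.filename == LWSSO_XML:
                data = configure_lwsso(data.decode("utf-8"), domain, init_string).encode("utf-8")
            dst.writestr(item, data)
    return out.getvalue()
```

For a real deployment, pass the bytes of webapp-9.50.xxxx.war to `patch_war` in place of `build_sample_war()`, write the returned bytes to a new WAR, and run `sso_ready` on the repackaged lwssofmconf.xml with the initString taken from the server-side LW-SSO configuration before deploying; a mismatch there is the usual reason the bypass does not take effect.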