Set up trusted sign-on (TSO)

Trusted sign-on (TSO) or Single sign-on is an optional Mobile Applications configuration that relies on a working SSL configuration, and integration with a trusted authentication source such as CA SiteMinder, IBM Webseal, and Integrated Windows Authentication. It also requires a web server to accept the pre-authenticated HTTP header information from your authentication source.

For more information, refer to Setting up Single Sign-on in Service Manager.

When you enable trusted sign-on (TSO), Mobile Applications will used the username of the user represented by the Principal to bypass the HPE Service Manager log-on screen, and then enter the application directly.

Enable TSO on the Service Manager server

In the sm.ini file, add the following parameter:

trustedsignon:1

For detailed information, refer to Setting up Single Sign-on in Service Manager.

Enable TSO on the Mobile Applications client

To enable TSO on the Mobile Applications client, follow these steps:

  1. Open webapp-9.52.xxxx.war in an archive management program.
  2. Extract the web.properties file from the WEB-INF directory to your local system, and then open this file in a text editor.
  3. Locate the isCustomAuthenticationUsed script and set the value to false:

    # Set false to enable Trusted Sign-on
    isCustomAuthenticationUsed=false
  4. Save the file and add the updated file back to the WEB-INF directory of the webapp-9.52.xxxx.war archive.
  5. Extract the security.xml file from the WEB-INF/spring directory to your local system, and then open this file in a text editor.
  6. Locate the following scripts:

    <!-- <security:custom-filter ref="preAuthenticationFilter" after="SECURITY_CONTEXT_FILTER"/>
        <security:custom-filter ref="lwSsoFilter" before="BASIC_AUTH_FILTER"/>
        <security:custom-filter ref="springSecurity2lwssoIntegrationFilter" position="LAST"/> -->
    

    Uncomment the first line as follows to enable TSO:

    <security:custom-filter ref="preAuthenticationFilter" after="SECURITY_CONTEXT_FILTER"/>
        <!--  <security:custom-filter ref="lwSsoFilter" before="BASIC_AUTH_FILTER"/>
        <security:custom-filter ref="springSecurity2lwssoIntegrationFilter" position="LAST"/> -->
    

    Or,

    For HTTP header pre-authentication, locate the following scripts and uncomment it:

    <!--<security:custom-filter ref="httpHeaderPreAuthenticationFilter" after="SECURITY_CONTEXT_FILTER"/>-->
  7. Locate the httpHeaderPreAuthenticationFilter bean definition, and then at least change the principalRequestHeader setting, corresponding to the Header your Identity Management solution uses. For Webseal, iv-user is used as the value of principalRequestHeader, Siteminder often uses sm_user or sm_universalid. Note that this setting is case sensitive.

  8. Save the file and add the updated file back to the WEB-INF/spring directory of the webapp-9.52.xxxx.war archive.
  9. Configure the deployment environment to support the mobile system to receive the customized user information for authentication.