You can use Windows Active Directory or LDAP for logon account password authentication.
Single sign-on (SSO) is a mechanism that lets a user access multiple applications with one authentication (logon). To realize single sign-on, an authentication server is required. The authentication server handles the various authentication methods, including Windows Active Directory/LDAP.
Wagby bundles the open source authentication server Central Authentication Service (CAS). When authentication through CAS is configured, accessing
http://<server name>:8921/wagby/
redirects the browser to
http://<server name>:8921/cas/login
Use the CAS logon screen shown below to authenticate.
Here, login authentication is performed with the user ID/password registered in Windows Active Directory/LDAP. After successful authentication, the browser is taken to the menu screen of the Wagby application.
Configure this under "Environment > Server".
On the Windows Active Directory server, you can use the dsquery command to check the DN of a user entry. For example, the DN of the user admin is obtained as follows (the second line is the command's output).
C:\Users\jasmine>dsquery user -name admin
"CN=admin,CN=Users,DC=jasminesoft,DC=co,DC=jp"
As an example of use within a company, we assume the following environment.
The settings are as follows.

| Setting | Value |
|---|---|
| LDAP server URL | ldap://A.B.com/ |
| DN of user information | %u@B.com |
| Search start entry for user information | (Blank) |
| Search range of user information | (Blank) |
| CAS server URL prefix | http://app.B.com:8921/cas |
| URL of the service to which authentication is applied | http://app.B.com:8921 |
As an example of use at a university, we assume the following environment.
The settings are as follows.

| Setting | Value |
|---|---|
| LDAP server URL | ldap://ldap.sample.ac.jp/ |
| DN of user information | uid=%u |
| Search start entry for user information | dc=sample,dc=ac,dc=jp |
| Search range of user information | Subtree |
| CAS server URL prefix | http://app.sample.ac.jp:8921/cas |
| URL of the service to which authentication is applied | http://app.sample.ac.jp:8921 |
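The two tables above describe two different ways of turning a typed user ID into an LDAP operation: with a blank search start entry, the "DN of user information" pattern is used directly as the bind name (for Active Directory, `%u@B.com` is a user principal name, which a simple bind accepts); with a search start entry and a search range, the pattern becomes a search filter, and the DN of the matching entry is then used for the bind. The following Python is an added illustration written for this page, not Wagby's or CAS's own code; the field names, the `plan_authentication` function and the user-ID validation rule are assumptions made for the example.

```python
"""Added example (not Wagby's or CAS's own implementation): how the
"Environment > Server" settings turn a typed user ID into an LDAP operation.
Blank search start entry  -> direct bind, pattern used as the bind name.
Non-blank search start entry -> search with a filter built from the pattern,
then bind as the DN that was found.  Names and rules here are assumptions."""

import re
from dataclasses import dataclass

# Conservative allowlist for the typed user ID (assumed rule).  The ID is
# substituted into a bind name or a search filter, so characters with LDAP
# meaning such as '(' ')' '*' ',' '\' are rejected rather than escaped.
_USER_ID_RE = re.compile(r"^[A-Za-z0-9._-]{1,64}$")

# Search-range names as written in the settings table, mapped to LDAP scopes.
_SCOPES = {"onelevel": "one", "subtree": "sub"}


@dataclass
class LdapSettings:
    server_url: str         # "LDAP server URL"
    user_dn_pattern: str    # "DN of user information"; %u is replaced by the user ID
    search_base: str = ""   # "Search start entry for user information"; blank = direct bind
    search_scope: str = ""  # "Search range of user information", e.g. "Subtree"


def plan_authentication(settings: LdapSettings, user_id: str) -> dict:
    """Return the LDAP operation the authentication server must perform."""
    if not _USER_ID_RE.fullmatch(user_id):
        raise ValueError(f"user ID not allowed in a bind name or filter: {user_id!r}")
    name = settings.user_dn_pattern.replace("%u", user_id)

    if not settings.search_base:
        # Company example: %u@B.com is a user principal name, which Active
        # Directory accepts as the name in a simple bind.  No search is needed.
        return {"op": "bind", "url": settings.server_url, "name": name}

    scope_key = settings.search_scope.strip().lower()
    if scope_key not in _SCOPES:
        raise ValueError(
            f"search range must be OneLevel or Subtree when a search start entry is set: "
            f"{settings.search_scope!r}")
    # University example: (uid=%u) is searched for under the start entry with the
    # given scope; the DN of the matching entry is then used for the bind.
    return {
        "op": "search_then_bind",
        "url": settings.server_url,
        "base": settings.search_base,
        "scope": _SCOPES[scope_key],
        "filter": f"({name})",
    }


# The two environments from the settings tables on this page.
COMPANY = LdapSettings("ldap://A.B.com/", "%u@B.com")
UNIVERSITY = LdapSettings("ldap://ldap.sample.ac.jp/", "uid=%u",
                          "dc=sample,dc=ac,dc=jp", "Subtree")

if __name__ == "__main__":
    for label, s in (("company", COMPANY), ("university", UNIVERSITY)):
        print(label, plan_authentication(s, "admin"))
```

The point of the allowlist check is that `%u` is substituted into a string the directory server parses; rejecting anything outside the characters a user ID legitimately needs is simpler and safer than trying to escape each LDAP metacharacter correctly in both DN and filter syntax.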
To authenticate users with Windows Active Directory/LDAP, the same account/user must be registered in both Wagby and Windows Active Directory/LDAP.
First, register the account/user "admin". Because the account "admin" is registered in Wagby as standard, you can log on to Wagby simply by registering the user "admin" in Windows Active Directory/LDAP.
After creating any other user in Windows Active Directory/LDAP, create the same account on the Wagby side.
This section shows how to add the user "admin" to Windows Active Directory on Windows Server 2008 Standard. As a precondition, the Windows Active Directory server and the domain "jasminesoft.co.jp" are assumed to be already set up.
Create an account (juser) in Wagby. "Affiliated group" and "Principal" can be set as usual.
The password is handled as follows.
The same account/user must be registered in both Wagby and Windows Active Directory/LDAP.
Even if the account is registered on the Wagby side, you cannot log on unless the same account is registered in Windows Active Directory/LDAP.
The Wagby account is used for authority settings (affiliated group and principal), but the user's Windows Active Directory/LDAP password is used for authentication. A password must be entered when the account is registered, but it is ignored during operation. Therefore, set the password to dummy data.
In addition, passwords set or changed in Wagby are not reflected in Windows Active Directory/LDAP.
With this setting, when the user logs on for the first time, the CAS screen is displayed instead of the logon screen Wagby provides as standard.
When the Windows account and password are entered here, the browser transitions to the Wagby menu screen after authentication.
Permission information set in Windows Active Directory/LDAP cannot be used by Wagby.
Wagby's authority information is managed within Wagby. Set the authority (affiliated group, principal, etc.) on the account in Wagby.
The CAS configuration file is provided below.
If you cannot connect properly, modify this file directly, referring to the CAS manual.
You can customize the CAS screen.
The logon screen and the screen shown after logoff are realized by the following files.
You can customize the screens by rewriting these files.
After editing a file, place it in the customization folder below; it will be picked up automatically at the next build.
The CAS used by Wagby is a product for realizing single sign-on. Therefore, even after logging off from Wagby, CAS remains "logged on". This keeps the authentication to other systems that use CAS.
To end the CAS session as well, http://xxx/cas/logout must be accessed separately after Wagby's logoff processing. For this reason, we modify the logoff.jsp that Wagby provides as standard.
Specifically, add the following line at the beginning of logoff.jsp.
<c:redirect url="http://xxx/cas/logout" />
Save the modified logoff.jsp in the customize/webapp/system folder. (The system folder does not exist immediately after installation, so create it as well.) By doing this, the modified logoff.jsp will always be used from the next build onward.
From a security point of view, close the browser after CAS logout. This is the method recommended by CAS.