Use single sign-on (SSO) with XpoLog

This section describes how to configure XpoLog to work with your SSO solution for validating user authentication.
Configuring XpoLog to work with SSO requires that the XpoLog instance accessed via SSO is secured behind an HTTP proxy or web agent. The HTTP proxy you configure is then responsible for handling authentication and must be the only entity capable of communicating with XpoLog.

Active Directory

XpoLog expects that your user authentication is handled by a web proxy. The web proxy server must be configured to authenticate against the external authentication system (for example, Active Directory). Once a user has been authenticated by the proxy, the proxy must insert the authenticated user's username as a REMOTE_USER header in all HTTP requests it forwards to XpoLog.

XpoLog accepts incoming HTTP requests that include a REMOTE_USER header from a trusted proxy. If the user named in the REMOTE_USER header is not currently authenticated by XpoLog, an authentication request is made to XpoLog via a trusted authentication endpoint that the XpoLog process provides. If REMOTE_USER is not provided in a request, the user is assumed not to be authenticated and receives the XpoLog login screen.

Note: If your proxy uses some other remote user header name besides REMOTE_USER, you can change the name of the header as described below:

The settings include:

  • General

    • User header key - the header key(s) that the trusted authentication endpoint sets for authenticated users in the HTTP header (comma separated list, for example: REMOTE_USER).
      XpoLog uses the header key(s) to validate the user's authentication and to retrieve information about the user. If more than one key is provided, XpoLog tries the keys one by one to retrieve the information.

    • Protected URLs - a list of the trusted authentication endpoint(s) from which XpoLog allows authentication (comma separated list, wildcards supported).

  • Click Save. The SSO configuration is saved.



Set up a proxy server
The XpoLog SSO implementation supports most proxy servers. The proxy server must handle its own authentication and must insert the authorized username into a REMOTE_USER (or equivalent) header for all HTTP requests it forwards to XpoLog.

SiteMinder

XpoLog's integration with SiteMinder supports a scenario in which SiteMinder web agents sit in front of XpoLog. Users log in directly against SiteMinder and are then redirected to XpoLog. XpoLog validates the user's authentication and retrieves the user information from SiteMinder.

The SiteMinder settings include:

  • General

    • User header key - the header key(s) that SiteMinder sets for authenticated users when the information can be retrieved from the HTTP header (comma separated list, for example: HTTP_SM_USER, HTTP_UID).
      XpoLog uses the header key(s) to validate the user's authentication and to retrieve information about the user. If more than one key is provided, XpoLog tries the keys one by one to retrieve the information.

    • Client cookie name - the cookie name that SiteMinder sets for authenticated users when the information can be retrieved from a cookie (for example: SMSESSION).
      XpoLog uses the cookie name to validate the user's authentication and to retrieve information about the user.

    • Protected URLs - a list of the protected SiteMinder web agent URLs from which XpoLog allows authentication (comma separated list, wildcards supported).

    • Group header key - the header key(s) that SiteMinder sets, used to retrieve information about the authenticated user's group(s) from the HTTP header.
      XpoLog uses the header key(s) to retrieve information about the user's group(s). If more than one key is provided, XpoLog tries the keys one by one to retrieve the information.

    • Group id pattern - used if a specific value should be extracted from the authenticated user's group.

    • User HTTP request key - the request key(s) that SiteMinder sets for authenticated users when the information can be retrieved directly from the HTTP request (comma separated list, for example: HTTP_SM_USER, HTTP_UID).
      XpoLog uses the request key(s) to validate the user's authentication and to retrieve information about the user. If more than one key is provided, XpoLog tries the keys one by one to retrieve the information.

  • Click Save. The SiteMinder configuration is saved.
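As an added example (not XpoLog's own code), the following Python sketches the trust model behind both the general SSO settings and the SiteMinder settings above: an identity header is honoured only when the request was forwarded from a URL on the Protected URLs list, the comma separated user header keys are tried in order, the client cookie is the fallback, and the Group id pattern is applied to the group header. The URLs, the group header name and pattern, and the assumption that the cookie value carries the username are constructed for this example.

```python
import re
from dataclasses import dataclass
from fnmatch import fnmatch


@dataclass
class SsoConfig:
    # Setting values mirror the page; URLs, group header and pattern are constructed.
    user_header_keys: str = "HTTP_SM_USER, HTTP_UID"
    client_cookie_name: str = "SMSESSION"
    protected_urls: str = "https://agent1.example.com/*, https://agent2.example.com/sso/*"
    group_header_key: str = "HTTP_SM_GROUPS"
    group_id_pattern: str = r"cn=([^,]+)"


def split_keys(csv: str) -> list[str]:
    """Parse a comma separated setting into an ordered list of keys."""
    return [k.strip() for k in csv.split(",") if k.strip()]


def is_trusted_origin(cfg: SsoConfig, origin_url: str) -> bool:
    """Wildcard match of the forwarding agent URL against the Protected URLs list."""
    return any(fnmatch(origin_url, pattern) for pattern in split_keys(cfg.protected_urls))


def resolve_user(cfg: SsoConfig, origin_url: str, headers: dict, cookies: dict):
    """Return (username, groups) when the request carries a trusted identity, else None."""
    # Identity headers mean nothing unless the request came through a configured agent:
    # a client that reached XpoLog by another path could have set REMOTE_USER itself.
    if not is_trusted_origin(cfg, origin_url):
        return None
    # Try the user header keys one by one, in the configured order.
    user = next((headers[k] for k in split_keys(cfg.user_header_keys) if headers.get(k)), None)
    if user is None:
        # Assumption for this example: the agent stores the username in the cookie value.
        user = cookies.get(cfg.client_cookie_name)
    if not user:
        return None  # no identity from any key: the user gets the XpoLog login screen
    # Apply the Group id pattern to every group entry in the group header.
    groups = re.findall(cfg.group_id_pattern, headers.get(cfg.group_header_key, ""))
    return user, groups
```

A request from an address outside the Protected URLs list is rejected even when it carries a well-formed user header, which is the property the trusted-proxy requirement at the top of the page relies on.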