Single Sign On

Posted by umangaraj on 08-May-2018 01:52

Hi All,

I need to develop SSO in a Progress application. Can you please suggest the proper documents that I can go through for implementing SSO in Progress OE? Can I implement Spring Security, or is it possible with the Authentication Gateway? Any suggestions to find the proper documents or the workshop for implementing the Authentication Gateway in my web application?

All Replies

Posted by Irfan on 08-May-2018 07:46

Hello,


What kind of application would you like to run SSO on? Are you using PASOE, and would you like to use SSO with HTTP/S?

Regards,
Irfan

Posted by Irfan on 08-May-2018 13:17

If you are interested, here is a workshop script we gave on Spring Security. It should have steps on how to perform HTTP SSO.

Attachment (PASOE Spring workshop slide book): /cfs-file/__key/communityserver-discussions-components-files/26/PASOE_5F00_Spring_5F00_Workshop_5F00_Slide_5F00_Book_5F00_Revised.pdf

Posted by umangaraj on 15-May-2018 06:22

Hello Irfan,

Thank you for your response.

I have gone through the document. I configured my application to use the STS service, but when I log in to my application I find an error: "500 - Server Error: the server could not produce a response entity due to an internal error - POST /testNew/static/auth/j_spring_security_check".

HTTP status: 500

Error detail: java.lang.NoClassDefFoundError ; Could not initialize class com.progress.common.util.LibStsKey

Do you have any idea how to overcome this?

Regards,

Umanga

Posted by Matt Baker on 15-May-2018 09:19

NoClassDefFoundError usually indicates you are missing something the class depends on. LibStsKey needs a .dll, so maybe that failed to load? Sharing the root cause rather than the final problem error message would help.

Posted by Irfan on 15-May-2018 12:49

Hi Umanga,

I thought you wanted to use HTTP SSO instead of STS. Isn't that your use case?

Posted by umangaraj on 18-May-2018 01:30

Hi Irfan,

I saw the materials for STS, and in the meantime I tried to use STS in my application.

Do you have any white paper on how to configure LDAP and use it with HTTP SSO?

Regards,

Umanga

Posted by Irfan on 18-May-2018 02:52

In the attached document, from slide no. 43 onwards we talk about HTTP SSO.

Posted by bernhardkraml on 18-May-2018 04:59

Maybe, the attachment is missing?

-bernhard

Posted by Irfan on 18-May-2018 06:39

Posted by Blake Stanford on 27-Feb-2020 20:26

Irfan,  

I've run through the example for using PASOE as a token producer from the referenced document. I have not been successful! :(

I'm running on 11.7.5 with a Windows 10 PASOE instance. I'm using local for the authmanager; using Postman I issue the following request:

 --method POST \
 --timeout=0 \
 --header 'Accept: application/json' \
 --header 'Content-Type: multipart/form-data; boundary=--------------------------402823437541950243094182' \
 --body-data 'j_username=bstan&j_password=bstan&submit=Login' \
  'localhost:8170/.../j_spring_security_check'

I get the following response back:

{
    "error": "sso.token.unauthorized_client",
    "error_description": "Internal token error"
}

I've turned up logging and find the following in the logs, which leads me to believe that my POST is incorrect; the username doesn't appear to be getting in:

12:50:38.288/22257 [thd-2] DEBUG c.p.a.services.security.OEMdcFilter - Update request user-id source is: nullUser
12:50:38.288/22257 [thd-2] DEBUG c.p.a.services.security.OEMdcFilter - MDC UID policy IFREQUIRED is not changing request user-id from unknown token type
12:50:38.288/22257 [thd-2] DEBUG o.s.security.web.FilterChainProxy - /static/auth/j_spring_security_check at position 5 of 18 in additional filter chain; firing Filter: 'WebAsyncManagerIntegrationFilter'
12:50:38.288/22257 [thd-2] DEBUG o.s.security.web.FilterChainProxy - /static/auth/j_spring_security_check at position 6 of 18 in additional filter chain; firing Filter: 'HeaderWriterFilter'
12:50:38.288/22257 [thd-2] DEBUG o.s.security.web.FilterChainProxy - /static/auth/j_spring_security_check at position 7 of 18 in additional filter chain; firing Filter: 'LogoutFilter'
12:50:38.288/22257 [thd-2] DEBUG o.s.s.w.u.m.AntPathRequestMatcher - Checking match of request : '/static/auth/j_spring_security_check'; against '/static/auth/j_spring_security_logout'
12:50:38.288/22257 [thd-2] DEBUG o.s.security.web.FilterChainProxy - /static/auth/j_spring_security_check at position 8 of 18 in additional filter chain; firing Filter: 'OECPRefreshFilter'
12:50:38.288/22257 [thd-2] TRACE c.p.a.s.security.OECPRefreshFilter - Refresh URI /idp/static/auth/j_spring_security_check match to required URI /idp/static/auth/token status: false
12:50:38.289/22258 [thd-2] DEBUG o.s.security.web.FilterChainProxy - /static/auth/j_spring_security_check at position 9 of 18 in additional filter chain; firing Filter: 'UsernamePasswordAuthenticationFilter'
12:50:38.289/22258 [thd-2] DEBUG o.s.s.w.u.m.AntPathRequestMatcher - Checking match of request : '/static/auth/j_spring_security_check'; against '/static/auth/j_spring_security_check'
12:50:38.289/22258 [thd-2] DEBUG o.s.s.w.a.UsernamePasswordAuthenticationFilter - Request is to process authentication
12:50:38.290/22259 [thd-2] DEBUG o.s.s.authentication.ProviderManager - Authentication attempt using org.springframework.security.authentication.dao.DaoAuthenticationProvider
12:50:38.292/22261 [thd-2] DEBUG o.s.s.a.d.DaoAuthenticationProvider - User '' not found
12:50:38.293/22262 [thd-2] TRACE o.s.w.c.s.XmlWebApplicationContext - Publishing event in Root WebApplicationContext: org.springframework.security.authentication.event.AuthenticationFailureBadCredentialsEvent[source=org.springframework.security.authentication.UsernamePasswordAuthenticationToken@1f: Principal: ; Credentials: [PROTECTED]; Authenticated: false; Details: org.springframework.security.web.authentication.WebAuthenticationDetails@0: RemoteIpAddress: 0:0:0:0:0:0:0:1; SessionId: 96E709E58456367F93D9D0B99394677D17AB5DE9405A.oeidp; Not granted any authorities]
12:50:38.293/22262 [thd-2] DEBUG o.s.b.f.s.DefaultListableBeanFactory - Returning cached instance of singleton bean 'authenticationLoggerSink'
12:50:38.295/22264 [thd-2] DEBUG o.s.s.w.a.UsernamePasswordAuthenticationFilter - Authentication request failed: org.springframework.security.authentication.BadCredentialsException: Bad credentials
org.springframework.security.authentication.BadCredentialsException: Bad credentials
at org.springframework.security.authentication.dao.AbstractUserDetailsAuthenticationProvider.authenticate(AbstractUserDetailsAuthenticationProvider.java:151) ~[spring-security-core-4.1.3.RELEASE.jar:4.1.3.RELEASE]

Any help would be appreciated.

Posted by Michael Jacobs on 27-Feb-2020 22:21

The log entry with "DaoAuthenticationProvider - User '' not found" is the key indicator. That is not a double quote in the log entry, but single quotes around a blank user-id. It indicates the server's authentication provider did not find an HTML form field of j_username. Apparently when Spring asks Tomcat for a form field that Tomcat cannot find, it substitutes a blank string, silently. It has to have something to do with how the request body is formatted.

Posted by Irfan on 28-Feb-2020 05:11

Blake,

As Mike pointed out, it looks like there is a problem with your client program, and it could not send the values correctly to the PASOE Server. You might already have seen the JavaScript example in the attachment. In case you want to do something in ABL, I am attaching an ABL HTTP client example as well for your reference.

/*------------------------------------------------------------------------
    File        : HTTPSSOClient.p
    Purpose     :

    Syntax      :

    Description : SSO Client to get the OE CP token and pass it in the header
                  while invoking other OE Services.

    Author(s)   :
    Created     : Tue Feb 14 06:57:01 EST 2017
    Notes       :
  ----------------------------------------------------------------------*/

/* ***************************  Definitions  ************************** */

BLOCK-LEVEL ON ERROR UNDO, THROW.

/* ********************  Preprocessor Definitions  ******************** */

/* ***************************  Main Block  *************************** */
USING Progress.Lang.*.
USING OpenEdge.Core.Collections.IStringStringMap.
USING OpenEdge.Core.Collections.StringStringMap.
USING OpenEdge.Net.HTTP.ClientBuilder.
USING OpenEdge.Net.HTTP.Cookie.
USING OpenEdge.Net.HTTP.CookieJarBuilder.
USING OpenEdge.Net.HTTP.ICookieJar.
USING OpenEdge.Net.HTTP.IHttpClient.
USING OpenEdge.Net.HTTP.IHttpRequest.
USING OpenEdge.Net.HTTP.IHttpResponse.
USING OpenEdge.Net.HTTP.RequestBuilder.
USING Progress.Json.ObjectModel.JsonObject.
USING Progress.Lang.Object.
USING OpenEdge.Core.String.
USING OpenEdge.Net.HTTP.Credentials FROM PROPATH.
USING OpenEdge.Net.HTTP.IHttpClientLibrary.
USING OpenEdge.Net.HTTP.Lib.ClientLibraryBuilder.

DEFINE VARIABLE oClient       AS IHttpClient        NO-UNDO.
DEFINE VARIABLE oReq          AS IHttpRequest       NO-UNDO.
DEFINE VARIABLE oReq1         AS IHttpRequest       NO-UNDO.
DEFINE VARIABLE oResp         AS IHttpResponse      NO-UNDO.
DEFINE VARIABLE oResp1        AS IHttpResponse      NO-UNDO.
DEFINE VARIABLE oForm         AS IStringStringMap   NO-UNDO.
DEFINE VARIABLE oCookies      AS Cookie             EXTENT NO-UNDO.
DEFINE VARIABLE iLoop         AS INTEGER            NO-UNDO.
DEFINE VARIABLE oLib          AS IHttpClientLibrary NO-UNDO.
DEFINE VARIABLE ssoURL        AS CHARACTER          NO-UNDO.
DEFINE VARIABLE JObj          AS JsonObject         NO-UNDO.
DEFINE VARIABLE access_token  AS CHARACTER          NO-UNDO.
DEFINE VARIABLE serviceURL    AS CHARACTER          NO-UNDO.

OUTPUT TO "SSOClient.out".

// Step 1: authenticate against the token producer (the Spring login URL)
// and receive a JSON entity carrying a valid access_token.
serviceURL = "localhost:8810/.../j_spring_security_check".

oForm = NEW StringStringMap().
oForm:Put('j_username', "restuser").
oForm:Put('j_password', "password").

oClient = ClientBuilder:Build()
                       :Client.

// The form map is sent as an application/x-www-form-urlencoded body;
// the Content-Type must match the body encoding or the server sees no fields.
oReq = RequestBuilder:Post(serviceURL, oForm)
            :ContentType('application/x-www-form-urlencoded')
            :AcceptJson()
            :Request.

// Re-send any cookies captured from an earlier exchange (none on the first call)
IF EXTENT(oCookies) <> ? THEN
DO iLoop = EXTENT(oCookies) TO 1 BY -1:
    oReq:SetCookie(oCookies[iLoop]).
END.

oResp = oClient:Execute(oReq).
oResp:GetCookies(OUTPUT oCookies).

// Extract the access_token from the JSON response
JObj = CAST(oResp:Entity, JsonObject).
access_token = JObj:GetCharacter("access_token").

oLib = ClientLibraryBuilder:Build()
                           :Library.
oClient = ClientBuilder:Build()
                       :Client.

// Step 2: perform SSO using the token received earlier. The token goes in
// the Authorization header with the "oecp" scheme.
serviceURL = "localhost:8810/.../_oeping".

oReq1 = RequestBuilder
            :Get(serviceURL)
            :AddHeader('Authorization', 'oecp ' + access_token)
            :AcceptJson()
            :Request.

oResp1 = oClient:Execute(oReq1).

// Print the SSO output for the authorized OE service
IF TYPE-OF(oResp1:Entity, JsonObject) THEN
DO:
    MESSAGE String(CAST(oResp1:Entity, JsonObject):GetJsonText()) VIEW-AS ALERT-BOX.
END.

OUTPUT CLOSE.

Posted by Michael Jacobs on 28-Feb-2020 13:19

Getting Postman to work was a bit of a challenge.

- I turned off all of the auto-generated headers.
- I made sure it was not doing any authentication.
- No URL parameters were defined.
- I turned off all of the automatic redirects.
- I selected the body style: x-www-form-urlencoded
- I sent the HTML form fields j_username & j_password ('keys' in the UI)
- I configured the headers:
     accept:text/html,application/json

Try this in your Postman and check that you do not get the "User '' not found" log entry.
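As an added example (not code from the thread, from Progress or from Spring): a small Python model of the form-field extraction Mike describes, showing why the Postman request earlier in the thread, which sent a urlencoded body under a multipart Content-Type, produces the blank user-id, alongside the two correctly formed requests (login, then the call carrying the oecp token) that the ABL client performs. The multipart parser and the request builders are my own simplification; which body encodings a given container actually parses depends on its configuration.

```python
"""Reproduces the "User '' not found" symptom from this thread: a urlencoded
body sent under a multipart Content-Type yields no j_username field.
Constructed sample requests, not Progress/PASOE or Spring code."""
import re
from urllib.parse import parse_qs, urlencode


def form_fields(content_type: str, body: bytes) -> dict:
    """Form fields a container would extract for this Content-Type/body pair."""
    ctype = content_type.split(";")[0].strip().lower()
    if ctype == "application/x-www-form-urlencoded":
        return {k: v[0] for k, v in parse_qs(body.decode()).items()}
    if ctype == "multipart/form-data":
        # Only parts delimited by the declared boundary count; a urlencoded
        # body has no such parts, so nothing is found.
        m = re.search(r'boundary="?([^";]+)"?', content_type)
        fields = {}
        if not m:
            return fields
        delim = b"--" + m.group(1).encode()
        for part in body.split(delim)[1:]:
            if part.startswith(b"--") or b"\r\n\r\n" not in part:
                continue  # closing marker or malformed part
            head, value = part.split(b"\r\n\r\n", 1)
            name = re.search(rb'name="([^"]+)"', head)
            if name:
                fields[name.group(1).decode()] = value.rstrip(b"\r\n").decode()
        return fields
    return {}


def login_user(content_type: str, body: bytes) -> str:
    """A missing j_username becomes '', exactly what DaoAuthenticationProvider logged."""
    return form_fields(content_type, body).get("j_username", "")


def build_login_request(username: str, password: str) -> tuple:
    """Correct token-producer login: urlencoded body with a matching Content-Type."""
    body = urlencode({"j_username": username, "j_password": password, "submit": "Login"}).encode()
    return ({"Accept": "application/json",
             "Content-Type": "application/x-www-form-urlencoded",
             "Content-Length": str(len(body))}, body)


def sso_headers(access_token: str) -> dict:
    """Headers for the follow-up call presenting the OECP token, as the ABL client does."""
    return {"Accept": "application/json", "Authorization": "oecp " + access_token}


if __name__ == "__main__":
    # Constructed reproduction of the Postman request from the thread
    bad_ct = "multipart/form-data; boundary=--------------------------402823437541950243094182"
    print(repr(login_user(bad_ct, b"j_username=bstan&j_password=bstan&submit=Login")))  # ''
    hdrs, body = build_login_request("bstan", "bstan")
    print(repr(login_user(hdrs["Content-Type"], body)))  # 'bstan'
```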
