Advanced Techniques - Mixed authentication

In the Users module, you can define different authentication methods for your portal via the Main menu: User/Configuration/Authentication. The descriptions of the settings in the corresponding dialog can be found here. Intrexx authentication is widely used in extranet situations. Single Sign On (SSO), i.e. Windows authentication, is widely used for intranets. LDAP authentication is principally used for extranets. However, there are also scenarios where the authentication requirements cannot all be met with just one method. A solution where multiple authentication methods are offered is known as mixed authentication; possible scenarios include:

Customizations

Settings will need to be adjusted in the web server configuration, i.e. Internet Information Services (IIS) or Tomcat. Our first example covers the amendments for IIS. It may also be necessary to set up or revise the configuration of a reverse proxy. Also, these two files in the portal's \internal\cfg directory (om.cfg and LucyAuth.cfg) will need to be customized:

Sample om.cfg file

<?xml version="1.0" encoding="UTF-8"?>
<configuration>
	<authentication anonymous="05CE8CE3035924F7D3088895F1D87DADD65CFAE4">
		<binding scope="odataservice" auth-type="IntegratedAuthClient"/>
		<binding scope="web" auth-type="MyDemoAuth"/>
		<binding scope="documentintegration" auth-type="IntegratedAuth"/>
		<binding scope="client" auth-type="IntegratedAuthClient"/>
		<binding scope="webservice" auth-type="IntegratedAuthClient"/>
		<webserver-configuration plain-text-auth="false" integrated-auth="true" insecure-basic="false"/>
		<mobile-devices plain-text-auth="never"/>
	</authentication>
	<security pwd-dictionary="....."/>
	<organization default-container-guid="...."/>
</configuration>

Sample additional section for LucyAuth.cfg file

MyDemoAuth
{
	de.uplanet.lucy.server.auth.module.integrated.IntegratedLoginModule sufficient
		debug=false;

	de.uplanet.lucy.server.auth.module.ldap.LdapBindLoginModule sufficient
		java.naming.provider.url="ldap://directoryserver.example.org:389"
		java.naming.security.authentication="simple"
		java.naming.security.principal="$[DN]"
		debug=false;

	de.uplanet.lucy.server.auth.module.intrexx.IntrexxLoginModule sufficient
		debug=false;

	de.uplanet.lucy.server.auth.module.anonymous.AnonymousLoginModule sufficient
		debug=false;
};

IIS Configuration changes

The solution demonstrated here uses an alternative URL for the second authentication method (in this case, Intrexx authentication). In the example shown, the portal URL is demo8, and the alternative URL is demo8_2. A configuration with just one URL would require an additional network card in the Intrexx portal server.

To set up the alternative URL, in the IIS Manager, under Connections, open the context menu of the Default Web Site and select Add Application.

The two example applications have the same physical path: the Portal directory \external\htmlroot.

ASP Configuration (for each website URL)

Open the ASP properties of demo8 by double-clicking on the ASP option in the middle area (Configure properties for ASP applications).

Set the property Enable Parent Paths to True. Repeat the change for demo8_2.

Authentication configuration for the portal URL demo8: SSO

Open the authentication settings of demo8 by double-clicking on the Authentication option in the middle area (Configure authentication settings for sites and applications).

Apply the following settings:

Authentication configuration for the alternative URL demo8_2: Intrexx login

Open the authentication settings of demo8_2 by double-clicking on the Authentication option in the middle area (Configure authentication settings for sites and applications).

Apply the following settings:

When all of the configuration changes have been made, the portal service needs to be restarted.

Configuration with LDAP and Intrexx authentication

If the authentication methods LDAP and Intrexx are provided, both of the files LucyAuth.cfg and om.cfg need to be modified. The file LucyAuth.cfg should be adjusted as follows:

MyDemoAuth2
{
	de.uplanet.lucy.server.auth.module.ldap.LdapBindLoginModule sufficient
		java.naming.provider.url="ldap://directoryserver.example.org:389"
		java.naming.security.authentication="simple"
		java.naming.security.principal="$[DN]"
		debug=false;

	de.uplanet.lucy.server.auth.module.intrexx.IntrexxLoginModule sufficient
		debug=false;

	de.uplanet.lucy.server.auth.module.anonymous.AnonymousLoginModule sufficient
		debug=false;
};

Using a secure connection (LDAPS) is recommended here. To achieve this, you need to start by importing the LDAP server's certificate into the portal. Additionally, the following line in the MyDemoAuth2 section:

java.naming.provider.url="ldap://directoryserver.example.org:389"

needs to be changed to:

java.naming.provider.url="ldaps://directoryserver.example.org:636"

The file om.cfg needs to be adjusted as follows:

<?xml version="1.0" encoding="UTF-8"?>
<configuration>
	<authentication anonymous="05CE8CE3035924F7D3088895F1D87DADD65CFAE4">
		<binding scope="web" auth-type="MyDemoAuth2"/>
		<binding scope="client" auth-type="IntrexxAuth"/>
		<binding scope="webservice" auth-type="IntrexxAuth"/>
		<binding scope="odataservice" auth-type="ODataAuth"/>
		<binding scope="documentintegration" auth-type="IntrexxAuth"/>
		<webserver-configuration plain-text-auth="false" integrated-auth="false"/>
		<mobile-devices plain-text-auth="never"/>
	</authentication>

	<security/>
	<organization default-container-guid="..." default-distlist-guid="..."/>
</configuration>

Again, when the changes have been made, the portal service needs to be restarted.
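Before restarting the portal service it is worth checking both files for the settings that decide whether credentials cross the network in clear text. The following Python script is an added example and not part of the Intrexx documentation or product: it parses an om.cfg (XML) and a LucyAuth.cfg (JAAS-style sections) and reports an LDAP bind URL without TLS, plain-text or insecure basic authentication left enabled in om.cfg, and a misspelled java.naming.* option key in LucyAuth.cfg. The two file contents are constructed inline from the LDAP and Intrexx samples above; the LucyAuth.cfg parser is a simplified reading of its section/module/option syntax, and the rewrite to port 636 assumes the directory server listens on the standard LDAPS port (both are this example's assumptions).

```python
"""Audit Intrexx om.cfg and LucyAuth.cfg for settings that weaken authentication.

Added example, not Intrexx code. It assumes LucyAuth.cfg sections follow the
JAAS pattern  Name { module-class flag option=value ... ; ... };
"""
import re
import xml.etree.ElementTree as ET

# Real JNDI property names; any other java.naming.* key is reported as a likely typo.
KNOWN_JNDI_KEYS = {
    "java.naming.provider.url",
    "java.naming.security.authentication",
    "java.naming.security.principal",
    "java.naming.security.credentials",
}

# Constructed sample modelled on the page's LDAP + Intrexx om.cfg (GUIDs left as "...").
OM_CFG = """<?xml version="1.0" encoding="UTF-8"?>
<configuration>
    <authentication anonymous="...">
        <binding scope="web" auth-type="MyDemoAuth2"/>
        <binding scope="client" auth-type="IntrexxAuth"/>
        <webserver-configuration plain-text-auth="false" integrated-auth="false"/>
        <mobile-devices plain-text-auth="never"/>
    </authentication>
    <security/>
    <organization default-container-guid="..."/>
</configuration>
"""

# Constructed sample modelled on the page's MyDemoAuth2 section, still using plain ldap://.
LUCY_AUTH_CFG = """MyDemoAuth2
{
    de.uplanet.lucy.server.auth.module.ldap.LdapBindLoginModule sufficient
        java.naming.provider.url="ldap://directoryserver.example.org:389"
        java.naming.security.authentication="simple"
        java.naming.security.principal="$[DN]"
        debug=false;

    de.uplanet.lucy.server.auth.module.intrexx.IntrexxLoginModule sufficient
        debug=false;
};
"""

SECTION_RE = re.compile(r"(\w+)\s*\{(.*?)\};", re.S)     # Name { body };
OPTION_RE = re.compile(r'([\w.]+)=("[^"]*"|\S+)')        # key="value" or key=value


def parse_lucy_auth(text):
    """Return {section_name: [(module_class, flag, {option: value}), ...]}."""
    sections = {}
    for name, body in SECTION_RE.findall(text):
        entries = []
        for entry in body.split(";"):          # one login module per ';'-terminated entry
            tokens = entry.split()
            if len(tokens) < 2:                # trailing whitespace after the last ';'
                continue
            options = {k: v.strip('"') for k, v in OPTION_RE.findall(" ".join(tokens[2:]))}
            entries.append((tokens[0], tokens[1], options))
        sections[name] = entries
    return sections


def lint_om_cfg(xml_text):
    """Flag om.cfg settings that allow passwords to be sent in clear text."""
    findings = []
    root = ET.fromstring(xml_text.encode("utf-8"))
    ws = root.find("./authentication/webserver-configuration")
    if ws is not None:
        if ws.get("plain-text-auth", "false").lower() != "false":
            findings.append("om.cfg: webserver-configuration permits plain-text authentication")
        if ws.get("insecure-basic", "false").lower() != "false":
            findings.append("om.cfg: webserver-configuration permits insecure basic authentication")
    mobile = root.find("./authentication/mobile-devices")
    if mobile is not None and mobile.get("plain-text-auth") != "never":
        findings.append("om.cfg: mobile-devices plain-text-auth should be 'never'")
    return findings


def lint_lucy_auth(text):
    """Flag LDAP binds without TLS and java.naming.* keys that are not JNDI properties."""
    findings = []
    for name, entries in parse_lucy_auth(text).items():
        for module, _flag, options in entries:
            url = options.get("java.naming.provider.url")
            if url and not url.lower().startswith("ldaps://"):
                findings.append(f"LucyAuth.cfg [{name}]: {module.rsplit('.', 1)[-1]} binds to {url} "
                                f"without TLS; the user's bind password crosses the network in clear")
            for key in options:
                if key.startswith("java.naming.") and key not in KNOWN_JNDI_KEYS:
                    findings.append(f"LucyAuth.cfg [{name}]: '{key}' is not a JNDI property name (typo?)")
    return findings


def harden_provider_url(url):
    """Rewrite an ldap:// URL to ldaps://, moving the default port 389 to 636 (assumed)."""
    if url.lower().startswith("ldaps://"):
        return url
    host_port = url.split("://", 1)[-1]
    if host_port.endswith(":389"):
        host_port = host_port[:-4] + ":636"     # standard LDAPS port; adjust for other setups
    return "ldaps://" + host_port


if __name__ == "__main__":
    for finding in lint_om_cfg(OM_CFG) + lint_lucy_auth(LUCY_AUTH_CFG):
        print("WARN", finding)
    print("use instead:", harden_provider_url("ldap://directoryserver.example.org:389"))
```

Run against the samples, the script reports exactly one warning, the ldap:// bind URL, which is the line the text above says to change; after the certificate is imported and the URL switched to ldaps://…:636 it reports nothing. Misspelled option keys such as the one corrected in the first LucyAuth.cfg sample are caught by the JNDI key check, because a login module that does not recognise the key will not apply the intended setting.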