Topic: ODWEK Authentication Mechanisms

jg

ODWEK Authentication Mechanisms
« on: March 20, 2015, 01:35:15 AM »
Does the ODWEK for CMOD 9.5 support any advanced authentication methods like LDAP?
All I found in the IBM documentation and sample code are references to plain username/password authentication.

Thanks!

Alessandro Perucchi

Re: ODWEK Authentication Mechanisms
« Reply #1 on: March 20, 2015, 02:38:03 AM »
Hello jg,

What exactly are you talking about? ODWEK is only the interface to OnDemand.
If you want LDAP, then you need to configure the server, not the client.
If you want a more enhanced way to do authentication, then you might need to write a security user exit on the server side, which has nothing to do with ODWEK.

What you can do with ODWEK and the Java API, is to pass a security token to the server. And this is already available since CMOD V9.0.

That's why you get, as with "any" other solution from any vendor, a method to connect to the server with "user / pwd", or what is new now, "user / token".
This combination is then handled by the server, which will then say YES / NO to the authentication. Like any other solution from 99.9% of all software. (I left 0.1%, because there are solutions now that do authentication directly on the workstation of the user without doing any connection with the server, or with quite little transfer with the server, and OnDemand is not able to do that today).


That said, could you give us what you really want to do? Because it might already be there since a few years (LDAP is supported since at least CMOD 8.3/8.4 if not more...)

Yours sincerely,
Alessandro
Alessandro Perucchi

#Install #Migrations #Conversion #Educate #Repair #Upgrade #Migrate #Enhance #Optimize #AIX #Linux #Multiplatforms #DB2 #Windows #Oracle #TSM #Tivoli #Performance #Audits #Customizing #Availability #HA #DR #JavaApi #ContentNavigator #ICN #WEBi #ODWEK #Services #PDF #AFP #XML

jg

Re: ODWEK Authentication Mechanisms
« Reply #2 on: March 20, 2015, 03:02:41 AM »
Thanks Alessandro for your fast reply!

We need to access CMOD (most likely 9.5) from a web app. The web app itself will be integrated into the client's SSO environment (Kerberos based).
The CMOD server will be integrated into LDAP environment.

Where can I find more details on the authentication mechanisms? I found some Redbooks and this: http://www-01.ibm.com/support/knowledgecenter/SSEPCD_9.5.0/com.ibm.ondemandtoc.doc/installingodwek.htm

Regards
Jochen

Alessandro Perucchi

Re: ODWEK Authentication Mechanisms
« Reply #3 on: March 20, 2015, 04:39:59 AM »
Ahhhhhhhhhhh That's what you need :-) that has nothing to do with LDAP, but SSO !!!

What kind of web application? An application that you will build from "scratch"? Or do you plan to use ICN (IBM Content Navigator)?

In both cases, you will need to write a security user exit in CMOD (in C/C++), that will read the user / SSO token that you will receive from your environment.
This security user exit will need to check if the combination user / SSO token is valid (could be done through some web service or some internal check).
Once you've validated with the user exit that your SSO token is valid, then you can allow the user to use CMOD because he is authenticated.

To be honest, I haven't found any documentation on how to do it, but I've done it 2-3 times now. So I have some experience. If I can help you, I will.

Basically for a SSO, it works like that:

A) the user authenticates with the main authentication of the company (with card reader, user / password, usb key, fingerprint, whatever...)
B) once the system recognizes you with what you provided in A), then it will create some credentials (normally some kind of "SSO Token" that contains lots of information, like validity of the token, user, rights, ...)
C) Then all applications that need authentication will use that SSO Token, probably also with the user id of the user, but not always. So they need to decrypt this token or to provide this token to a service to verify it. Once verified, it will authenticate the user to use the wanted app.

With ODWEK, basically you will need to use the method (starting from V9) ODServer.setPassThruToken(...) in order to provide the SSO token to CMOD, and with ODServer.setUserId(...) the username of the user.
After you run ODServer.logon(), the user id and the token are sent to CMOD.
The security user exit will be called with lots of parameters, including the userId and the Token.
The security user exit will try to validate it.
If it is validated, then it will give CMOD an OK.
If not, a Not OK.
And finally CMOD will send ODWEK the answer OK or Not.
Your web app will then do what it needs to do :-)


I hope I was a bit clear on how to do it in a semi-high level :-) That's not always easy to implement correctly, and this is always something that needs development, because no 2 customers are the same.

With ICN, I've built a standard way to do SSO with CMOD according to the very high level explanation of IBM on that topic.

Regards,
Alessandro


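The check described in Reply #3 (the security user exit receives the userId and the pass-through token and answers OK / Not OK) can be simulated as below. This is an added illustration, not CMOD's exit API nor code from the thread: the token format (signed JSON claims with user, rights and expiry) and the shared secret are constructed assumptions; a real exit written in C/C++ would do the same checks itself or hand the token to a verification service.

```python
import base64
import hashlib
import hmac
import json
import time

# Constructed demo secret shared between the SSO issuer and the exit (assumption).
SSO_SECRET = b"constructed-demo-secret"


def issue_token(user, rights, ttl_seconds, now=None):
    """Step B of the thread: the company SSO issues a token carrying user, rights, validity."""
    now = int(time.time()) if now is None else now
    claims = {"user": user, "rights": rights, "exp": now + ttl_seconds}
    body = base64.urlsafe_b64encode(json.dumps(claims, sort_keys=True).encode()).decode()
    sig = hmac.new(SSO_SECRET, body.encode(), hashlib.sha256).hexdigest()
    return body + "." + sig


def security_exit_check(user_id, token, now=None):
    """Simulates the exit's decision on the (userId, token) pair ODWEK sends at logon.

    Returns (ok, reason). Every failure is rejected before any claim is trusted:
    tampered tokens fail the MAC, expired tokens fail validity, and a token
    presented with a different user id than it was issued for is refused.
    """
    now = int(time.time()) if now is None else now
    try:
        body, sig = token.split(".", 1)
    except ValueError:
        return False, "malformed token"
    expected = hmac.new(SSO_SECRET, body.encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, sig):
        return False, "bad signature"
    try:
        claims = json.loads(base64.urlsafe_b64decode(body.encode()))
    except (ValueError, UnicodeDecodeError):
        return False, "undecodable claims"
    if claims.get("exp", 0) <= now:
        return False, "token expired"
    if claims.get("user") != user_id:
        return False, "token not issued for this user id"
    return True, "OK"
```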

Alessandro Perucchi

Re: ODWEK Authentication Mechanisms
« Reply #4 on: March 20, 2015, 04:43:52 AM »
I've read again your post, and I felt that I needed to give you an additional precision

The explanation I've made before implies that since you need to use this security exit... then you cannot use LDAP at all.
But of course, you can say, if you are using this user/token, then you don't use ldap, just the sso token check.

But if you connect to CMOD via another way (like windows admin client, or windows client), then it will use the "normal" CMOD authentication method that was configured (LDAP or internal).

:-)
« Last Edit: March 20, 2015, 04:57:28 AM by Alessandro Perucchi »

jg

Re: ODWEK Authentication Mechanisms
« Reply #5 on: April 21, 2015, 12:32:15 PM »
After looking into this topic a little bit more in detail, some more questions popped up:
- Can I use LDAP authentication (for fat and admin client) and token-based authentication (for ODWEK) at the same time?
- If not, how can CMOD be administrated?
- Does ODWEK support LDAP?

Thanks in advance!

Regards
Jochen

Lars Bencze

Re: ODWEK Authentication Mechanisms
« Reply #6 on: March 07, 2016, 07:22:17 AM »
Alex has given a superb description of how to do user authentication via ODWEK using SSO.
Now;
Has anyone implemented user authentication, via ODWEK Java API, where you DON'T have SSO?
(This request is for a Windows-based CMOD system, so "odServer.unifiedLogon" would be quite possible.)

What we want to do is that users in integrated systems send a request to a web service on a middleware. We want them to use their own UserId to be authorized in CMOD, not a CMOD System account (which the MW team would like).
OnDemand for MP expert. #Multiplatforms #Admin #Scripts #Performance #Support #Architecture #PDFIndexing #TSM/SP #DB2 #CustomSolutions #Integration #UserExits #Migrations #Workflow #ECM #Cloud #ODApi

Lars Bencze

Re: ODWEK Authentication Mechanisms
« Reply #7 on: March 11, 2016, 04:38:45 AM »
I checked with experts in here and with IBM Tech Support - they confirm that the unifiedLogon method cannot be used other than from the machine where it is called. Thus, with a middleware in place, the user that will be logged in when unifiedLogin is called will be the one who is "logged in", i.e. "is running the middleware service" on the middleware server.

So it is confirmed, odServer.unifiedLogon cannot be used to automatically log on web users. We'll have to go for the security exit solution instead.

Alessandro Perucchi

Re: ODWEK Authentication Mechanisms
« Reply #8 on: March 14, 2016, 01:16:15 AM »
Thanks for the answer :-)