SSO Plugin
Release notes
J System Solutions
http://www.javasystemsolutions.comWhat's new ... 3
Improved Integrated Windows Authentication ... 3
BMC ITSM self service ... 3
Improved BMC ITSM Incident integration ... 3
Improved user interface ... 4
Improved Active Directory account creation tool ... 4
Configuration simplification on BMC AR System ... 4
Native CA SiteMinder and RSA Access Manager (ClearTrust) support ... 4
LDAP authentication... 5
Page 3 of 6
http://www.javasystemsolutions.com
What's new
We are pleased to announce the next major release of the JSS SSO Plugin, the industry standard SSO implementation for BMC and HP products, featuring new integrations and enhanced existing functionality.
This document presents the notable changes and key bug fixes to the SSO Plugin.
Improved Integrated Windows Authentication
This has other names, such as Windows Active Directory authentication and is the process of opening Internet Explorer (or other browsers) in a corporate Windows Domain and accessing an application without logging in.
In previous versions of SSO Plugin, a computer service account was required for each Java web server (ie Apache Tomcat running BMC Mid Tier, HP Web Tier, etc.) to enable NTLM authentication, part of the IWA protocol.
This version of SSO Plugin provides a tightly integrated solution that requires no computer account when running the Java web server on a Windows server machine.
BMC ITSM self service
Administrators know how difficult it is to keep the ITSM application up to date with users joining the organisation. Administrators have to run nightly LDAP queries that consume vast amounts of server resources, often resulting in few changes to the database.
The product now boasts ITSM self service registration facilities for users who do not have an ITSM account. The user is required to enter a few pieces of information (first and last name, an email address and a phone number), and the product
automatically creates an account and provisions access.
BMC ITSM does not offer this functionality and there are no third party tools to achieve anything similar.
Improved BMC ITSM Incident integration
BMC ITSM has no facility to automatically raise an incident when a user can not access the system. This results in an unhelpful user experience for ITSM users, who see login pages or 'access denied' pages when trying to access ITSM with a simple “match SSO user to ITSM user” solution.
SSO Plugin provides functionality to manage user access issues and automatically raise an incident. This functionality has existed for a couple of years and has been extended in this release. The incident field mapping is now fully user customisable, and different mappings can be attached to different types of authentication issue. For example, the incident may need to be routed to one team for Kerberos/NTLM issues, and another team for ITSM group provisioning.
BMC ITSM does not offer this functionality and there are no third party tools to achieve anything similar.
Improved user interface
SSO deployments are not always simple and can be complicated when dealing with built-in Active Directory integration and load balancers.
The product user interface continues to improve and help users avoid misconfiguration, and more improvements are present in this release, ie.
Providing links to online tutorials on how to configure SSO Plugin in various deployments, when the product thinks the configuration may not be correct.
Automatically detecting common mis-configurations with Apache Tomcat and providing links to tutorials on how to correct these issues.
Monitoring the BMC AR System configuration file (ar.cfg) for misconfiguration.
The user's groups (in BMC AR System or HP Service Manager) are listed in the Test SSO page.
Improved Active Directory account creation tool
The product includes a script called set-service-account.cmd which can be used to create a computer account and assign Service Principal Names (SPNs). Given most deployments involve multiple Java web servers behind a load balancer, the script has been improved to generate all of the accounts required for this type of
deployment, ie a computer account for each NTLMv2 configuration, and a shared account for the Kerberos configuration.
Configuration simplification on BMC AR System
Previous releases had configurable Mid Tier and Windows User Tool shared keys. These have now been removed in place of the jss-sso-salt value in the ar.cfg file. This value was always more random and longer than the shared keys.
Native CA SiteMinder and RSA Access Manager (ClearTrust) support
Previous versions of SSO Plugin used an Apache front end to provide the SSO username for CA SiteMinder and RSA Access Manager. Both of these products provide a Java library to process their own SSO tokens, and SSO Plugin now supports both of them.
Previously, the SiteMinder and Access Manager configuration options merely looked for the correct HTTP headers. These configuration options now reveal configuration for both of these products, however they are only enabled if the relevant APIs have been found:
SiteMinder: The smjavaagent.jar file must be present on the classpath, and the Netegrity native libraries must also be configured with the Java web server.
ClearTrust: The ct_runtime_api.jar must be present on the classpath. For installations that will continue to use an Apache front end, the custom header/cookie configuration option can be used to retrieve the SSO username.
Page 5 of 6
http://www.javasystemsolutions.com
Given these two features are new and each SiteMinder/ClearTrust deployment is different in some way, JSS will provide testing/installation support for customers interested in removing the Apache front end and using SSO Plugin's native support.
LDAP authentication
Some organisations need to integrate with a traditional LDAP and whilst this does not provide a ‘seamless’ sign-on, ie open Internet Explorer and access an application without logging in, it does provide a single point of sign on between different
applications, ie BMC/HP ITSM and SAP Business Objects.
This release of SSO Plugin provides an LDAP authentication module that’s easily configurable from the user interface.
Upgrades for existing customers
The release is available at no cost to customers that are enjoying our support
service. Simply download the product and consult the installation manual for upgrade steps, or contact JSS support for assistance.
