Enable External Authentication of Users
This article contains the following topics:
By default, CA Service Catalog uses CA EEM to authenticate users. You can configure CA Service Catalog to authenticate users with external applications such as CA SiteMinder, IBM Tivoli, and others. The process consists of the following tasks:
- Install and implement the external authentication application, according to its documentation.
- Review the following examples and understand how these applications typically send user authentication to CA Service Catalog. If applicable, adjust your settings to match these examples.
  - CA SiteMinder sends user identity information (the authenticated user) with the sm-user artifact name in the request header.
  - IBM Tivoli sends user identity information with the iv_user artifact name in the request header.
  - Microsoft Internet Information Server (IIS) sends user identity information with the request when configured for Windows NTLM.
  - Apache sends user identity information with the request when configured for Windows NTLM.
- Test the configuration on both CA Service Catalog and the external authentication application.
- Verify that CA Service Catalog successfully receives and processes the authenticated users that the external authentication application passes. If necessary, adjust the parameters on both systems as needed.
- Optionally configure Single Sign-On for the authentication method that you are using:
Configure Single Sign-on Using Windows NTLM Authentication
When you use Windows NTLM authentication, you can perform this procedure to enable Single Sign-On for CA Service Catalog. After users log in to the Windows domain, they can access CA Service Catalog without logging in to it.
Follow these steps:
- Verify that you are not planning to use clustering. If you are using clustering, instead of performing this procedure, you set up NTLM authentication for each cluster.
- Verify that your environment meets the following requirements:
  - You are using Windows domain authentication.
  - CA Service Catalog and CA EEM are installed in the same Windows domain.
  - You have configured CA EEM to use Active Directory.
  - You are running a version of HTTP higher than 1.0.
- If you are using Windows Server, perform one of the following tasks to use single sign-on using NTLM:
  - Use HTTP instead of HTTPS.
  - Uninstall the Internet Explorer Enhanced Security Configuration Windows Component.
- If both of the following conditions exist, you cannot use single sign-on using NTLM with HTTPS:
  - The client computer operating system is Windows Server.
  - The Internet Explorer Enhanced Security Configuration Windows Component is installed.
- Perform the following actions:
  - Click Administration, Configuration, Single Sign On Authentication.
  - Locate the Single Sign On Type and click the Modify icon.
  - Select the option NTLM (NT LAN Manager) and click Update Configuration. The dialog closes, and you return to the Single Sign On Authentication page.
- Verify that all affected users can use single sign-on to access CA Service Catalog on this computer.
You have configured NTLM Authentication.
Implement Single Sign-on for One Group of Users and Manual Login for Another Group
In this use case, you want to enable Single Sign-On for one group of users, for example, internal users (Group 1). You also want to force manual login for another group of users, for example, external users such as contractors, vendors, and customers (Group 2).
Follow these steps:
- Verify that you have two CA Service Catalog computers using the same instances of the MDB and CA EEM. This procedure calls the CA Service Catalog computers Server 1 and Server 2.
- Verify the following requirements:
  - Group 1 users log in to Server 1 only.
  - Group 2 users log in to Server 2 only.
- If necessary, notify users in each group of this requirement.
- On Server 2, edit the USM_HOME\webapps\usm\WEB-INF\web.xml file. Comment the following lines:

    <!--
    <filter>
      <filter-name>NtlmAuthFilter</filter-name>
      <filter-class>com.ca.usm.httpfilter.NtlmAuthenticationFilter</filter-class>
      <init-param>
        <param-name>debug</param-name>
        <param-value>false</param-value>
      </init-param>
    </filter>
    -->
    <!--
    <filter-mapping>
      <filter-name>NtlmAuthFilter</filter-name>
      <url-pattern>*.rpc</url-pattern>
    </filter-mapping>
    <filter-mapping>
      <filter-name>NtlmAuthFilter</filter-name>
      <url-pattern>/wpf/*</url-pattern>
    </filter-mapping>
    <filter-mapping>
      <filter-name>NtlmAuthFilter</filter-name>
      <url-pattern>/uslm/*</url-pattern>
    </filter-mapping>
    <filter-mapping>
      <filter-name>NtlmAuthFilter</filter-name>
      <url-pattern>/assure/*</url-pattern>
    </filter-mapping>
    <filter-mapping>
      <filter-name>NtlmAuthFilter</filter-name>
      <url-pattern>/documents/*</url-pattern>
    </filter-mapping>
    <filter-mapping>
      <filter-name>NtlmAuthFilter</filter-name>
      <url-pattern>/FileStore/*</url-pattern>
    </filter-mapping>
    -->

  Commenting these lines deactivates SSO functionality from this CA Service Catalog computer.
- Restart CA Service Catalog.
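
One way to confirm the web.xml edit on Server 2 is complete, shown as an added example that is not part of the CA documentation: the script parses the file the way the servlet container does, so commented-out elements are ignored, and reports any NtlmAuthFilter declaration or mapping that is still active. The function names and the sample document are constructed for illustration; only the filter name, class and URL patterns come from this page.

```python
import xml.etree.ElementTree as ET

FILTER_NAME = "NtlmAuthFilter"  # filter name from the web.xml lines on this page

def _local(tag):
    """Strip an XML namespace such as '{http://...}filter' down to 'filter'."""
    return tag.rsplit("}", 1)[-1]

def _texts(elem, name):
    """Text of every direct child of elem whose local tag name is `name`."""
    return [(c.text or "").strip() for c in elem if _local(c.tag) == name]

def active_ntlm_entries(web_xml_text, filter_name=FILTER_NAME):
    """Return (declared, url_patterns) for filter entries that are still active.

    ElementTree drops XML comments while parsing, so anything wrapped in
    <!-- ... --> is not reported, matching what the servlet container loads.
    """
    declared, patterns = False, []
    for elem in ET.fromstring(web_xml_text):
        if filter_name not in _texts(elem, "filter-name"):
            continue
        if _local(elem.tag) == "filter":
            declared = True
        elif _local(elem.tag) == "filter-mapping":
            patterns.extend(_texts(elem, "url-pattern"))
    return declared, patterns

def sso_status(web_xml_text):
    """'disabled', 'enabled', or 'inconsistent' (only part was commented out)."""
    declared, patterns = active_ntlm_entries(web_xml_text)
    if not declared and not patterns:
        return "disabled"
    return "enabled" if declared and patterns else "inconsistent"

# Constructed sample: the <filter> is commented out but one mapping was missed.
PARTIAL = """<web-app xmlns="http://java.sun.com/xml/ns/javaee">
  <!-- <filter><filter-name>NtlmAuthFilter</filter-name>
       <filter-class>com.ca.usm.httpfilter.NtlmAuthenticationFilter</filter-class></filter> -->
  <!-- <filter-mapping><filter-name>NtlmAuthFilter</filter-name>
       <url-pattern>*.rpc</url-pattern></filter-mapping> -->
  <filter-mapping><filter-name>NtlmAuthFilter</filter-name>
    <url-pattern>/wpf/*</url-pattern></filter-mapping>
</web-app>"""

if __name__ == "__main__":
    print(sso_status(PARTIAL), active_ntlm_entries(PARTIAL))
```

Pass the contents of USM_HOME\webapps\usm\WEB-INF\web.xml from Server 2 to sso_status; any result other than "disabled" means at least one NtlmAuthFilter element is still outside a comment.
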
Configure Single Sign-on Using External Authentication
When you use external authentication, you can perform this procedure to enable Single Sign-On for CA Service Catalog. Users who are set up in your external authentication system can access CA Service Catalog without logging in to it.
Follow these steps:
- Verify that CA Service Catalog and CA EEM are installed in the same Windows domain.
- Log in to CA Service Catalog running on this computer.
- Perform the following actions:
  - Click Administration, Configuration, Single Sign On Authentication.
  - Locate the property Single Sign On Type and click the Modify icon.
  - Select the option Artifact Based Single Sign On and click Update Configuration. The dialog closes, and you return to the Single Sign On Authentication page.
- Verify that all affected users can use single sign-on to access CA Service Catalog on this computer.
You have configured external authentication other than Windows NTLM.