Enable External Authentication of Users

This article contains the following topics:
By default, CA Service Catalog uses CA EEM to authenticate users. You can configure CA Service Catalog to authenticate users with external applications such as CA SiteMinder, IBM Tivoli, and others. The process consists of the following tasks:
  1. Install and implement the external authentication application, according to its documentation.
  2. Review the following examples and understand how these applications typically send user authentication to CA Service Catalog. If applicable, adjust your settings to match these examples.
    • CA SiteMinder sends user identity information (the authenticated user) in the request header, under the artifact name sm-user.
    • IBM Tivoli sends user identity information in the request header, under the artifact name iv_user.
    • Microsoft Internet Information Server (IIS) sends user identity information with the request when configured for Windows NTLM.
    • Apache sends user identity information with the request when configured for Windows NTLM.
  3. Test the configuration on both CA Service Catalog and the external authentication application.
  4. Verify that CA Service Catalog successfully receives and processes the authenticated users that the external authentication application passes. If necessary, adjust the parameters on both systems.
  5. Optionally configure Single Sign-On for the authentication method that you are using:
Configure Single Sign-on Using Windows NTLM Authentication
When you use Windows NTLM authentication, you can perform this procedure to enable Single Sign-On for CA Service Catalog. After users log in to the Windows domain, they can access CA Service Catalog without logging in to it.
Follow these steps:
  1. Verify that you are not planning to use clustering. If you are using clustering, do not perform this procedure; instead, set up NTLM authentication for each cluster.
  2. Verify that your environment meets the following requirements:
    • You are using Windows domain authentication.
    • CA Service Catalog and CA EEM are installed in the same Windows domain.
    • You have configured CA EEM to use Active Directory.
    • You are running a version of HTTP higher than 1.0.
    • If you are using Windows Server, perform one of the following tasks to use single sign-on using NTLM:
      • Use HTTP instead of HTTPS.
      • Uninstall the Internet Explorer Enhanced Security Configuration Windows Component.
    • If both of the following conditions exist, you cannot use single sign-on using NTLM with HTTPS:
      • The client computer operating system is Windows Server.
      • The Internet Explorer Enhanced Security Configuration Windows Component is installed.
  3. Perform the following actions:
    1. Click Administration, Configuration, Single Sign On Authentication.
    2. Locate the Single Sign On Type and click the Modify icon.
    3. Select the option NTLM (NT LAN Manager) and click Update Configuration.
       The dialog closes, and you return to the Single Sign On Authentication page.
  4. Verify that all affected users can use single sign-on to access CA Service Catalog on this computer.
You have configured NTLM Authentication.
Implement Single Sign-on for One Group of Users and Manual Login for Another Group
In this use case, you want to enable Single Sign-On for one group of users, for example, internal users (Group 1). You also want to force manual login for another group of users, for example, external users such as contractors, vendors, and customers (Group 2).
Follow these steps:
  1. Verify that you have two CA Service Catalog computers using the same instances of the MDB and CA EEM. This procedure calls the CA Service Catalog computers Server 1 and Server 2.
  2. Verify the following requirements:
    • Group 1 users log in to Server 1 only.
    • Group 2 users log in to Server 2 only.
    • If necessary, notify users in each group of this requirement.
  3. On Server 2, edit the USM_HOME\webapps\usm\WEB-INF\web.xml file. Comment out the following lines:
    <!--
    <filter>
      <filter-name>NtlmAuthFilter</filter-name>
      <filter-class>com.ca.usm.httpfilter.NtlmAuthenticationFilter</filter-class>
      <init-param>
        <param-name>debug</param-name>
        <param-value>false</param-value>
      </init-param>
    </filter>
    -->
    <!--
    <filter-mapping>
      <filter-name>NtlmAuthFilter</filter-name>
      <url-pattern>*.rpc</url-pattern>
    </filter-mapping>
    <filter-mapping>
      <filter-name>NtlmAuthFilter</filter-name>
      <url-pattern>/wpf/*</url-pattern>
    </filter-mapping>
    <filter-mapping>
      <filter-name>NtlmAuthFilter</filter-name>
      <url-pattern>/uslm/*</url-pattern>
    </filter-mapping>
    <filter-mapping>
      <filter-name>NtlmAuthFilter</filter-name>
      <url-pattern>/assure/*</url-pattern>
    </filter-mapping>
    <filter-mapping>
      <filter-name>NtlmAuthFilter</filter-name>
      <url-pattern>/documents/*</url-pattern>
    </filter-mapping>
    <filter-mapping>
      <filter-name>NtlmAuthFilter</filter-name>
      <url-pattern>/FileStore/*</url-pattern>
    </filter-mapping>
    -->
    Commenting out these lines deactivates SSO functionality on this CA Service Catalog computer.
  4. Restart CA Service Catalog.
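To confirm that the edit on Server 2 took effect, and that Server 1 still has the filter in place, the active NtlmAuthFilter entries can be read back from web.xml. The following Python check is an added example, not part of the product or its documentation; the sample documents are constructed and trimmed, and the status labels are this example's own.

```python
import xml.etree.ElementTree as ET

FILTER_NAME = "NtlmAuthFilter"  # filter name from the web.xml excerpt in step 3

def _local(tag):
    """Drop an XML namespace prefix: '{http://...}filter' -> 'filter'."""
    return tag.rsplit("}", 1)[-1]

def ntlm_filter_state(web_xml_text, filter_name=FILTER_NAME):
    """Report which entries for filter_name are still active (not commented out)."""
    root = ET.fromstring(web_xml_text)  # the default parser discards XML comments
    defined, patterns = False, []
    for el in root:
        kind = _local(el.tag)
        if kind not in ("filter", "filter-mapping"):
            continue
        fields = {_local(c.tag): (c.text or "").strip() for c in el}
        if fields.get("filter-name") != filter_name:
            continue
        if kind == "filter":
            defined = True
        else:
            patterns.append(fields.get("url-pattern", ""))
    if defined and patterns:
        status = "sso-active"        # expected on Server 1
    elif not defined and not patterns:
        status = "sso-disabled"      # expected on Server 2 after step 3
    else:
        status = "inconsistent"      # only part of the block was commented out
    return {"status": status, "filter_defined": defined, "active_patterns": patterns}

# Constructed samples, trimmed to two of the six URL patterns listed in step 3.
_FILTER = ("<filter><filter-name>NtlmAuthFilter</filter-name><filter-class>"
           "com.ca.usm.httpfilter.NtlmAuthenticationFilter</filter-class></filter>")
_MAPS = "".join(
    "<filter-mapping><filter-name>NtlmAuthFilter</filter-name>"
    f"<url-pattern>{p}</url-pattern></filter-mapping>" for p in ("*.rpc", "/wpf/*"))

SERVER1 = f'<web-app xmlns="http://java.sun.com/xml/ns/javaee">{_FILTER}{_MAPS}</web-app>'
SERVER2 = f"<web-app><!-- {_FILTER} --><!-- {_MAPS} --></web-app>"
PARTIAL = f"<web-app><!-- {_FILTER} -->{_MAPS}</web-app>"

if __name__ == "__main__":
    for name, doc in (("Server 1", SERVER1), ("Server 2", SERVER2), ("partial", PARTIAL)):
        print(name, ntlm_filter_state(doc))
```

On a real server, pass the contents of USM_HOME\webapps\usm\WEB-INF\web.xml to ntlm_filter_state before restarting CA Service Catalog.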
Configure Single Sign-on Using External Authentication
When you use external authentication, you can perform this procedure to enable Single Sign-On for CA Service Catalog. Users who are set up in your external authentication system can access CA Service Catalog without logging in to it.
Follow these steps:
  1. Verify that CA Service Catalog and CA EEM are installed in the same Windows domain.
  2. Log in to CA Service Catalog running on this computer.
  3. Perform the following actions:
    1. Click Administration, Configuration, Single Sign On Authentication.
    2. Locate the property Single Sign On Type and click the Modify icon.
    3. Select the option Artifact Based Single Sign On and click Update Configuration.
       The dialog closes, and you return to the Single Sign On Authentication page.
  4. Verify that all affected users can use single sign-on to access CA Service Catalog on this computer.
You have configured external authentication other than Windows NTLM.
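
With artifact-based single sign-on, the user name comes from the request header that the authentication product sets (sm-user for CA SiteMinder, iv_user for IBM Tivoli, as listed in the examples at the start of this article), so the header is only as trustworthy as the host that delivered it. The following Python code is an added example, not CA Service Catalog code, showing the checks a receiving application can apply before it accepts that header; the function names and the proxy address range are assumptions.

```python
import ipaddress

# Artifact (header) names as given in this article.
ARTIFACTS = {"siteminder": "sm-user", "tivoli": "iv_user"}

class ArtifactRejected(Exception):
    """Raised when the identity header must not be trusted."""

def resolve_user(product, peer_ip, headers, trusted_proxies):
    """Return the user name carried in the artifact header, or raise ArtifactRejected.

    headers: list of (name, value) pairs as received, so duplicates stay visible.
    trusted_proxies: CIDR ranges of the hosts running the authentication agent (assumption).
    """
    artifact = ARTIFACTS[product]
    peer = ipaddress.ip_address(peer_ip)
    if not any(peer in ipaddress.ip_network(net) for net in trusted_proxies):
        # Only the authentication agent may vouch for a user.
        raise ArtifactRejected(f"{artifact} received from untrusted peer {peer_ip}")
    # HTTP header names are case-insensitive.
    values = [v.strip() for n, v in headers if n.lower() == artifact.lower()]
    if len(values) != 1 or not values[0]:
        raise ArtifactRejected(f"expected one non-empty {artifact} header, got {len(values)}")
    return values[0]

PROXIES = ["10.0.5.0/28"]  # constructed address range for the agent hosts

def demo():
    """Run three constructed requests through resolve_user and collect the outcomes."""
    cases = [
        ("siteminder", "10.0.5.3", [("SM-User", "jdoe")]),                # from the agent
        ("siteminder", "192.0.2.44", [("sm-user", "jdoe")]),              # not from the agent
        ("tivoli", "10.0.5.3", [("iv_user", "a"), ("iv_user", "b")]),     # ambiguous header
    ]
    results = []
    for product, peer, hdrs in cases:
        try:
            results.append(resolve_user(product, peer, hdrs, PROXIES))
        except ArtifactRejected:
            results.append("rejected")
    return results

if __name__ == "__main__":
    print(demo())
```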