anveshita
Posted: Tue Nov 22, 2005 8:03 pm    Post subject: Suggest appropriate solution for our unique situation
Master
Joined: 27 Sep 2004    Posts: 254    Location: Jambudweepam
This is a bit lengthy post and I appreciate your patience.
I am looking for some suggestions on what is the best way to handle things in our scenario.
1: In our workflow application everyone knows the admin user ID and password and is allowed to access the out-of-box client. They are allowed to transfer work items and do anything. We are just surviving because of the good nature of the users, because they can delete all the work instances and we simply cannot pinpoint a particular person since everyone is allowed to use the common ID.
2: Our workflow applications, say (WF1, WF2, WF3), are already in production and no one is ready to change the system as it is now. I am only allowed to do minor modifications and not much.
Given the situation described in 1 and 2, my idea (you may say utopian concept) is to have a wrapper system such that there will be a single sign-on. Users enter Network user ID and password. Now since I know the ID, I would like to present only the URLs which the users are allowed to access.
Let me give an example... user NTID1 has workflow IDs UID1 and UID2 and also has access to the out-of-box client as admin.
Quote:
NTID1 --->UID1--->URL1--->
----->UID2---->URL2
----->admin-->URL of out box client
1. By clicking on this URL1, user will be signed on to Workflow app WF1. Since I have already validated the user, I am assuming there is a feature in Workflow that allows bypassing of validation of the users. Please let me know if it is possible to bypass Workflow validation of user ID.
2. By clicking on this URL2, user will be signed on to Workflow app WF2.
3. By clicking on this URL of out-of-box client, user will be signed on to out-of-box client as admin.
The advantages I would have by the above system are:
1. I can log the users who are using out-of-box client as admin. Once I know the time of their logon, I can correlate the time to the actions performed.
2. I need not maintain the Workflow passwords anymore. Since I am validating against Network (say Active Directory), I do not have to maintain the user passwords. Here I am assuming there is a feature in Workflow that allows bypassing of validation of the users.
Questions:
1. Has anyone faced a similar situation? Please share.
2. I came across IBM portal server. Is it useful for me to address my situation? Set up a portal and customize the page with links specific to the user. Just an idea. Please share your thoughts.
I appreciate your suggestions.
vennela
Posted: Wed Nov 23, 2005 3:42 am    Post subject:
Jedi Knight
Joined: 11 Aug 2002    Posts: 4055    Location: Hyderabad, India
This is doable but a bit complicated.
What you need to look at is authentication exit that will serve the purpose of third party authentication.
If you have to log the anonymous userid that is using the ADMIN account on the standard client, then you will have to customize the out of the box web client so that authentication exit will be called (modify it to use logon3 or logon4 instead of the regular one).
anveshita
Posted: Wed Nov 23, 2005 6:17 am    Post subject:
Master
Joined: 27 Sep 2004    Posts: 254    Location: Jambudweepam
Thanks Vennela.
All,
Has anyone used portal server? Is there a way this can be implemented using the Portal server? I mean showing the URLs etc. which I have detailed in my post above.
anveshita
Posted: Mon Nov 28, 2005 9:27 am    Post subject:
Master
Joined: 27 Sep 2004    Posts: 254    Location: Jambudweepam
Hmmm... No one has used Portal server for a task as mentioned above?
fidelio
Posted: Tue Nov 29, 2005 8:24 am    Post subject:
Apprentice
Joined: 14 Sep 2005    Posts: 45    Location: AttainBPM
anveshita - I've used the Workflow Portlets before, and it sounds like that might help you. The Workflow Portlets are a Portal-aware implementation of the Web Client, and one of the advantages is that they allow Portal server to handle security. Each user would sign on to workflow once as admin and each time thereafter Portal Server will log them on "under the covers" as that user. However, if that is the only reason you have to use Portal Server, I would stick with the authentication exit. Unless it has changed significantly in the last six months, PS is a serious investment in time and resources. Unless you are planning on developing your whole UI around it, IMO PS is not worth the effort for just WF.
anveshita
Posted: Tue Nov 29, 2005 8:22 pm    Post subject:
Master
Joined: 27 Sep 2004    Posts: 254    Location: Jambudweepam
Thanks fidelio.
Well.. I came to know that we had got the PS license. So I thought why not use it to enhance what I am thinking here. You have mentioned that
Quote:
Each user would sign on to workflow once as admin and each time thereafter Portal Server will log them on "under the covers" as that user.
I am a bit confused with it. Would you mind explaining it? Does that mean all users need to know the ADMIN/Password for the Workflow configuration?
What I would like PS to do for me is to provide some sort of single sign-on.
User will be shown a sign-on screen.
User will enter the Windows network id and password.
PS will display the page customized for each user so that the links to various Workflow applications can be displayed.
User clicks on a link to a Workflow custom application; this opens a new browser window for the Workflow and we make use of the authentication exit of Workflow to sign the user in behind the scenes.
I want to add not only Workflow client links, but also some of our custom web applications.
Does my idea make sense?
Please let me know.
fidelio
Posted: Wed Nov 30, 2005 9:14 am    Post subject:
Apprentice
Joined: 14 Sep 2005    Posts: 45    Location: AttainBPM
PS provides single sign-on for the users, however it's sort of like how a web-browser can remember your login and password. The first time a user attempts to access the WF functionality they will see a logon prompt which PS will record and store in its "security vault". After that, any time the user accesses WF functionality the logon will be handled behind the scenes by PS.
There might be a way to set the uid and password for WF when registering a user to PS, I have not looked into that.
WF actually provides portlets that will work with PS v5 at least, so all user interaction is handled within the same browser. You might want to look at that solution, it is very smooth and has all the advantages of the WebClient - but also many of the restrictions.
If you are writing your own WF interface and aren't planning on using the portlets, you will have to write your own security interface to the PS security vault if you want PS to provide single sign-on. From what I remember of my conversations with the WF portlet developer, that is not a trivial task.
Plus, I'm not sure you can even use the single sign-on capabilities of PS in conjunction with opening the application in a separate browser, because at that point you have left the portal framework.
anveshita
Posted: Wed Nov 30, 2005 7:16 pm    Post subject:
Master
Joined: 27 Sep 2004    Posts: 254    Location: Jambudweepam
Fidelio, Thanks for the input.
We have our custom WF web clients. The only thing I am trying to do is to put a wrapper around the clients. I am trying to see if this wrapper can be built using the PS. Since PS provides the personalization and single sign-on capabilities I thought it could be used. Well, that gives me exposure to PS.
All,
Please share your ideas.
anveshita
Posted: Thu Dec 08, 2005 7:54 pm    Post subject:
Master
Joined: 27 Sep 2004    Posts: 254    Location: Jambudweepam
Please share your ideas....
supreeth
Posted: Fri Dec 09, 2005 4:31 am    Post subject:
Voyager
Joined: 17 May 2005    Posts: 90    Location: London
Hi Anveshita,
We have a working system, which most probably caters to your needs.
Let's go step by step.
Quote:
Given the situation described in 1 and 2, my idea (you may say utopian concept) is to have a wrapper system such that there will be a single sign-on. Users enter Network user ID and password. Now since I know the ID, I would like to present only the URLs which the users are allowed to access.
You talk about presenting URLs to the users. How can the application behind the URL (I assume it to be a servlet for completion's sake) be sure that you have come through the wrapper and not directly by accessing the URL in a browser? This means that there should be some sort of a handshake between the Wrapper you are talking about and the application behind the URL.
A portal comes in handy in such a situation. Since portal totally encodes the URL which you are trying to access, it's virtually impossible to directly access the URL.
Let's split the solution into 2 orientations. First, a portal solution and second a non-portal solution.
1) With Portal:
Using the features of portal can directly solve your problem. All you have to do is to convert the existing servlet into a portlet application and use the portal validation of userid and password. You may also use a third party authentication tool like Tivoli Access Manager. Then, as you know, you can give authorization rights for the URL, based on the logged on user. In order to have SSO also, you may have to write an authentication exit, which can be easily tweaked according to your needs. The Workflow API which you would have used, like logon or logon2, should then be changed to logon3 or logon4.
2) Without Portal:
The wrapper which you are speaking about would do the validation of the user id and password. Then, it would send a secure handshake value object. Let me call it a digitally signed object, to the servlet as a parameter. The servlet should then be tweaked to decrypt that digitally signed object to at least validate that the user has come through the wrapper. Again, an authentication exit has to be written at the workflow server end in order to avoid workflow password validations. So, design the digitally signed value object and write an encryption/decryption algorithm.
BTW, to add onto the features of an authentication exit, it is even possible to map the logged on user to a different user (valid workflow user, meaning this user should be present in the workflow database).
For example: supreeth is not a valid workflow user but anveshita is.
I log in as supreeth. Your wrapper does the password authentication and lets me in. The authentication exit at the workflow server end then takes in the user name (credentials), then maps supreeth to anveshita. When the control goes back to the admin server from the authentication exit, all that admin server does is to check if anveshita is available in the workflow database. If so, it directly allows me (supreeth) to proxy anveshita.
I don't see a need to enable PS SSO, which stores the credentials in the vault. If you want, you can have it so that the user who has logged into portal once need not do it again, any time after he accesses the portlets authorized for him. This is an extra feature which you can provide the user if you are planning to use PS, else it can be avoided. This has nothing to do with the Workflow authentication exit.
Hope this helps!!! Quite a lengthy answer to a lengthy question.
Thanks and Regards,
Supreeth
_________________
Supreeth Gururaj
IBM Certified WMQ Solution Expert
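The wrapper-to-servlet handshake Supreeth describes in 2) (a signed value object the servlet checks so it knows the request came through the wrapper) can be done with an HMAC when both ends share a secret, which is what this added example does; it is not code from the thread, and the shared secret, the NTID/UID access table and the token layout are assumptions. It also covers the two points from the opening post: a link (token) is only issued for an app the user may reach, and use of the admin id is logged against the real network id.

```python
# Added example: HMAC-signed handshake token between an SSO wrapper and a
# workflow client. Secret, access table and token layout are constructed here.
import base64
import hashlib
import hmac
import json
import time

# Assumed shared secret between the wrapper and every workflow client
# (in practice distributed out of band and read from protected configuration).
SHARED_SECRET = b"constructed-demo-secret-change-me"

# Constructed mapping: network id -> {workflow app: workflow user id}.
# The "OOB" entries are the out-of-box client access the thread wants audited.
ACCESS = {
    "NTID1": {"WF1": "UID1", "WF2": "UID2", "OOB": "admin"},
    "NTID2": {"WF2": "UID3"},
}

def _sign(payload: bytes) -> str:
    return hmac.new(SHARED_SECRET, payload, hashlib.sha256).hexdigest()

def issue_token(network_id, app, now=None, ttl=60):
    """Wrapper side: after network (e.g. AD) authentication, mint a short-lived
    token naming the caller, the target app and the mapped workflow user."""
    workflow_user = ACCESS.get(network_id, {}).get(app)
    if workflow_user is None:
        return None  # not authorised for this app: no link and no token
    claims = {"sub": network_id, "app": app, "wf_user": workflow_user,
              "exp": int(now if now is not None else time.time()) + ttl}
    payload = base64.urlsafe_b64encode(json.dumps(claims, sort_keys=True).encode())
    return payload.decode() + "." + _sign(payload)

def verify_token(token, expected_app, now=None, audit=None):
    """Servlet side: accept only a token signed by the wrapper, unexpired and
    addressed to this app. Returns the mapped workflow user id, or None."""
    try:
        payload_b64, sig = token.split(".", 1)
    except (ValueError, AttributeError):
        return None
    payload = payload_b64.encode()
    if not hmac.compare_digest(_sign(payload), sig):  # constant-time compare
        return None
    claims = json.loads(base64.urlsafe_b64decode(payload))
    if claims["app"] != expected_app:  # a WF1 token must not open WF2 or OOB
        return None
    if claims["exp"] < (now if now is not None else time.time()):
        return None
    if audit is not None:  # record who really used the shared admin id
        audit.append(f"{claims['sub']} logged on to {expected_app} as {claims['wf_user']}")
    return claims["wf_user"]
```

The returned workflow user id is what the authentication exit on the workflow server would then accept in place of a password check.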
supreeth
Posted: Mon Dec 12, 2005 8:52 pm    Post subject:
Voyager
Joined: 17 May 2005    Posts: 90    Location: London
Did you try working out the solutions?
Let me know after you are done with it, or with any other better solution.
Thanks and Regards,
Supreeth
_________________
Supreeth Gururaj
IBM Certified WMQ Solution Expert
anveshita
Posted: Tue Dec 13, 2005 8:06 pm    Post subject:
Master
Joined: 27 Sep 2004    Posts: 254    Location: Jambudweepam
Thanks Supreeth,
Quote:
1) With Portal:
Using the features of portal can directly solve your problem. All you have to do is to convert the existing servlet into a portlet application and use the portal validation of userid and password. You may also use a third party authentication tool like Tivoli Access Manager. Then, as you know, you can give authorization rights for the URL, based on the logged on user. In order to have SSO also, you may have to write an authentication exit, which can be easily tweaked according to your needs. The Workflow API which you would have used, like logon or logon2, should then be changed to logon3 or logon4.
I have custom Workflow clients for multiple Workflow systems, say "XYZ" and "ABC". Each custom client extends a "main" servlet and connects to XYZ and ABC etc. Some users have access to XYZ and some have access to ABC. Some have access to both. Now I would like to use the portal server to take the user credentials and show the links to XYZ and/or ABC based on the user ID, after authenticating the user. Now if I understand correctly I need to modify the workflow clients to use the logon3/logon4 method. Now you are mentioning that
Quote:
All you have to do is to convert the existing servlet into a portlet application
Which servlet are you referring to? Could you please elaborate?
Thanks