Clarification on single sign on functionality
Before I go digging too far into this, I'd like to get some feedback on exactly what I should be expecting from Single Sign On (SSO).
I've followed all the steps in the admin guide and the Knowledge base article that is referenced in the admin guide but I'm not sure that things are working as they should.
With all SSO steps completed, and with sign in/out disabled on the permissions settings - sign in tab, the site will load but not as the signed in user. I confirm this by the fact that there are layer permissions for the logged in user that are not being honoured and also by inspecting the hidden login view in the header which says the current user is Guest.
My expectation is that with SSO enabled, the browser would automatically load the site using the current user's credentials without having to either send them to a login page first or enable the sign in/out options on the permissions settings in Manager.
Is this the way it should work (auto load as current user) or does SSO simply mean that if you go to the login page or click 'sign in' that it will reload using your credentials?
On a related note, once you are signed in, if you run a workflow that accesses an AD-secured AGS service, should the current user's credentials be passed automatically with the request? From my testing so far it seems to either not send any credentials or it sends the credentials of the appPool, both of which cause a 401 error from AGS.
Hello Peter,
SSO simply indicates that when you would see a Windows password prompt, if you are already signed in as a user that would be able to access the site after logging into that prompt, you do not need to enter your credentials. It doesn't automatically log you on.
From your post, I'm guessing that your site offers content to both authenticated and unauthenticated users? If that is the case, I think you can still get the login working the way you want. You will need to use a different URL for internal and external users however.
On my test site, I have set the following permissions:
Anonymous access - Guest: Allowed full access to the site
Windows Integrated - All users: Allowed full access to the site
Sign in/Sign out - Disabled
Under this configuration, when I launch the viewer, I do not authenticate, as anonymous access is allowed. Even if some layers are denied to guests, I am still able to authenticate (as the guest user), so it does not try to sign me in with the Windows credentials. However, if I instead go to this URL:
http://dbriggs-ess13/Geocortex/Essentials/4.5.1/REST/security/signin?token_type=fragment&app=http%3a%2f%2fdbriggs-ess13%2fHtml5Viewer261451%2fIndex.html%3fviewer%3dMyNewSite.MyNewViewer&idp_name=AD+AUTHORITY
I will be signed in using my Windows credentials. Naturally, you will need to change that URL to match your site configuration.
Regarding your other question, I think that workflows access URLs and map services with whatever you have configured the credentials to be. By default, I think this is the connected user, but I'm afraid I'm not 100% sure about that. Perhaps one of the other users or Latitude support people will know.
I hope this helps!
Thanks,
Danny
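The sign-in link in the answer above only works if the viewer URL (with its own ?viewer= query) is percent-encoded as a single value of the app parameter; a bare ? or = inside it would be read as part of the outer query string. The following is an added example, not code from the original post or from the Geocortex product, that builds such a link from its parts and parses one back apart so you can check what a hand-edited link actually carries. The host, viewer and version names are taken from the answer's example URL and are assumptions, not a real deployment.

```python
from urllib.parse import urlencode, urlsplit, parse_qs

# Assumed values, modelled on the URL in the answer above (example names only).
ESSENTIALS_BASE = "http://dbriggs-ess13/Geocortex/Essentials/4.5.1"
VIEWER_URL = "http://dbriggs-ess13/Html5Viewer261451/Index.html"


def build_signin_url(essentials_base, viewer_url, viewer, idp_name, token_type="fragment"):
    """Return a REST sign-in URL that authenticates against the named
    security provider (idp_name) and then redirects back to the viewer.

    The viewer URL, including its own ?viewer= query, is carried inside the
    `app` parameter, so it must be percent-encoded as one value.
    """
    app = f"{viewer_url}?{urlencode({'viewer': viewer})}"
    query = urlencode({
        "token_type": token_type,
        "app": app,                # ':', '/', '?', '=' become %xx here
        "idp_name": idp_name,      # a space becomes '+', as in the post
    })
    return f"{essentials_base}/REST/security/signin?{query}"


def parse_signin_url(url):
    """Inverse of build_signin_url: recover token_type, the decoded app URL,
    the viewer name embedded in it, and idp_name. Handy when a link modelled
    after a working one stops working: confirm the app parameter still
    decodes to the viewer you expect and idp_name names an enabled provider.
    """
    parts = urlsplit(url)
    q = parse_qs(parts.query, keep_blank_values=True)
    app = q["app"][0]
    app_q = parse_qs(urlsplit(app).query)
    return {
        "token_type": q["token_type"][0],
        "app": app,
        "viewer": app_q.get("viewer", [None])[0],
        "idp_name": q["idp_name"][0],
    }


if __name__ == "__main__":
    link = build_signin_url(ESSENTIALS_BASE, VIEWER_URL, "MyNewSite.MyNewViewer", "AD AUTHORITY")
    print(link)
    print(parse_signin_url(link))
```

Note that Python emits uppercase hex escapes (%3A) while the posted link uses lowercase (%3a); both decode identically, so compare links case-insensitively or compare the parsed result rather than the raw string.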
Hi Danny,
Does that URL configuration still work with the latest versions (GE4.6/HTML5 2.7)? When I use the links I have been using before, modeled after the one you gave above, I now get the error "The current security policy for Geocortex Essentials does not allow any suitable sign in methods for this request." Do I need to change my links with the new automated short URLs for this to work?
Thanks,
Melissa
Hi Melissa,
Yes, those links should still work. Based on the error you are seeing, it sounds like the security provider may be disabled. Check your Security and Data tab in Manager, and make sure that your security providers are enabled.
If they are, you may want to try loading the site from Manager and logging in using the landing page to make sure that still works. If it doesn't, that will tell you that the issue is with the security provider, and not the URL.
I hope that helps! Please let me know if you run into any issues.
Thanks,
Danny