
Remedy 8 Single Sign On Environment Information

Remedy 8 Single Sign On in the Stanford Environment

The Remedy 8 environment has been modified so that Kerberos principals can be used to log in to the application server, and so that the application server trusts the WebAuth authentication performed at the mid-tier level. This document details the changes made to the system and the workflow that results from those changes.

Basic SSO Authentication Flow

The AREA plugin enables SSO through the following workflow:

  1. If the request comes from a trusted IP address and a username is passed in, that username is verified as valid.  (There is an additional validation string that can be configured as well but is currently not in use.)
  2. The username and password are verified against the Kerberos environment.  If successful, the username is verified as valid.  If not, the plugin method fails.
  3. The username and password are passed to the standard ARS local authentication process for local verification or login failure.
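
A model of the three-step chain above, added here as an illustration; it is not the Stanford AREA plugin or BMC's plugin API. The addresses, users, passwords and function names are constructed, and the Kerberos and ARS checks are in-memory stand-ins.

```python
import hmac
import ipaddress

# Constructed sample values; not Stanford's real hosts, users or secrets.
TRUSTED_MIDTIER = [ipaddress.ip_network("192.0.2.10/32")]
KERBEROS_USERS = {"alice": "krb-pass"}   # stand-in for the Kerberos check
LOCAL_USERS = {"Demo": "local-pass"}     # stand-in for ARS local users


def check(store, user, password):
    """Constant-time password comparison against a constructed user store."""
    expected = store.get(user)
    return expected is not None and hmac.compare_digest(
        expected.encode(), password.encode())


def plugin_auth(client_ip, user, password, auth_string="", confirmation=None):
    """Steps 1 and 2: return the step that accepted the login, or None
    when the plugin method fails."""
    if not user:
        return None
    addr = ipaddress.ip_address(client_ip)
    if any(addr in net for net in TRUSTED_MIDTIER):
        # Step 1: no password is checked here, so the trusted list is the
        # only gate unless a confirmation string is enforced.
        if confirmation is None or hmac.compare_digest(
                auth_string.encode(), confirmation.encode()):
            return "trusted-ip"
        # Assumption: a wrong confirmation string skips step 1 instead of
        # rejecting the login outright; the page does not say which.
    if password and check(KERBEROS_USERS, user, password):
        return "kerberos"  # Step 2
    return None


def authenticate(client_ip, user, password, auth_string="", confirmation=None):
    """Plugin first, then fall through to ARS local authentication (step 3)."""
    step = plugin_auth(client_ip, user, password, auth_string, confirmation)
    if step:
        return step
    return "ars-local" if check(LOCAL_USERS, user, password) else None


if __name__ == "__main__":
    for args in [("192.0.2.10", "alice", ""),
                 ("198.51.100.7", "alice", ""),
                 ("198.51.100.7", "alice", "krb-pass"),
                 ("198.51.100.7", "Demo", "local-pass")]:
        print(args, "->", authenticate(*args))
```

Because step 1 accepts a username with no password, the trusted list should hold only the exact addresses of the mid-tier hosts.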

Changes to the Mid-Tier (web server and Tomcat configuration)

  • Install the StanfordAuth Java class for the StanfordAuth (WebAuth) integration (located at /afs/ir/product/remedy/preRemedy8/SSO/midtier).
  • Change the configuration to use Stanford authentication by editing config.properties (located at /opt/bmc/ARSystem/midtier/WEB-INF/classes):

         < arsystem.authenticator=com.remedy.arsys.session.DefaultAuthenticator
         ---
         > arsystem.authenticator=StanfordAuth

Changes to the Application Server (plugin and authentication configuration)

  • Configure the plugin to allow trusted IPs for the mid-tier box(es). (A server restart is required as part of the install process.)
  • Configure the server so that the plugin is used first and authentication then falls through to basic ARS authentication.

 

Authentication Change Options

  • Could require a defined confirmation string to be passed with user connections from trusted IPs.
  • Could disable Kerberos authentication and rely on just WebAuth authentication OR local authentication. Since the Remedy 8 environment is primarily web-based and passes the identified REMOTE_USER (WEBAUTH_USER) on to the application, authenticating user identities via Kerberos should no longer be required, and it would be more secure not to pass the user/password pairing over the wire. (The Remedy 7 thick client was connecting directly to the application server port.)

 

 
