This page (revision-32) was last changed on 26-Nov-2021 10:22 by Kevin Higgs

This page was created on 26-Nov-2021 10:22 by jmyers

Version management

Difference between version and

At line 1 removed one line
[{TableOfContents }]
At line 4 changed 2 lines
!!Overview
This feature was created to allow LDAP compliant security services such as Microsoft Active Directory to be the password control for the Self-Service users when logging in.
Table of Contents
OVERVIEW 4
LDAP/AD AUTHENTICATION 5
FEATURES 5
SETUP 5
LOGIN FLOW 5
FORGOTTEN PASSWORDS 6
Overview
Intent
The purpose of this white paper is to inform Users how the LDAP compliant security servers such as Microsoft Active Directory will be used as the password control for Self-Service users.
Audience
This white paper is intended for those users with knowledge of the ePersonality & Self-Service systems.
Prerequisites
Users of this white paper should be familiar with the Windows operating system user interface and be able to navigate the standard Windows objects. The ability to use a mouse effectively is also a requirement.
At line 7 removed 2 lines
!!Features
This provides integration with LDAP servers such as Microsoft Active Directory for login authentication to the Self-Service interfaces, allowing users to log in to the application with their network login user ID and password. At the same time, the user’s personal data is protected from being viewed by others when the user is away from their PC, or in situations where multiple employees share one PC.
At line 10 removed one line
While the majority of users are on the client’s network utilizing Active Directory, there are several departments on their own networks as well as other groups of users, such as retirees, who do not have Active Directory accounts on the client’s network. For users with Active Directory accounts, password management (issuing/resetting) needs to be performed through the client’s Help Desk. For users without Active Directory accounts, password management will be handled through the application’s existing password management functionality.
At line 12 removed one line
Users with Active Directory accounts will use their network login user ID and password for authenticating whether accessing the applications from their work PC (already logged into the client’s network) or when accessing the applications from off-site locations (from PC’s not already logged into the client’s network).
At line 14 removed one line
The Candidate Self Service will not use Active Directory validation.
At line 16 removed 7 lines
In order to use Active Directory, records must exist on the following tables:
*P2K_HR_IDENTITIES
*P2K_HR_PERSONALS
*P2K_HR_EMPLOYMENTS
*P2K_HR_ASSIGNMENTS
*P2K_HR_ASSIGNMENT_DETAILS
*P2K_RE_CANDIDATES - If a candidate code is not found, the process will attempt to insert a new candidate record automatically when a user attempts to login.
At line 24 removed one line
SSL over LDAP - LDAPS is now supported: The application can now authenticate users against servers using the LDAPS protocol.
At line 26 removed 2 lines
!!Setup
There are preferences on the [IMST] that must be set up in order for this to be activated in the Self-Service system.
At line 29 removed 6 lines
IMST - Preferences:
*[SS LOGIN TYPE|SS LOGIN TYPE(System_Preference)] - Must be set to “ACCESS”
*[LDAP AUTH ON|LDAP AUTH ON(System_Preference)] - ‘Y’ or ‘N’ to enable or disable, respectively, LDAP authentication. Defaulted to ‘N’.
*[LDAP ENCRYPTION|LDAP ENCRYPTION(System_Preference)] – Hash algorithm used to encrypt passwords on the LDAP server. Defaulted to ‘DIGEST-MD5’. This is currently the only supported value and does not need to be set up.
*[LDAP FACTORY|LDAP FACTORY(System Preference)|LDAP FACTORY(System_Preference)] - Site Preference that can now be configured by the client.
*[LDAP_UNAME_LCASE|LDAP_UNAME_LCASE(System Preference)|LDAP_UNAME_LCASE(System_Preference)] - Used to determine whether user names must be converted to all lower case before they are sent to the LDAP server.
At line 36 removed 2 lines
IMLN - Set up Lexicon X_LDAP_DOMAINS entries:
If you only have one domain, you just need to create one entry. If you have an LDAP forest or multiple forests, you need to create an entry for each domain, and the user selects the domain they are to be validated against. The Displayed field is what is shown to the user, and the Meaning field must contain the domain name (you cannot use an IP address). The Saved Value can be anything but cannot be duplicated within the Lexicon.
At line 39 removed 4 lines
As an example, at HLC, our Active Directory hostname is ‘valasca.highlinecorp.com’ so we might set up the Lexicon with:
* Saved Value: 02
* Displayed: High Line Corp.
* Meaning: valasca.highlinecorp.com
At line 44 removed one line
The accessor information (access key & password) must be established for each Identity record([IEID]). The password can be cleared out ONLY if the LDAP AUTH ON site preference is set to 'Y'.
At line 46 removed one line
To enable the feature SSL over LDAP / LDAPS, open the IMLN screen, navigate to the 'X_LDAP_DOMAINS' record, and add the text ‘ldaps://’ to the start of any server URL (Lexicon Value 'Meaning') that is configured to use LDAPS. For example, if the LDAP server at 'valasca.highlinecorp.com' is configured to use LDAPS, the Lexicon Value Meaning should be set to 'ldaps://valasca.highlinecorp.com'. If the LDAP server is not configured for SSL (i.e. just the ldap protocol), then adding a prefix to the URL is not necessary and not recommended: in this example 'valasca.highlinecorp.com' is sufficient.
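The rules above (a bare host name means plain LDAP, an ‘ldaps://’ prefix means LDAP over SSL/TLS, IP addresses and duplicate Saved Values are not allowed) can be checked at setup time instead of being discovered at a user's first login. The following is an added example, not ePersonality or Highline code; the function names, the port mapping to 389/636 from the firewall section, and the sample lexicon rows are constructed for illustration.

```python
"""Turn an X_LDAP_DOMAINS lexicon 'Meaning' into the provider URL a
Self-Service login would bind to, applying the setup rules.

Added example; not part of the product. SAMPLE_LEXICON rows are constructed.
"""
import ipaddress
from urllib.parse import urlsplit

LDAP_PORT = 389    # plain LDAP; the firewall must allow it to the LDAP server
LDAPS_PORT = 636   # LDAP over SSL/TLS

# Constructed sample lexicon entries: (Saved Value, Displayed, Meaning)
SAMPLE_LEXICON = [
    ("01", "Plain LDAP domain", "ldap.example.test"),
    ("02", "High Line Corp.", "ldaps://valasca.highlinecorp.com"),
    ("03", "Bad entry (IP address)", "192.0.2.10"),
    ("04", "Bad entry (unknown scheme)", "http://ldap.example.test"),
]


def lexicon_to_provider_url(meaning):
    """Return (provider_url, port, uses_tls) for one lexicon Meaning value.

    bare host name         -> ldap://host:389  (no TLS)
    'ldaps://' + host name -> ldaps://host:636 (TLS)
    An IP address, any other scheme, or a path after the host is rejected,
    because the notes require a domain name and only the ldaps:// prefix.
    """
    value = meaning.strip()
    if "://" in value:
        parts = urlsplit(value)
        scheme, host, port = parts.scheme.lower(), parts.hostname, parts.port
        if scheme != "ldaps":
            raise ValueError("only the ldaps:// prefix is supported, got %r" % scheme)
        if parts.path or parts.query or parts.fragment:
            raise ValueError("Meaning must be 'ldaps://host' with nothing after the host")
    else:
        scheme, host, port = "ldap", value, None
    if not host:
        raise ValueError("Meaning contains no host name")
    try:
        ipaddress.ip_address(host)
    except ValueError:
        pass  # not an IP literal, which is what we want
    else:
        raise ValueError("Meaning must be a host name, not an IP address")
    uses_tls = scheme == "ldaps"
    if port is None:
        port = LDAPS_PORT if uses_tls else LDAP_PORT
    return "%s://%s:%d" % (scheme, host, port), port, uses_tls


def validate_lexicon(rows):
    """Check every X_LDAP_DOMAINS row: unique Saved Values and valid Meanings.

    Returns (ok, bad): ok maps Saved Value -> provider URL for valid rows,
    bad is a list of (Saved Value, reason) for rows that would break login.
    """
    ok, bad, seen = {}, [], set()
    for saved, _displayed, meaning in rows:
        if saved in seen:
            bad.append((saved, "duplicate Saved Value"))
            continue
        seen.add(saved)
        try:
            ok[saved] = lexicon_to_provider_url(meaning)[0]
        except ValueError as exc:
            bad.append((saved, str(exc)))
    return ok, bad


if __name__ == "__main__":
    good, problems = validate_lexicon(SAMPLE_LEXICON)
    for saved, url in good.items():
        print("OK  %s -> %s" % (saved, url))
    for saved, reason in problems:
        print("BAD %s: %s" % (saved, reason))
```

Running it over the constructed rows reports entries 01 and 02 as valid and flags 03 (IP address) and 04 (http scheme), which is the kind of misconfiguration that otherwise only shows up as a failed login for every user of that domain.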
At line 48 removed 9 lines
Site preference LDAP_UNAME_LCASE can be used to indicate whether a username should be converted to lower case before the credentials are sent to the LDAP server for authentication. If this value is not added to Site Preferences, or its value is 'N', then usernames are passed to the LDAP server exactly as they are entered by the user. The default value for this preference is 'No'.
!!LOGIN Flow
When the user selects the Self Service interface, the application will display the appropriate login page:
*The user must enter the ‘Access Key’
*The Password field will be displayed empty and will be entered by the user.
*When the user clicks “Continue” the application will verify the Access Key against the Accessor records for the Identities table (IEID) and if it exists, then it will authenticate both the user name and password against Active Directory.
**If Active Directory authentication passes, continue with logging in of user into application.
**If Active Directory authentication fails, before displaying a failed login message, authenticate using standard Personality methods. IF the password is NULL in Personality the user is ONLY allowed to log in via the Active Directory authentication.
At line 58 removed 2 lines
!!Forgotten Passwords
For the Employee/Manager Self Service interface, clients have the ability to add header/footer pages to the Forgotten Password page so as to be able to indicate the steps the user should take when the user is a member of the client’s Active Directory. This is done in the [IMMS] for message “SS_CHG_PW_EN_10”.
At line 61 removed one line
If the Access Key is entered and found to currently have a NULL password, a new password should not be generated and the user should be given a message back to indicate they are “externally authenticated” and need to contact their system administration.
At line 63 removed 3 lines
Ex: Server is set to authenticate the user against external LDAP server. User sees this screen after clicking on ‘Forgot Password?’ link.
\\ \\
[LDAP_AD_AUTHENTICATION_01.JPG]
At line 67 removed 18 lines
!!Firewall Configuration
Since the LDAP authentication is performed by the WebLogic Server, it must be able to communicate with the LDAP server through the standard ports. There are 2 ports used for LDAP communication: port 389 for LDAP, and 636 for LDAPS using SSL/TLS encryption.\\
\\
!!LDAP Trouble Shooting
Since the LDAP authentication is handled by a limited number of Java classes, tracing can be turned on with the TraceModes.xml file. Adding the following lines, forcing a reload of the file from IMST and setting tracing to 'Finest' can help with troubleshooting:\\
*<traceRule className="com.highlinecorp.schema.UserContext"/>
*<traceRule className="com.highlinecorp.view.common.legacy.WebUserContext"/>
*<traceRule className="com.highlinecorp.business.am.Accessors"/>\\
\\
LDAPS presents additional difficulties with authentication. Since LDAPS connects to the remote server over an SSL connection, it must first successfully complete the SSL handshake with the server. If the server is using a self-signed certificate, the certificate will need to be added to Java's 'cacerts' file. Without this, the SSL handshake with the server will fail every time.\\
\\
If the server certificate is a domain-wide or wildcard certificate, the SSL options within the managed server will need to be altered. The default host name verification handler does not support wildcard certificates. Oracle provides an alternate handler that will need to be configured as outlined in the WebLogic Server documentation: [Configuring the Wildcarded Host Name Verifier|https://docs.oracle.com/middleware/1213/wls/SECMG/hostname_verifier.htm#SECMG574]\\
\\
Java provides additional options for tracing SSL authentication issues; add the following options to the Server Startup Arguments:\\
* -Djavax.net.debug=ssl
* -Dssl.debug=true
* -Dweblogic.StdoutDebugEnabled=true
* -Dweblogic.security.SSL.verbose=true
At line 86 changed one line
----
LDAP/AD Authentication
This feature was created to allow LDAP compliant security services such as Microsoft Active Directory to be the password control for the Self-Service users when logging in.
Features
The clients desire integration with LDAP servers such as Microsoft Active Directory for login authentication to the Self-Service interfaces, allowing users to log in to the application with their network login user ID and password, while also protecting the user’s personal data from being viewed by others when the user is away from their PC, or in situations where multiple employees share one PC.
While the majority of users are on the client’s network utilizing Active Directory, there are several departments on their own networks as well as other groups of users, such as retirees, who do not have Active Directory accounts on the client’s network. For users with Active Directory accounts, password management (issuing/resetting) needs to be performed through the client’s Help Desk. For users without Active Directory accounts, password management will be handled through the application’s existing password management functionalities.
Users with Active Directory accounts will use their network login user ID and password for authenticating whether accessing the applications from their work PC (already logged into the client’s network) or when accessing the applications from off-site locations (from PC’s not already logged into the client’s network).
The Candidate Self Service will not use Active Directory validation.
At line 88 changed 2 lines
![Notes|Edit:Internal.LDAP_AD_AUTHENTICATION]
[{InsertPage page='Internal.LDAP_AD_AUTHENTICATION' default='Click to create a new notes page'}]
Setup
There are Preferences on the IMST that must be set up in order for this to be activated in the Self-Service system.
IMST - Preferences:
* SS LOGIN TYPE – must be set to “ACCESSOR”
* LDAP AUTH ON – ‘Y’ or ‘N’ to enable or disable, respectively, LDAP authentication. Defaulted to ‘N’.
* LDAP HOST – hostname for the external LDAP server. As an example, at HLC, our Active Directory hostname is ‘valasca.highlinecorp.com’. Defaulted to ‘’.
* LDAP ENCRYPTION – Hash algorithm used to encrypt passwords on the LDAP server. Defaulted to ‘DIGEST-MD5’.
The Accessor information (Access Key & Password) must be established for each Identity table (IEID). The password can be cleared out ONLY if the LDAP AUTH ON site preference is set to Y.
LOGIN Flow
When the user selects the Self-Service interface, the application will display the appropriate login page:
* The user must enter the ‘Access Key’
* The “PIN” field will be displayed empty and the PIN will be entered by the user.
* When the user clicks “Continue” the application will verify the Access Key against the Accessor records for the Identities table (IEID) and, if it exists, then it will authenticate both the user name and password against Active Directory.
** If Active Directory authentication passes, continue with logging the user in to the application.
** If Active Directory authentication fails, before displaying a failed login message, authenticate using standard ePersonality methods. IF the password is NULL in ePersonality, the User is ONLY allowed to log in via the Active Directory authentication.
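The login flow described in both versions of this section (directory bind first, fall back to the ePersonality password, and a NULL ePersonality password means directory-only), together with the LDAP_UNAME_LCASE preference from the Setup section and the "externally authenticated" rule from Forgotten Passwords, is shown below as decision logic. This is an added example, not ePersonality code: the Accessor records, the directory bind and the local password store are simulated in memory with constructed sample data, and the example assumes the Access Key is also the directory user name.

```python
"""Self-Service login decision flow: LDAP/AD first, ePersonality password
second, NULL password = externally authenticated only.

Added example; not product code. All records below are constructed.
"""
import hashlib
import hmac
from enum import Enum
from typing import Dict, Optional, NamedTuple


class Outcome(Enum):
    OK_DIRECTORY = "authenticated by LDAP/AD"
    OK_LOCAL = "authenticated by ePersonality password"
    FAIL = "login failed"


class Accessor(NamedTuple):
    access_key: str                 # entered on the login page (assumed == AD user name)
    domain_url: str                 # from the X_LDAP_DOMAINS lexicon Meaning
    salt: bytes
    local_pw_hash: Optional[bytes]  # None models a NULL ePersonality password


def hash_password(password, salt):
    """Salted PBKDF2 stand-in for however the product stores local passwords."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, 50_000)


def build_accessors():
    """Constructed IEID accessor records keyed by Access Key."""
    s1, s2 = b"constructed-salt-1", b"constructed-salt-2"
    return {
        # AD account: NULL local password, so only the directory may authenticate it
        "JDoe": Accessor("JDoe", "ldaps://valasca.highlinecorp.com:636", s1, None),
        # retiree without an AD account: local ePersonality password only
        "retiree7": Accessor("retiree7", "ldaps://valasca.highlinecorp.com:636", s2,
                             hash_password("correct horse", s2)),
    }


# Constructed stand-in for the directory: it stores user names in lower case,
# which is exactly the situation LDAP_UNAME_LCASE exists for.
DIRECTORY = {"jdoe": "Winter2021!"}


def directory_bind(url, username, password):
    """Stand-in for an LDAP simple bind against `url`; never reached with an
    empty password (see login), since many servers treat that as an anonymous
    bind that 'succeeds'."""
    return DIRECTORY.get(username) == password


def login(access_key, password, accessors, bind=directory_bind, uname_lcase=False):
    """Return an Outcome following the documented flow."""
    rec = accessors.get(access_key)
    if rec is None or not password:
        return Outcome.FAIL                    # unknown Access Key or empty password
    username = access_key.lower() if uname_lcase else access_key
    if bind(rec.domain_url, username, password):
        return Outcome.OK_DIRECTORY            # Active Directory passed
    if rec.local_pw_hash is None:
        return Outcome.FAIL                    # NULL password: AD-only, no local fallback
    if hmac.compare_digest(hash_password(password, rec.salt), rec.local_pw_hash):
        return Outcome.OK_LOCAL                # standard ePersonality authentication
    return Outcome.FAIL


def forgot_password(access_key, accessors):
    """Forgotten Password rule: never generate a new password for a NULL one.
    Returns (generate_new_password, message_to_user)."""
    rec = accessors.get(access_key)
    if rec is None:
        return False, "Access Key not found"
    if rec.local_pw_hash is None:
        return False, ("You are externally authenticated; contact your system "
                       "administration to reset your network password")
    return True, "A new password has been generated"


if __name__ == "__main__":
    acc = build_accessors()
    print(login("JDoe", "Winter2021!", acc).value)                    # login failed
    print(login("JDoe", "Winter2021!", acc, uname_lcase=True).value)  # authenticated by LDAP/AD
    print(login("retiree7", "correct horse", acc).value)              # authenticated by ePersonality password
    print(forgot_password("JDoe", acc)[1])
```

The first two printed lines show why LDAP_UNAME_LCASE matters: with the preference off, "JDoe" is sent as typed, the directory lookup misses, and because the local password is NULL there is no fallback, so the login fails. The empty-password check is worth keeping in any real implementation of this flow regardless of the directory product in use.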
Forgotten Passwords
For the Employee/Manager Self-Service interface, clients have the ability to add header/footer pages to the Forgotten Password page so as to be able to indicate the steps the user should take when the user is a member of the client’s Active Directory. This is done in the IMMS for Message “SS_CHG_PW_EN_10”.
If the Access Key is entered and found to currently have a NULL password a new password should not be generated and the user should be given a message back to indicate they are “externally authenticated” and need to contact their system administration.
Ex: Server is set to authenticate user against external LDAP server. User sees this screen after clicking on ‘Forgot Password?’ link.