Single sign-on NTLM

Last modified by Aurelie Bertrand on 2026/01/12 16:46


This document describes how to connect the Waffle valve in DigDash Enterprise to activate Windows Integrated Security (NTLM...).

This add-on is located in the <DDE install>/add-ons/singlesignon/Waffle folder.

The current version of Waffle is 1.8.1.

This document describes each folder and file to be modified to activate this valve.

Tomcat configuration

lib folder

The path to this folder is as follows:

  • under Linux: /usr/share/tomcat9/lib/
  • under Windows: C:\Program Files\Apache Software Foundation\Tomcat 9.0\lib

Uninstalling the previous version of Waffle:

If you are updating DigDash, it is possible that an older version of Waffle has been deployed on your Tomcat. You must first remove this version from the lib folder (path indicated above) before installing the new version.

Please refer to the Waffle Deployment Guide for your previous version of DigDash Enterprise for a list of Waffle library files to remove.

Add the Waffle JAR libraries from the <DDE install>/add-ons/singlesignon/Waffle/Tomcat9 folder to the lib folder (path shown above):

  • caffeine-2.8.4.jar
  • guava-19.0.jar
  • jna-5.6.0.jar
  • jna-platform-5.6.0.jar
  • slf4j-api-1.7.21.jar
  • slf4j-log4j12-1.7.21.jar
  • log4j-1.2.15.jar
  • waffle-jna-2.3.0.jar
  • waffle-tomcat9-2.3.0.jar
  • waffle_digdash_extension_tomcat9.jar
  • log4j.properties

Context.xml file

This file is located in the following directory:

  • under Linux: /etc/tomcat9/
  • under Windows: C:\Program Files\Apache Software Foundation\Tomcat 9.0\conf

Uncomment or add the following XML for the security valve:

<Valve className="waffle.apache.SharedNegotiateAuthenticator"
       principalFormat="fqn"
       roleFormat="both"
       sharedPasswd="SecretPwdToChange"
       allowAddr="localhost,127.0.0.*">
</Valve>

To uncomment, remove the <!-- and --> sequences surrounding the XML code.

You need to change the shared password (sharedPasswd). This password must be identical to the one specified when configuring the Dashboard and Studio.

You can also add the addresses of authorised remote hosts (allowAddr) to allow other applications (digdash_dashboard) to connect to the DigDash Enterprise server. The allowAddr attribute must contain at least the IP address of your server.

It is also possible to add regular expressions (excludedPaths) for the paths whose resources are allowed to pass through the valve, thus falling back to LDAP authentication mode for those paths. For example: "/.*"

web.xml file

This file is located in the following directory:

  • under Linux: /etc/tomcat9/
  • under Windows: C:\Program Files\Apache Software Foundation\Tomcat 9.0\conf

Uncomment or add the following XML for the security constraint:

<security-role>
  <role-name>Tout le monde</role-name><!-- See below for more information -->
</security-role>
<security-constraint>
  <display-name>Waffle Security Constraint</display-name>
  <web-resource-collection>
     <web-resource-name>Protected Area</web-resource-name>
     <url-pattern>digdash_dashboard*</url-pattern> <!-- Put here the URL of the webapp to which
      Waffle will apply, or use /* to restrict everything -->
  </web-resource-collection>
  <auth-constraint>
     <role-name>Tout le monde</role-name>
  </auth-constraint>
</security-constraint>
<security-constraint>
  <display-name>vjdbc Security Constraint</display-name>
  <web-resource-collection>
     <web-resource-name>UnProtected Area</web-resource-name>
     <url-pattern>/vjdbc/*</url-pattern>
  </web-resource-collection>
</security-constraint>

To find the role to use for the Waffle constraint (role-name):

  • Open the Waffle log located in the file C:/Temp/dd-waffle.log.
  • Find the line tagged SharedNegotiateAuthenticator.java:441; the roles of the authenticated user are listed there.
  • Select the role to use from those available (the customer's choice).

The "security role" name (role-name) MUST correspond to the real (localised) role you have in your AD. Example: BUILTIN\Users

If you are not sure of the role name, you can enable debugging information for Waffle using the log4j.properties file supplied with the JAR files.

Simply place it in the lib folder:

  • under Linux: /usr/share/tomcat9/lib/
  • under Windows: C:\Program Files\Apache Software Foundation\Tomcat 9.0\lib

Configuring DigDash applications

All DigDash Enterprise applications are configured via a single file: digdash.properties

The use of this file is described here: Externalization of parameters in a properties file

In all that follows, the default application names will be used. If you have renamed certain war files you will need to modify the digdash.properties file accordingly.

Server (ddenterpriseapi.war)

Look for the definition of the authMethod parameter and change its value to NTUser or NTUserOrLDAP:

ddenterpriseapi.authMethod=NTUser

Note:

The "NTUserOrLDAP" mode allows authentication on the DigDash server via Integrated Windows Security, with an option to authenticate via DigDash LDAP in case of failure.

For example, an NT domain user will automatically be able to pass the Waffle valve with his Windows authenticator, but if he does not exist in the DigDash LDAP, he will be offered a login screen to authenticate himself with a DigDash login.

In this mode, an additional "loginForm" parameter in certain URLs ensures that the DigDash login screen is always displayed. In this way, the Windows authenticator is only used to pass the Waffle valve. A typical use case is to allow a Windows user to log in as "admin" on DigDash configuration pages.

Dashboard (digdash_dashboard.war)

Find the definition of the digdash_dashboard.sharedPasswd parameter.
Uncomment the line by deleting the # character at the beginning of the line.

Change the password value (all applications using this parameter must use the same value).

digdash_dashboard.sharedPasswd=SecretPwdToChange

The password specified must be identical to the one you put in the <DDE install>/apache-tomcat/conf/context.xml file.

Recommended settings for automatic dashboard login:

It is recommended that you configure the following settings when deploying in Integrated Windows Security (Waffle) mode.

Specify (and force) the DigDash Enterprise domain:

digdash_dashboard.DOMAIN=ddenterpriseapi
digdash_dashboard.FORCEDOMAIN=true

Specify (and force) the server URL of the DigDash Enterprise domain.
Use the localhost address if the ddenterpriseapi web application is installed on the same Tomcat as the digdash_dashboard web application.
Adapt the port if necessary:

digdash_dashboard.SERVERURL=http://localhost:8080
digdash_dashboard.FORCESERVERURL=true

Specify a logout URL so that the user can log out of DigDash Enterprise and, for example, return to an Intranet page:

digdash_dashboard.urlLogout=/adminconsole

By default, logging out of the dashboard returns to the dashboard login page. This page does not exist in the SSO context.
It is important to specify a return URL in the event of disconnection.

See the documentation Advanced system settings for more details on these settings.

Studio (studio.war)

Look for the definition of the authMethod parameter.
Uncomment the line by deleting the # character at the beginning of the line.

studio.authMethod=NTUserOrLDAP

Look for the definition of the studio.sharedPasswd parameter.
Uncomment the line by deleting the # character at the beginning of the line.
Change the password value (all applications using this same parameter must use the same value).

studio.sharedPasswd=SecretPwdToChange

The password specified must be identical to the one you put in the <DDE install>/apache-tomcat/conf/context.xml file.
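An added consistency check for the requirements stated above (the sharedPasswd of the valve in context.xml must match digdash_dashboard.sharedPasswd and studio.sharedPasswd, must no longer be the default, allowAddr must list the server address, and ddenterpriseapi.authMethod must be NTUser or NTUserOrLDAP). This is example code, not DigDash's own tooling; the sample files and the server address 10.0.0.5 are constructed here from the fragments on this page, and the allowAddr check is an exact-entry match only.

```python
import xml.etree.ElementTree as ET

VALVE_CLASS = "waffle.apache.SharedNegotiateAuthenticator"
DEFAULT_PWD = "SecretPwdToChange"  # placeholder value shown on this page
ALLOWED_AUTH = {"NTUser", "NTUserOrLDAP"}  # valid server authMethod values

def parse_properties(text):
    """Minimal Java .properties reader: skip blank/'#' lines, split on first '='."""
    props = {}
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#"):
            key, _, value = line.partition("=")
            props[key.strip()] = value.strip()
    return props

def find_valve(context_xml):
    """Attribute dict of the SharedNegotiateAuthenticator Valve, or None."""
    for valve in ET.fromstring(context_xml).iter("Valve"):
        if valve.get("className") == VALVE_CLASS:
            return valve.attrib
    return None

def check_sso_config(context_xml, properties_text, server_ip):
    """Return a list of findings; an empty list means the files are consistent."""
    valve = find_valve(context_xml)
    if valve is None:
        return ["no SharedNegotiateAuthenticator <Valve> found in context.xml"]
    findings = []
    shared = valve.get("sharedPasswd", "")
    if shared in ("", DEFAULT_PWD):
        findings.append("context.xml sharedPasswd is empty or still the default")
    # exact-entry check only; the pattern semantics of allowAddr are not modelled
    if server_ip not in valve.get("allowAddr", "").split(","):
        findings.append(f"allowAddr does not list the server address {server_ip}")
    props = parse_properties(properties_text)
    if props.get("ddenterpriseapi.authMethod") not in ALLOWED_AUTH:
        findings.append("ddenterpriseapi.authMethod is not NTUser or NTUserOrLDAP")
    for key in ("digdash_dashboard.sharedPasswd", "studio.sharedPasswd"):
        if key not in props:
            findings.append(f"{key} is missing or still commented out")
        elif props[key] != shared:
            findings.append(f"{key} does not match context.xml sharedPasswd")
    return findings

# Constructed sample inputs mirroring this page (Studio line still commented out)
SAMPLE_CONTEXT = """<Context><Valve className="waffle.apache.SharedNegotiateAuthenticator"
  principalFormat="fqn" roleFormat="both" sharedPasswd="SecretPwdToChange"
  allowAddr="localhost,127.0.0.*"></Valve></Context>"""
SAMPLE_PROPS = "ddenterpriseapi.authMethod=NTUser\ndigdash_dashboard.sharedPasswd=SecretPwdToChange\n#studio.sharedPasswd=SecretPwdToChange\n"
```

Running check_sso_config(SAMPLE_CONTEXT, SAMPLE_PROPS, "10.0.0.5") on the sample reports the default password, the missing server address and the commented-out Studio password; read the real files from the paths given above to check a deployment.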

Recommended settings for automatic Studio login:

It is recommended that you configure the following settings when deploying in Integrated Windows Security (Waffle) mode.

Specify (and force) the DigDash Enterprise domain:

studio.FORCEDOMAIN=true
studio.DOMAIN=ddenterpriseapi

Specify (and force) the server URL of the DigDash Enterprise domain.
Use the localhost address if the ddenterpriseapi web application is installed on the same Tomcat as the studio application.
Adapt the port if necessary:

studio.FORCESERVERURL=true
studio.SERVERURL=http://localhost:8080

Specify a logout URL so that the user can log out of DigDash Enterprise and, for example, return to an Intranet page:

studio.urlLogout=/adminconsole

By default, logging out of the Studio returns to the Studio login page. This page does not exist in the SSO context.
It is important to specify a return URL in the event of disconnection.