Wiki source code of Single sign-on NTLM

Last modified by Aurelie Bertrand on 2026/01/12 16:46

{{ddtoc/}}

----

This document describes how to enable the Waffle valve in DigDash Enterprise to activate Integrated Windows Authentication (NTLM, Negotiate).

This add-on is located in the **<DDE install>/add-ons/singlesignon/Waffle** folder.

The Waffle libraries shipped with this add-on are version 2.3.0 (see the list of JAR files below).

This document describes each folder and file to be modified to activate this valve.
= Tomcat configuration =

(((
== lib folder ==

The path to this folder is as follows:

* under Linux: **/usr/share/tomcat9/lib/**
* under Windows: **C:\Program Files\Apache Software Foundation\Tomcat 9.0\lib**
)))

__Uninstalling the previous version of Waffle:__

If you are updating DigDash, an older version of Waffle may already be deployed on your Tomcat. You must first remove that version from the **lib** folder (path indicated above) **before** installing the new one: two versions of the same library on the Tomcat class path make it unpredictable which one is loaded.

Refer to the Waffle Deployment Guide for your previous version of DigDash Enterprise for the list of Waffle library files to remove.

Add the Waffle JAR libraries and the **log4j.properties** file from the **<DDE install>/add-ons/singlesignon/Waffle/Tomcat9** folder to the **lib** folder (path shown above):

* caffeine-2.8.4.jar
* guava-19.0.jar
* jna-5.6.0.jar
* jna-platform-5.6.0.jar
* slf4j-api-1.7.21.jar
* slf4j-log4j12-1.7.21.jar
* log4j-1.2.15.jar
* waffle-jna-2.3.0.jar
* waffle-tomcat9-2.3.0.jar
* waffle_digdash_extension_tomcat9.jar
* log4j.properties

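Before copying the new libraries, it helps to confirm that no older Waffle libraries remain in the **lib** folder. The following Python script is an added example, not part of DigDash or Waffle: it groups the JAR files of a lib folder by library family (assuming the name-version.jar naming used in the list above) and reports families present in more than one version, as well as files from the list above that are still missing. The listing it runs on is constructed for the example.

```python
"""Added example (not DigDash or Waffle code): pre-flight check of a Tomcat
lib folder before deploying the Waffle add-on.

- duplicate_libs(): library families present in more than one version,
  e.g. a stale waffle-jna-1.8.1.jar left next to waffle-jna-2.3.0.jar,
  which this page says must be removed first.
- missing_files(): files from the list on this page that are not in lib yet.
Assumption: libraries follow the "name-version.jar" naming shown on the page.
"""
import os
import re
from collections import defaultdict

# The files this page says to copy from add-ons/singlesignon/Waffle/Tomcat9.
REQUIRED = [
    "caffeine-2.8.4.jar", "guava-19.0.jar", "jna-5.6.0.jar",
    "jna-platform-5.6.0.jar", "slf4j-api-1.7.21.jar",
    "slf4j-log4j12-1.7.21.jar", "log4j-1.2.15.jar", "waffle-jna-2.3.0.jar",
    "waffle-tomcat9-2.3.0.jar", "waffle_digdash_extension_tomcat9.jar",
    "log4j.properties",
]

# Trailing "-<digit...>" version suffix, e.g. "-5.6.0" in "jna-platform-5.6.0".
VERSION_SUFFIX = re.compile(r"-[0-9][0-9A-Za-z.]*$")


def family(jar_name: str) -> str:
    """'jna-platform-5.6.0.jar' -> 'jna-platform'; unversioned names stay as they are."""
    base = jar_name[:-4] if jar_name.endswith(".jar") else jar_name
    return VERSION_SUFFIX.sub("", base)


def duplicate_libs(names) -> dict:
    """Map family -> sorted jar names, for families present in more than one version."""
    groups = defaultdict(list)
    for name in names:
        if name.endswith(".jar"):
            groups[family(name)].append(name)
    return {fam: sorted(jars) for fam, jars in groups.items() if len(jars) > 1}


def missing_files(names) -> list:
    """Required files (from the list on this page) that are not present in `names`."""
    present = set(names)
    return [f for f in REQUIRED if f not in present]


def check_lib_dir(path: str) -> dict:
    """Run both checks on a real lib folder."""
    names = os.listdir(path)
    return {"duplicates": duplicate_libs(names), "missing": missing_files(names)}


# Constructed listing: the new libraries are in place, but two old jars remain.
SAMPLE_LISTING = REQUIRED + ["jna-5.5.0.jar", "waffle-jna-1.8.1.jar", "catalina.jar"]

if __name__ == "__main__":
    print(duplicate_libs(SAMPLE_LISTING))
    # {'jna': ['jna-5.5.0.jar', 'jna-5.6.0.jar'],
    #  'waffle-jna': ['waffle-jna-1.8.1.jar', 'waffle-jna-2.3.0.jar']}
    print(missing_files(SAMPLE_LISTING))  # []
```

Run `check_lib_dir("/usr/share/tomcat9/lib")` (or the Windows path above) on the real folder; every family it reports under "duplicates" should be reduced to the single version listed on this page before Tomcat is restarted.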
== Context.xml file ==

This file is located in the following directory:

* under Linux: **/etc/tomcat9/**
* under Windows: **C:\Program Files\Apache Software Foundation\Tomcat 9.0\conf**

Uncomment or add the following XML for the security valve:

{{code language="XML" cssClass="notranslate"}}
<Valve className="waffle.apache.SharedNegotiateAuthenticator"
       principalFormat="fqn"
       roleFormat="both"
       sharedPasswd="SecretPwdToChange"
       allowAddr="localhost,127.0.0.*">
</Valve>
{{/code}}

(% class="box" %)
(((
To uncomment, remove the **<!~-~-** and **~-~->** sequences surrounding the XML code.
)))

You must change the shared password (**sharedPasswd**) and not leave the **SecretPwdToChange** placeholder in place. This password must be identical to the one specified when configuring the Dashboard and Studio.

You can also list the addresses of authorised remote hosts (**allowAddr**) so that other applications (digdash_dashboard) can connect to the DigDash Enterprise server. In the **allowAddr** attribute, add at least the IP address of your server, and list only the hosts that actually need access.

It is also possible to give regular expressions for the paths whose resources are allowed through the valve without Windows authentication (**excludedPaths**); requests to those paths fall back to the DigDash LDAP authentication mode. For example, the expression **"/.*"** matches every path.

(% id="Hapache-tomcat2Fconf2Fweb.xml" %)
== web.xml file ==

This file is located in the following directory:

* under Linux: **/etc/tomcat9/**
* under Windows: **C:\Program Files\Apache Software Foundation\Tomcat 9.0\conf**

Uncomment or add the following XML for the security constraint:

{{code cssClass="notranslate" language="XML"}}
<security-role>
    <role-name>Tout le monde</role-name> <!-- See below for more information -->
</security-role>
<security-constraint>
    <display-name>Waffle Security Constraint</display-name>
    <web-resource-collection>
        <web-resource-name>Protected Area</web-resource-name>
        <url-pattern>digdash_dashboard*</url-pattern> <!-- Put here the URL of the webapp to which
        Waffle applies, or use /* to restrict everything -->
    </web-resource-collection>
    <auth-constraint>
        <role-name>Tout le monde</role-name>
    </auth-constraint>
</security-constraint>
<security-constraint>
    <display-name>vjdbc Security Constraint</display-name>
    <web-resource-collection>
        <web-resource-name>UnProtected Area</web-resource-name>
        <url-pattern>/vjdbc/*</url-pattern>
    </web-resource-collection>
    <!-- No auth-constraint: /vjdbc/* is reachable without Windows authentication -->
</security-constraint>
{{/code}}

To find the role to use for the Waffle constraint (**role-name**):

* Open the Waffle log file **C:/Temp/dd-waffle.log**.
* Find the line logged from **SharedNegotiateAuthenticator.java:441**, which lists the roles of the authenticated user.
* Choose the role to use from those listed (the choice is up to the customer).

(% class="box warningmessage" %)
(((
The security role name (**role-name**) MUST correspond to the real role you have in your AD (localised). Example: **BUILTIN\Users**
)))

If you are not sure of the role name, you can enable debugging information for Waffle using the **log4j.properties** file supplied with the JAR files.

Simply place it in the **lib** folder:

* under Linux: **/usr/share/tomcat9/lib/**
* under Windows: **C:\Program Files\Apache Software Foundation\Tomcat 9.0\lib**

= Configuring DigDash applications =

(% class="wikigeneratedid" id="Hdigdash.properties" %)
All DigDash Enterprise applications are configured via a single file: **digdash.properties**

The use of this file is described here: [[Externalization of parameters in a //properties// file>>doc:Digdash.deployment.configuration.advanced_system_guide.WebHome||anchor="externalisation"]]

In all that follows, the default application names are used. If you have renamed certain WAR files, you will need to modify the **digdash.properties** keys accordingly.

== Server (ddenterpriseapi.war) ==

Look for the definition of the **authMethod** parameter and change its value to **NTUser** or **NTUserOrLDAP**:

{{code language="properties" cssClass="notranslate"}}
ddenterpriseapi.authMethod=NTUser
{{/code}}

//Note://

The **NTUserOrLDAP** mode authenticates users on the DigDash server via Integrated Windows Authentication, with a fallback to the DigDash LDAP if that fails.

For example, an NT domain user automatically passes the Waffle valve with his Windows credentials, but if he does not exist in the DigDash LDAP he is offered a login screen to authenticate with a DigDash login. With **NTUser** there is no such fallback.

In this mode, an additional **loginForm** parameter in certain URLs ensures that the DigDash login screen is always displayed. The Windows credentials are then used only to pass the Waffle valve. A typical use case is to allow a Windows user to log in as "admin" on the DigDash configuration pages.

== Dashboard (digdash_dashboard.war) ==

Find the definition of the **digdash_dashboard.sharedPasswd** parameter.
Uncomment the line by deleting the **#** character at the beginning of the line.

Change the password value (all applications using this parameter must use the same value).

{{code language="properties" cssClass="notranslate"}}
digdash_dashboard.sharedPasswd=SecretPwdToChange
{{/code}}

(% class="box warningmessage" %)
(((
The password specified must be identical to the one you put in the Tomcat **context.xml** file (**<DDE install>/apache-tomcat/conf/context.xml**, or the path given above).
)))


(% class="wikigeneratedid" id="HParamE8tresrecommandE9spourleloginautomatiquedutableaudebord" %)
__Recommended settings for automatic dashboard login__:

It is recommended that you configure the following settings when deploying in Integrated Windows Authentication (Waffle) mode.

Specify (and force) the DigDash Enterprise domain:

{{code language="properties" cssClass="notranslate"}}
digdash_dashboard.DOMAIN=ddenterpriseapi
digdash_dashboard.FORCEDOMAIN=true
{{/code}}

Specify (and force) the server URL of the DigDash Enterprise domain.
Use the //localhost// address if the ddenterpriseapi web application is installed on the same Tomcat as the digdash_dashboard web application.
Adapt the port if necessary:

{{code language="properties" cssClass="notranslate"}}
digdash_dashboard.SERVERURL=http://localhost:8080
digdash_dashboard.FORCESERVERURL=true
{{/code}}

Specify a logout URL so that the user can log out of DigDash Enterprise and, for example, return to an Intranet page:

{{code language="properties" cssClass="notranslate"}}
digdash_dashboard.urlLogout=/adminconsole
{{/code}}


(% class="box warningmessage" %)
(((
By default, logging out of the dashboard returns to the dashboard login page, which does not exist in the SSO context.
It is therefore important to specify a return URL for logout.
)))

See the documentation [[Advanced system settings>>doc:Digdash.deployment.configuration.advanced_system_guide.WebHome]] for more details on these settings.

== Studio (studio.war) ==

Look for the definition of the **authMethod** parameter.
Uncomment the line by deleting the **#** character at the beginning of the line.

{{code language="properties" cssClass="notranslate"}}
studio.authMethod=NTUserOrLDAP
{{/code}}

Look for the definition of the **studio.sharedPasswd** parameter.
Uncomment the line by deleting the **#** character at the beginning of the line.
Change the password value (all applications using this same parameter must use the same value).

{{code language="properties" cssClass="notranslate"}}
studio.sharedPasswd=SecretPwdToChange
{{/code}}

(% class="box warningmessage" %)
(((
The password specified must be identical to the one you put in the Tomcat **context.xml** file (**<DDE install>/apache-tomcat/conf/context.xml**, or the path given above).
)))

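The shared password must agree between the Waffle valve in Tomcat's context.xml (see the Context.xml section above) and the Dashboard and Studio entries in **digdash.properties**, and the valve must list the server in **allowAddr**. The following Python script is an added example, not part of DigDash or Waffle, that checks these points offline on constructed sample inputs. It assumes that **allowAddr** entries can be compared as shell-style wildcards; the sample files, the server address 10.0.0.5 and the function names are the example's own.

```python
"""Added example (not DigDash or Waffle code): cross-check the settings this
page says must agree between Tomcat's context.xml and digdash.properties.

Findings reported:
  - the Waffle valve is absent (typically still commented out);
  - sharedPasswd left at the SecretPwdToChange placeholder, or empty;
  - an application whose sharedPasswd differs from the valve's;
  - digdash_dashboard or studio without a sharedPasswd line (still commented);
  - ddenterpriseapi.authMethod that is neither NTUser nor NTUserOrLDAP;
  - a server address that no allowAddr entry covers.
The sample inputs at the bottom are constructed for this example.
"""
import xml.etree.ElementTree as ET
from fnmatch import fnmatch

VALVE_CLASS = "waffle.apache.SharedNegotiateAuthenticator"
PLACEHOLDER = "SecretPwdToChange"
APPS_NEEDING_PASSWD = ("digdash_dashboard", "studio")
VALID_AUTH_METHODS = ("NTUser", "NTUserOrLDAP")


def load_valve(context_xml: str) -> dict:
    """Attributes of the Waffle valve, or {} if no such <Valve> is active.
    A valve wrapped in <!-- --> is a comment to the parser, so it is not found."""
    root = ET.fromstring(context_xml)
    for valve in root.iter("Valve"):
        if valve.get("className") == VALVE_CLASS:
            return dict(valve.attrib)
    return {}


def load_properties(text: str) -> dict:
    """Minimal Java-properties reader: key=value lines, '#'/'!' comments, no escapes."""
    props = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#!":
            continue
        key, sep, value = line.partition("=")
        if sep:
            props[key.strip()] = value.strip()
    return props


def check_sso_config(context_xml: str, properties: str, server_addr: str) -> list:
    """Return human-readable findings; an empty list means the files agree."""
    valve = load_valve(context_xml)
    if not valve:
        return ["context.xml: Waffle valve not found (still commented out?)"]
    findings = []
    valve_pwd = valve.get("sharedPasswd", "")
    if valve_pwd in ("", PLACEHOLDER):
        findings.append("context.xml: sharedPasswd is empty or still the placeholder")
    props = load_properties(properties)
    for key, value in props.items():
        app, _, name = key.rpartition(".")
        if name == "sharedPasswd" and value != valve_pwd:
            findings.append(f"{app}: sharedPasswd differs from context.xml")
    for app in APPS_NEEDING_PASSWD:
        if f"{app}.sharedPasswd" not in props:
            findings.append(f"{app}: sharedPasswd missing (line still commented out?)")
    auth = props.get("ddenterpriseapi.authMethod")
    if auth not in VALID_AUTH_METHODS:
        findings.append(f"ddenterpriseapi.authMethod={auth!r}: expected NTUser or NTUserOrLDAP")
    # ASSUMPTION: allowAddr entries are matched here as shell-style wildcards
    # ("127.0.0.*"); confirm the matching rule against the Waffle version you deploy.
    allowed = [a.strip() for a in valve.get("allowAddr", "").split(",") if a.strip()]
    if not any(fnmatch(server_addr, pattern) for pattern in allowed):
        findings.append(f"context.xml: allowAddr does not cover {server_addr}")
    return findings


# Constructed sample: valve uncommented but password left at the placeholder,
# studio.sharedPasswd still commented out, server IP not in allowAddr.
CONTEXT_XML = """<Context>
  <Valve className="waffle.apache.SharedNegotiateAuthenticator"
         principalFormat="fqn" roleFormat="both"
         sharedPasswd="SecretPwdToChange"
         allowAddr="localhost,127.0.0.*">
  </Valve>
</Context>"""

PROPERTIES = """# constructed digdash.properties excerpt
ddenterpriseapi.authMethod=NTUser
digdash_dashboard.sharedPasswd=SecretPwdToChange
#studio.sharedPasswd=SecretPwdToChange
studio.authMethod=NTUserOrLDAP
"""

if __name__ == "__main__":
    for finding in check_sso_config(CONTEXT_XML, PROPERTIES, "10.0.0.5"):
        print(finding)
```

On the sample above the script reports the placeholder password, the missing **studio.sharedPasswd** line and the uncovered server address; once the same non-default password is set in all three places and the server IP is added to **allowAddr**, it reports nothing.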

__Recommended settings for automatic Studio login__:

It is recommended that you configure the following settings when deploying in Integrated Windows Authentication (Waffle) mode.

Specify (and force) the DigDash Enterprise domain:

{{code language="properties" cssClass="notranslate"}}
studio.FORCEDOMAIN=true
studio.DOMAIN=ddenterpriseapi
{{/code}}

Specify (and force) the server URL of the DigDash Enterprise domain.
Use the **//localhost//** address if the **ddenterpriseapi** web application is installed on the same Tomcat as the **studio** application.
Adapt the port if necessary:

{{code language="properties" cssClass="notranslate"}}
studio.FORCESERVERURL=true
studio.SERVERURL=http://localhost:8080
{{/code}}

Specify a logout URL so that the user can log out of DigDash Enterprise and, for example, return to an Intranet page:

{{code language="properties" cssClass="notranslate"}}
studio.urlLogout=/adminconsole
{{/code}}

By default, logging out of the Studio returns to the Studio login page, which does not exist in the SSO context.
It is therefore important to specify a return URL for logout.