Security Zones
In some WebFOCUS deployments, it may be useful to support multiple authentication methods in a single environment. For example, you may wish to pre-authenticate end users with a Web Access Management system, but allow administrators to sign in with a user ID and password. In another example, you may need to pre-authenticate employees with Windows Authentication, but present customers with a Sign in page where they can type their LDAP user IDs and passwords.
The WebFOCUS mobile and portal options also have special authentication requirements. To support different authentication methods based on configurable criteria, WebFOCUS uses security zones. Each zone is defined by a configuration file located in the drive:\ibi\WebFOCUS82\config directory in Windows, or in the installdirectory/ibi/WebFOCUS82/config directory in UNIX or Linux.
The following table describes the security zones.
| Zone | Configuration File | Description |
|---|---|---|
| Default zone | securitysettings.xml | By default, supports form-based authentication for any request not processed by one of the other zones. Tip: Configure this zone to use the primary type of authentication used by your user base. |
| Alternate zone | securitysettings-zone.xml | By default, supports form-based authentication for administrators who access WebFOCUS with the web browser installed on the WebFOCUS Client machine. |
| Portlet zone | securitysettings-portlet.xml | Defines the authentication method for WebFOCUS Open Portal Services products, including SharePoint. |
The default zone is always enabled. Configure the primary authentication method here.
Within the default zone you can configure one pre-authentication method in addition to form-based authentication. The ability to configure two methods of authentication in this zone allows you to maintain pre-authentication credentials for users of that zone but require them to specify sign-in credentials using the default Sign in page or a customized Sign in page whenever it is necessary to override their pre-authentication credentials.
For example, if you assign Integrated Windows Authentication (IWA) to the default zone in addition to form-based authentication, you can rely on IWA pre-authentication when users sign in from their own workstation, and impose form-based authentication on them when they sign in from any other workstation.
Users who sign in from a workstation other than their own will be required to present their credentials for each sign-in attempt, overriding the default IWA credentials established for that workstation and helping to ensure that unauthorized individuals using that workstation cannot gain access based on those default credentials. Users who sign in from their own workstation can avoid the requirement to present their User ID and Password at each sign-in attempt, relying on Integrated Windows Authentication instead.
However, if you configure two alternative authentication methods for the default zone, and define a custom sign-out page for the pre-authentication method, that page will override the default sign-out page. When adopting this configuration, be aware that only a single custom sign-out page can be configured.
The alternate zone allows you to set up secondary authentication methods to be used based on user network location. By default, the alternate zone is not enabled. If enabled, it is preconfigured to process requests coming from the network address localhost, or 127.0.0.1 and ::1 (TCP/IPv4 and TCP/IPv6, respectively), which you can change. You can add or remove addresses, such as an administrator workstation address, a reverse proxy, or another machine that is more convenient for Remote Desktop connections.
Addresses in the configuration support wildcards, allowing you to specify a range of IP addresses, in addition to individual addresses. The asterisk (*) matches any number of characters, and the question mark (?) matches a single character, as shown in the following excerpt from a sample securitysettings-zone.xml file.
<property name="filterChainEnabled" value="true"/>
<property name="filterChainPatternEnabled" value="true"/>
<property name="filterChainPatterns">
    <list>
        <value>/**</value>
    </list>
</property>
<property name="filterChainIPAddresseEnabled" value="true"/>
<property name="filterChainIPAddresses">
    <list>
        <value>127.0.0.1</value>
        <value>172.30.240.1</value>
        <value>172.30.???.??1</value>
        <value>172.30.239.*</value>
    </list>
</property>
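To see which client addresses the excerpt above actually admits to the alternate zone, the following added example (not WebFOCUS code; a stand-alone illustration of the wildcard rules the page states) reads the filterChainIPAddresses values from the excerpt and matches candidate client addresses against them. It assumes the excerpt is wrapped in a single root element so that it parses as one XML document, and that `?` must consume exactly one character, so a pattern such as 172.30.???.??1 does not match an address with a one-digit third octet.

```python
import re
import xml.etree.ElementTree as ET

# Constructed sample: the securitysettings-zone.xml excerpt from the page, wrapped in a
# root element so it parses as a single document (the real file has more surrounding markup).
SAMPLE_ZONE_XML = """<beans>
<property name="filterChainEnabled" value="true"/>
<property name="filterChainPatternEnabled" value="true"/>
<property name="filterChainPatterns">
  <list><value>/**</value></list>
</property>
<property name="filterChainIPAddresseEnabled" value="true"/>
<property name="filterChainIPAddresses">
  <list>
    <value>127.0.0.1</value>
    <value>172.30.240.1</value>
    <value>172.30.???.??1</value>
    <value>172.30.239.*</value>
  </list>
</property>
</beans>"""


def load_address_patterns(xml_text):
    """Return the <value> entries under filterChainIPAddresses, or [] when the
    address filter is switched off (filterChainIPAddresseEnabled is not "true")."""
    root = ET.fromstring(xml_text)
    props = {p.get("name"): p for p in root.iter("property")}
    enabled = props.get("filterChainIPAddresseEnabled")
    if enabled is None or enabled.get("value", "").lower() != "true":
        return []
    addr = props.get("filterChainIPAddresses")
    if addr is None:
        return []
    return [v.text.strip() for v in addr.iter("value") if v.text]


def pattern_to_regex(pattern):
    """Translate the page's wildcard syntax: '*' matches any run of characters,
    '?' matches exactly one character; everything else (dots included) is literal.
    The regex is anchored at both ends so '127.0.0.1' cannot match '1127.0.0.1'."""
    parts = [".*" if ch == "*" else "." if ch == "?" else re.escape(ch) for ch in pattern]
    return re.compile("^" + "".join(parts) + "$")


def matches_alternate_zone(client_ip, patterns):
    """True if the client address matches at least one configured pattern."""
    return any(pattern_to_regex(p).match(client_ip) for p in patterns)
```

Because `*` is not confined to one octet, a pattern like 172.30.23* would admit 172.30.230.0 through 172.30.239.255; prefer `?` or an explicit list when you need a precise range.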
When users in the alternate zone must sign in, they are redirected to the WebFOCUS Sign in page with the zone indicator appended to the sign-in URL, for example:
http://localhost/ibi_apps/zone/signin
The mobile and portlet zones are preconfigured to support these optional products and do not generally need to be changed.
Specifying a Sign-out URL by Zone
You can specify a different sign-out URL for each zone. If you do not specify the sign-out URL for a zone, the URL defaults to \signout, which is the default value in the Custom logout target URL setting. However, this setting is not activated for an individual zone unless you select the Enable custom logout target URL check box.
Partially qualified URLs are incomplete URLs that imply a location under the ibi_apps folder. You can assign such a URL to this setting only if public access is enabled. If public access is disabled, partially qualified URLs will not perform as expected, and you must use fully qualified URLs that do not imply a location under the ibi_apps folder in this setting.
In a single sign-on (SSO) environment, signing out of WebFOCUS does not necessarily sign the user out of the authenticated SSO product session, because the authentication credentials remain with the third-party authentication provider. In this case, you may wish to set the sign-out redirect URL to a URL that ends the SSO product session, if one exists. For example, the sign-out URL for WebSEAL may be:
http://webseal.domain.com/pkmslogout
The sign-out URL for Siteminder may be:
http://siteminder.domain.com/logout.html