Security Zones

In some WebFOCUS deployments, it may be useful to support multiple authentication methods in a single environment. For example, you may wish to pre-authenticate end users with a Web Access Management system, but allow administrators to sign in to WebFOCUS with a user ID and password. In another example, you may need to pre-authenticate employees with Windows Authentication, but present customers with a sign-in page where they can type their LDAP user IDs and passwords.

The WebFOCUS mobile and portal options also have special authentication requirements. To support different authentication methods based on configurable criteria, WebFOCUS uses security zones. Each zone is defined by a configuration file located in the drive:/ibi/WebFOCUS82/config directory.

The following table describes the security zones.

Zone: Default zone
Configuration file: securitysettings.xml
Description: By default, supports form-based authentication for any request not processed by one of the other zones.
Tip: Configure this zone to use the primary type of authentication used by your user base.

Zone: Alternate zone
Configuration file: securitysettings-zone.xml
Description: By default, supports form-based authentication for administrators who access WebFOCUS with the web browser installed on the WebFOCUS client machine.

Zone: Mobile zone
Configuration file: securitysettings-mobile.xml
Description: Defines the authentication method for WebFOCUS mobile products, including Mobile Favorites.

Zone: Portlet zone
Configuration file: securitysettings-portlet.xml
Description: Defines the authentication method for WebFOCUS Open Portal Services products, including SharePoint.

The default zone is always enabled. Configure the primary authentication method here.

Within the default zone you can configure one pre-authentication method in addition to form-based authentication. Configuring two methods in this zone lets users of the zone keep their pre-authentication credentials, while still requiring them to enter sign-in credentials on the default sign-in page, or a customized sign-in page, whenever those pre-authentication credentials must be overridden.

For example, if you assign Integrated Windows Authentication (IWA) to the default zone in addition to form-based authentication, you can rely on IWA pre-authentication when users sign in to WebFOCUS from their own workstation, and impose form-based authentication on them when they sign in from any other workstation.

Users who sign in to WebFOCUS from a workstation other than their own must present their credentials on each sign-in attempt. This overrides the IWA credentials established for that workstation and helps ensure that an unauthorized individual using that workstation cannot gain access to WebFOCUS on the strength of those credentials. Users who sign in from their own workstation can rely on Integrated Windows Authentication instead and avoid presenting a user ID and password at each sign-in attempt.

However, if you configure two authentication methods for the default zone and define a custom sign-out page for the pre-authentication method, that page overrides the default sign-out page. Be aware that only a single custom sign-out page can be configured for the zone.

The alternate zone allows you to set up secondary authentication methods to be used based on user network location. By default, the alternate zone is not enabled. If enabled, it is preconfigured to process requests coming from the network address localhost, or 127.0.0.1 and ::1 (TCP/IPv4 and TCP/IPv6, respectively), which you can change. You can add or remove addresses, such as an administrator workstation address, a reverse proxy, or another machine that is more convenient for Remote Desktop connections.

WebFOCUS supports wildcards in the configured addresses, allowing you to specify a range of IP addresses, in addition to individual addresses. The asterisk (*) matches any number of characters, and the question mark (?) matches a single character, as shown in the following excerpt from a sample securitysettings-zone.xml file.

    <property name="filterChainEnabled" value="true"/>
    <property name="filterChainPatternEnabled" value="true"/>
    <property name="filterChainPatterns">
        <list>
            <value>/**</value>
        </list>
    </property>
    <property name="filterChainIPAddresseEnabled" value="true"/>
    <property name="filterChainIPAddresses">
        <list>
            <value>127.0.0.1</value>
            <value>172.30.240.1</value>
            <value>172.30.???.??1</value>
            <value>172.30.239.*</value>
        </list>
    </property>

Tip: The WebFOCUS audit log file records the TCP/IP address associated with each user session. This information can be useful in troubleshooting configuration issues with a security zone.
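Because the wildcards operate on the dotted-decimal text of the address rather than on a network mask, it is easy to write a pattern that matches less (or more) than intended; for instance, "172.30.???.??1" requires a three-digit third octet and a three-digit last octet ending in 1, so 172.30.240.1 is covered only by its exact entry. The following added example (not part of WebFOCUS or of this page) reimplements the documented matching rules so that an address taken from the audit log can be checked against a constructed copy of the list above. The exact matcher WebFOCUS uses internally is not documented here; the translation of * and ? is an assumption based on the description given.

```python
import re
from typing import Iterable, List

# Constructed copy of the filterChainIPAddresses values from the excerpt above.
ZONE_IP_PATTERNS: List[str] = [
    "127.0.0.1",
    "172.30.240.1",
    "172.30.???.??1",
    "172.30.239.*",
]


def pattern_to_regex(pattern: str) -> "re.Pattern[str]":
    """Translate a zone address pattern into an anchored regular expression.

    Assumed semantics, taken from the page: '*' matches any number of
    characters (including none) and '?' matches exactly one character.
    Every other character, including the dots, is matched literally.
    """
    parts = []
    for ch in pattern:
        if ch == "*":
            parts.append(".*")
        elif ch == "?":
            parts.append(".")
        else:
            parts.append(re.escape(ch))
    return re.compile("^" + "".join(parts) + "$")


def matching_patterns(address: str,
                      patterns: Iterable[str] = ZONE_IP_PATTERNS) -> List[str]:
    """Return every pattern in the list that the given address satisfies."""
    return [p for p in patterns if pattern_to_regex(p).match(address)]


def in_zone(address: str, patterns: Iterable[str] = ZONE_IP_PATTERNS) -> bool:
    """True if the address would be routed to this zone by the list."""
    return bool(matching_patterns(address, patterns))


if __name__ == "__main__":
    # Constructed sample addresses, as they might appear in the audit log.
    for addr in ["172.30.239.17", "172.30.240.1", "172.30.240.101",
                 "172.30.24.101", "172.30.239.201", "::1"]:
        print(f"{addr:16} -> {matching_patterns(addr) or 'not in zone'}")
```

Note that "::1" does not satisfy any entry in this particular list, so an administrator whose browser reaches the server over the IPv6 loopback would be handled by the default zone unless the address is added explicitly.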

When a request from the alternate zone requires form-based authentication, WebFOCUS redirects the user to the sign-in page with the zone indicator appended to the sign-in URL, for example:

http://localhost/ibi_apps/zone/signin

The WebFOCUS mobile and portlet zones are preconfigured to support these optional WebFOCUS products and do not generally need to be changed.

Specifying a Sign-out URL by Zone

You can specify a different sign-out URL for each zone. If you do not specify a sign-out URL for a zone, it defaults to /signout, the default value of the Custom logout target URL setting. This setting is not activated for an individual zone, however, unless you also select the Enable custom logout target URL check box.

Partially-qualified URLs are incomplete URLs that imply a location under the ibi_apps folder. You can assign such a URL to this setting only if public access is enabled. If public access is disabled, partially-qualified URLs will not perform as expected and you must use fully-qualified URLs that do not imply a location under the ibi_apps folder in this setting.

In a single sign-on (SSO) environment, signing out of WebFOCUS does not necessarily sign the user out, because the authentication session remains with the third-party authentication provider. In this case, you may wish to set the sign-out redirect URL to a URL that ends the SSO product session, if one exists. For example, the sign-out URL for WebSEAL may be:

http://webseal.domain.com/pkmslogout

The sign-out URL for Siteminder may be:

http://siteminder.domain.com/logout.html
