The flow for single sign-on is as follows:
-
A user attempts to log onto HxGN EAM from a browser.
-
HxGN EAM detects that external logons are enabled (the LGNEAM install parameter is set to ‘EXTERN’).
-
HxGN EAM retrieves the URL of the SSO server from the logonURL property in the sso configuration file and redirects the browser to this URL.The URL that should be used in returning the user to HxGN EAM is passed to the SSO server on the query string.
-
The SSO server authenticates the user by some means, typically by prompting the user for a logon id and password.
-
If the user is authenticated successfully, the SSO server will redirect the browser back to HxGN EAM. The SSO server may include any parameters it deems necessary on the query string.
-
HxGN EAM creates an instance of the authentication handler class specified in the authenticationHandler property of the sso configuration file. All query string parameters passed from the SSO server to HxGN EAM will be passed to the handler
-
The authentication handler decides whether the user should be allowed to log in based on the query string parameters. The authentication handler may choose to contact the SSO server to validate the parameters passed on the query string.
-
If the authentication handler determines that the logon should proceed, it returns the HxGN EAM userid to the system.
-
The usual HxGN EAM logon process is followed, except that the user’s password will not be checked against the HxGN EAM database.
If all logon requirements are satisfied but a record for the user does not exist in the HxGN EAM database, the following occurs:
-
If a securityHandler class is defined in the sso configuration file, the handler class will be invoked.
The purpose of the securityHandler is to map a userID/tenant/product to an HxGN EAM role name.
-
If a securityHandler class is defined and it returns a role that exists in the HxGN EAM database, a new user record will be created based on that role. In all other cases, the logon attempt will fail.