EngageOne® Compose Single Sign-on configuration

  • 1.  EngageOne® Compose Single Sign-on configuration

    Pitney Bowes
    Posted 20 days ago
      |   view attached
    It is possible to work with EngageOne® Compose using Windows domain account. In this case a user doesn't have to login to EngageOne® Compose, but credentials provided during Windows login process are used instead. To make it possible the whole environment should be properly configured. Below you can find a short guide describing how to do this. The more detailed instructions can be found in the attached recording.

    Steps to configure SSO for EngageOne® Compose:

    1. Configure DNS on a domain controller.
      1. The Domain controller has to be able to resolve all addresses used in EngageOne® Compose configuration such as DB, Active Drive, mail server etc. and to itself if it is configured in any external domain (i.e. pbeo.net).
      2. Add both forward and reverse lookup records for EngageOne® Compose server with the security bundle or the load balancer if it is used, to DNS configuration in the domain controller.
    2. Create an account in Active Directory for Kerberos principal.
      1. In „Other password options" check „Password never expires"
      2. In „Encryption options" choose „Other encryption options" then check „This account supports Kerberos AES 256 bit encryption"
    3. Create keytab file.
      1. Use the following command:
        ktpass.exe -out ppSSOWin004.keytab -pass +rndPass -maxPass 256 -mapuser ppSSOWin004 -princ HTTP/ppSSOWin004-eoApp.pbeo.net@EO.REMOTE -ptype KRB5_NT_PRINCIPAL -kvno 0 -crypto AES256-SHA1
        out - output path for kerberos file
        mapuser – user we have created in point 2
        princ – the Kerberos principal name, starts with „HTTP/" followed by EngageOne® Compose server or load balancer name, then „@" and domain name uppercase
      2. Copy the generated keytab file to EOS server or the shared path.
    4. Enable the user created in point 2.
    5. Configure DNS on EngageOne® Compose server.
      DNS on EngageOne® Compose server should be able to resolve the reverse lookup to itself, there should be the proper PTR record in DNS.
    6. Install Java Cryptography Extension (only neccessary when EngageOne® Compose is installed on Linux).
      1. Download JCE from http://www.oracle.com/technetwork/java/javase/downloads/jce8-download-2133166.html
      2. Unpack the downloaded file and then copy it to $JAVA_HOME/lib/security
    7. Configure EngageOne® Compose (deploy.properties).
      1. Set security.sso.kerberos.principal.name property to value provided as principal in ktpass (case sensitive!) i.e.:
      2. Set security.sso.kerberos.keytab.path property to path to keytab file generated by ktpass i.e.:
      3. Set security.sso.kerberos.server property to value of „Targeting domain controller" from ktpass output i.e.:
      4. Reconfigure EngageOne Server.
    8. Configure Internet Explorer on the workstation
      In Internet Options:
      - check if „Enable Integrated Windows Authentication" in „Advanced" tab is selected
      - check if „Automatic logon only in Intranet zone" in „Security" tab -> „Custom level" is selected
      - add URL to EngageOne® Compose to „Local Intranet" zone („Sites" button)
      IE configuration should be done for each user who uses the workstation.

    Piotr Pasko