Comment: added documentation for nmis-omk sso


Introduction

...

Re-enabling is also possible from the command line: simply remove the file /usr/local/nmis8/var/nmis_system/auth_failures/<accountname>.json.

NMIS Single Sign On

...

NMIS 8.5 and newer support Single Sign On

...

for NMIS installations spanning a whole organisation (or subdomain).
In version 8.6.3G we've added support for Single Sign On between NMIS and Opmantek applications, either for a single installation or spanning an organisation.

Configuring SSO: NMIS to Opmantek Applications (8.6.3G and newer)

SSO between NMIS and OMK Applications on one system

To configure NMIS to share authentication cookies with Opmantek Applications, it is necessary that you

  • first change the configuration item auth_cookie_flavour from the default "nmis" to "omk",
  • then change the configuration item auth_web_key to the same value as the OMK application's first omkd_secrets configuration.

Both the Cookie Type (or flavour) and Authentication Secret (or key) settings can be changed using the Basic Setup dialog, or the NMIS Configuration dialog (they're in section "authentication").
To gather the Opmantek application secret, you can either open /usr/local/omk/conf/opCommon.nmis with an editor (look for omkd_secrets), or you can ask the patch_config tool for the value of that setting, as in the following example:

Code Block
$ /usr/local/omk/bin/patch_config.exe -r /usr/local/omk/conf/opCommon.nmis /omkd/omkd_secrets[0]
CHANGE_ME_askdfal2332lkwjflk

If you choose to set up NMIS' current authentication secret for the OMK Applications instead of the other way round, then please make sure to restart the OMK Application daemon to activate your changes.

It is quite likely that you will have to flush your browser cache once after making these adjustments, to ensure that no old cookies interfere with the authentication system.

SSO between NMIS and OMK Applications across a whole organisation

To provide SSO for all involved applications, you need to make the configuration adjustments listed in the previous section and all of the following changes:

  • set up the same SSO Domain (using the auth_sso_domain configuration setting) on all involved systems for both NMIS and OMK Applications,
  • ensure that the chosen SSO Domain meets the requirement of having two or more periods (ok: ".mydom.ain" or "suborg.myorg.com", not ok: ".com"),
  • and ensure that all involved systems are accessed solely by their fully qualified domain names (FQDN) which must belong to the SSO Domain.

In NMIS the auth_sso_domain setting can be reached using the NMIS Configuration dialog, under section "authentication".

For the OMK Applications you have to open the configuration file /usr/local/omk/conf/opCommon.nmis with an editor and search for omkd_secrets (under omkd) or auth_sso_domain (under authentication). Please note that you must restart the OMK Application daemon to activate any changes.

Configuring SSO: NMIS to NMIS

In version 8.6.3G and newer you need to set the Cookie Type (auth_cookie_flavour configuration item) to "nmis" if you want to have SSO only across NMIS installations.
In older versions that is the only SSO choice.

To activate this feature, you need to

  • use a fully qualified domain name (FQDN) for all your NMIS ... servers, e.g. nmis1.domain.com ...,
  • and modify the NMIS configuration of all participating NMIS installations to contain the same SSO Domain and the same shared authentication key.

Here's an example of the relevant parts of the configuration file. On all participating NMIS servers, configure auth_sso_domain and auth_web_key in /usr/local/nmis8/conf/Config.nmis; the default for auth_sso_domain is ".domain.com", e.g.:

Code Block
 'auth_sso_domain' => '.domain.com',
 'auth_web_key' => 'thisismysecretkey', 

Please note that two or more periods are required in the domain name, so if your company is AJAX Cleaning and your domain name is ajaxcleaning.com this configuration would be:

Code Block
 'auth_sso_domain' => '.ajaxcleaning.com',

Accessing NMIS

...

with Single Sign On

When you are accessing the NMIS server after this is configured you must then use the FQDN. In our development labs we use dev.opmantek.com which contains two periods, so we can configure it like this:

Code Block
 'auth_sso_domain' => 'dev.opmantek.com',
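
The requirements listed for both SSO variants (one shared SSO Domain with two or more periods, access only via FQDNs inside that domain, one shared key) can be checked before rollout. The following is an added example, not part of NMIS or the Opmantek applications; the function names, sample hosts and keys are constructed, and the host-to-domain matching rule is an assumption.

```python
import re

# Flat "'key' => 'value'" pairs, as in the Config.nmis excerpts on this page.
PAIR = re.compile(r"'(\w+)'\s*=>\s*'([^']*)'")

def domain_ok(sso_domain):
    """Page rule: the SSO Domain must contain two or more periods."""
    return sso_domain.count(".") >= 2

def host_in_domain(fqdn, sso_domain):
    """Assumed rule: the host equals the domain or is a subdomain of it."""
    host, dom = fqdn.lower().rstrip("."), sso_domain.lower().lstrip(".")
    return host == dom or host.endswith("." + dom)

def check_sso(systems, omk_secret=None):
    """systems: access hostname -> Config.nmis text. Returns findings."""
    parsed = {h: dict(PAIR.findall(t)) for h, t in systems.items()}
    findings = []
    for key in ("auth_sso_domain", "auth_web_key"):
        if len({s.get(key) for s in parsed.values()}) > 1:
            findings.append(f"{key} differs between systems")
    for host, s in sorted(parsed.items()):
        dom = s.get("auth_sso_domain", "")
        if not domain_ok(dom):
            findings.append(f"{host}: {dom!r} has fewer than two periods")
        elif not host_in_domain(host, dom):
            findings.append(f"{host}: not inside SSO Domain {dom!r}")
        if omk_secret is not None:  # NMIS-to-OMK checks only
            if s.get("auth_cookie_flavour") != "omk":
                findings.append(f"{host}: auth_cookie_flavour is not 'omk'")
            if s.get("auth_web_key") != omk_secret:
                findings.append(f"{host}: auth_web_key != omkd_secrets[0]")
    return findings

def cfg(domain, key, flavour):
    """Build a constructed Config.nmis fragment for the sample below."""
    return (f"'auth_sso_domain' => '{domain}',\n"
            f"'auth_web_key' => '{key}',\n"
            f"'auth_cookie_flavour' => '{flavour}',\n")

# Constructed sample data, not taken from a real installation.
SAMPLE = {
    "nmis1.ajaxcleaning.com": cfg(".ajaxcleaning.com", "sample-key-A", "omk"),
    "nmis2.ajaxcleaning.com": cfg("ajaxcleaning.com", "sample-key-B", "nmis"),
    "nmis3": cfg(".ajaxcleaning.com", "sample-key-A", "omk"),
}

if __name__ == "__main__":
    for finding in check_sso(SAMPLE, omk_secret="sample-key-A"):
        print(finding)
```

Findings name the setting and host only, so the shared key itself never ends up in the output or in logs.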

...