
Complexity of Single Sign-On for Windows Server

Posted: Mon Nov 27, 2017 1:50 pm
by Bernd.N
From your experience, how complex (work days) is it to enable a Smart Client Solution for Single Sign-On in a Windows Server environment?
And are there any points one has to take into account?

Re: Complexity of Single Sign-On for Windows Server

Posted: Mon Nov 27, 2017 2:27 pm
by rafig
Hi Bernd,
I did this in a simple way years ago at a client using Servoy 5.2 Smart Client
Basically, you need to still use the Servoy Web Admin page to create users and passwords & assign groups.
Create users with the same name as their Windows log in name and give them a password in there that can access Servoy.
Then also create a table in your own solution as a 'lookup table' (you may already have something like this), with the user's name, login name & password (make sure this table is secure).
Then in the 'authentication' module you get the username and then check if it is in your lookup table and then use Servoy to log them in...

Code for startup method in login module

```javascript
function crm_login ()
{
   // Windows (or Mac) login name of the user running the Smart Client
   var $user = security.getSystemUserName();
   // Hand the name to crm_authenticate in the authenticator module; returns true on success
   var ok = security.authenticate('__crm_authenticator', 'crm_authenticate', [$user]);
   return ok;
}
```


Code in Authenticator Module

```javascript
/**
 * Authenticator-module method: looks the OS user name up in the solution's
 * own employees table and, if found, logs the user in with their Servoy groups.
 * @param {String} $userName
 * @return {Boolean} true when security.login succeeded
 */
function crm_authenticate ($userName)
{
   globals._user = $userName;
   var success = false;

   // Relationship based on globals._user -> system_user_name in the employees table,
   // which holds each user's Windows login name
   if ( utils.hasRecords ( user_to_employees ) )
   {
      var uid = security.getUserUID ( user_to_employees.username );
      var ds_groups = security.getUserGroups ( uid );   // dataset: group id, group name

      var arr_groups = [];

      if ( ds_groups != null )
      {
         for ( var k = 1; k <= ds_groups.getMaxRowIndex ( ); k++ )
         {
            arr_groups.push ( ds_groups.getValue ( k, 2 ) );   // column 2 = group name
         }
      }
      success = security.login ( user_to_employees.username, uid, arr_groups );
   }
   else
   {
      // message() is assumed to be this module's own helper that shows the error text
      message ( 'no match in employees table' );
   }

   return success;
}
```


and I have a form in the authenticator module that displays some error text about the failed login; it is set as the first form for the main solution, so it would only actually be seen if login failed.

Hope this helps, let me know if you need more

Rafi

Re: Complexity of Single Sign-On for Windows Server

Posted: Mon Nov 27, 2017 3:05 pm
by Bernd.N
Thank you!
rafig wrote: Basically, you need to still use the Servoy Web Admin page to create users and passwords & assign groups.

Is this step necessary? Because we do not use that page to create users and groups inside Servoy.

We handle login directly with help of our own users and groups tables.
We can not change that due to a large user number and because the customer has to be able to administer the users himself without access to the Servoy Web Admin page.

Re: Complexity of Single Sign-On for Windows Server

Posted: Mon Nov 27, 2017 3:06 pm
by lwjwillemsen

Re: Complexity of Single Sign-On for Windows Server

Posted: Mon Nov 27, 2017 3:13 pm
by rafig
Bernd.N wrote: Thank you!
rafig wrote: Basically, you need to still use the Servoy Web Admin page to create users and passwords & assign groups.

Is this step necessary? Because we do not use that page to create users and groups inside Servoy.

We handle login directly with help of our own users and groups tables.
We can not change that due to a large user number and because the customer has to be able to administer the users himself without access to the Servoy Web Admin page.


Try it using your own U&G tables...
The key to this is that very first line of code
```javascript
var $user = security.getSystemUserName() ;
```

which gets the Windows (or Mac) login user name
Then you can do what you want :wink:

Re: Complexity of Single Sign-On for Windows Server

Posted: Mon Nov 27, 2017 3:36 pm
by Harjo
But how are you sure that users are really authenticated the right way??

I can easily tweak my system user name, so this: getSystemUserName gives the 'wrong' result.

The only way to do this right IMHO is by using the IT2BE LDAP plugin...
This way you can build a secure system with single sign on.

Re: Complexity of Single Sign-On for Windows Server

Posted: Mon Nov 27, 2017 3:49 pm
by rafig
Harjo wrote: But how are you sure that users are really authenticated the right way??

I can easily tweak my system user name, so this: getSystemUserName gives the 'wrong' result.

The only way to do this right IMHO is by using the IT2BE LDAP plugin...
This way you can build a secure system with single sign on.

Harjo is of course correct...
I was just using a quick (& dirty?) way of doing it.

Re: Complexity of Single Sign-On for Windows Server

Posted: Tue Nov 28, 2017 7:18 am
by sbutler
What I do is get the system username and autofill the username and have them enter their password the first time. Use http://www.servoycomponents.com/ldapclient.html to do the authentication. Then write a user property on their machine with a combination of the username and MAC address encrypted to a string. Then on subsequent logins, on open, check the property and compare it to what the encrypted value should be. If it matches, they are good and automatically log them in.
Forcing login the first time and matching the LDAP user to the machine user validates them, so it's safe to write an encrypted property to use for subsequent logins. Copying it to another machine won't work (unless they also spoof the MAC address and username, which is possible but unlikely).

Re: Complexity of Single Sign-On for Windows Server

Posted: Mon Dec 04, 2017 11:52 am
by Bernd.N
Thank you all for the valuable input!