Complexity of Single Sign-On for Windows Server

Questions, answers, tips and ideas on Servoy Client

Complexity of Single Sign-On for Windows Server

Postby Bernd.N » Mon Nov 27, 2017 1:50 pm

From your experience, how complex (work days) is it to enable a Smart Client Solution for Single Sign-On in a Windows Server environment?
And are there any points one has to take into account?
Bernd Korthaus
LinkedIn
Servoy 7.4.9 SC postgreSQL 9.4.11 Windows 10 Pro
Bernd.N
 
Posts: 544
Joined: Mon Oct 21, 2013 5:57 pm
Location: Langenhorn, North Friesland, Germany

Re: Complexity of Single Sign-On for Windows Server

Postby rafig » Mon Nov 27, 2017 2:27 pm

Hi Bernd,
I did this in a simple way years ago at a client using Servoy 5.2 Smart Client.
Basically, you still need to use the Servoy Web Admin page to create users and passwords & assign groups.
Create users with the same name as their Windows login name and give them a password in there that can access Servoy.
Then also create a table in your own solution as a 'lookup table' (you may already have something like this), with the user's name, login name & password (make sure this table is secure).
Then in the 'authentication' module you get the username and then check if it is in your lookup table and then use Servoy to log them in...

Code for startup method in login module:

function crm_login ()
{
   var $user = security.getSystemUserName() ;
   security.authenticate('__crm_authenticator','crm_authenticate',[$user]) ;
}


Code in Authenticator Module:

/**
 * Authenticator entry point; receives the OS user name passed by crm_login().
 * @param {String} $userName
 */
function crm_authenticate ($userName)
{
   globals._user = $userName;
   var success = false;

   // relationship based on globals._user -> system_user_name in employees table, which is their Windows login name
   if ( utils.hasRecords ( user_to_employees ) )
   {
      var uid = security.getUserUID ( user_to_employees.username );
      var ds_groups = security.getUserGroups ( uid );

      // collect the group names (column 2 of the dataset) for security.login()
      var arr_groups = new Array ( );

      if ( ds_groups != null )
         for ( var k = 1; k <= ds_groups.getMaxRowIndex ( ); k++ )
         {
            arr_groups.push ( ds_groups.getValue ( k, 2 ) );
         }
      success = security.login ( user_to_employees.username, uid, arr_groups );
   }
   else
   {
      // message() is a helper in this module that shows the text to the user
      message ( 'no match in employees table' )
   }

   return success;
}


and I have a form in the authenticator module that displays some error text about a failed login, set as the first form for the main solution, which would only actually be seen if login failed.

Hope this helps, let me know if you need more

Rafi
Servoy Certified Developer
rafig
 
Posts: 704
Joined: Mon Dec 22, 2003 12:58 pm
Location: Watford, UK

Re: Complexity of Single Sign-On for Windows Server

Postby Bernd.N » Mon Nov 27, 2017 3:05 pm

Thank you!
rafig wrote:Basically, you need to still use the Servoy Web Admin page to create users and passwords & assign groups.

Is this step necessary? Because we do not use that page to create users and groups inside Servoy.

We handle login directly with help of our own users and groups tables.
We can not change that due to a large user number and because the customer has to be able to administer the users himself without access to the Servoy Web Admin page.
Bernd Korthaus
LinkedIn
Servoy 7.4.9 SC postgreSQL 9.4.11 Windows 10 Pro
Bernd.N
 
Posts: 544
Joined: Mon Oct 21, 2013 5:57 pm
Location: Langenhorn, North Friesland, Germany

Re: Complexity of Single Sign-On for Windows Server

Postby lwjwillemsen » Mon Nov 27, 2017 3:06 pm

Lambert Willemsen
Vision Development BV
lwjwillemsen
 
Posts: 680
Joined: Sat Mar 14, 2009 5:39 pm
Location: The Netherlands

Re: Complexity of Single Sign-On for Windows Server

Postby rafig » Mon Nov 27, 2017 3:13 pm

Bernd.N wrote:Thank you!
rafig wrote:Basically, you need to still use the Servoy Web Admin page to create users and passwords & assign groups.

Is this step necessary? Because we do not use that page to create users and groups inside Servoy.

We handle login directly with help of our own users and groups tables.
We can not change that due to a large user number and because the customer has to be able to administer the users himself without access to the Servoy Web Admin page.


Try it using your own U&G tables...
The key to this is that very first line of code:

var $user = security.getSystemUserName() ;

which gets the Windows (or Mac) login user name.
Then you can do what you want.
Servoy Certified Developer
rafig
 
Posts: 704
Joined: Mon Dec 22, 2003 12:58 pm
Location: Watford, UK

Re: Complexity of Single Sign-On for Windows Server

Postby Harjo » Mon Nov 27, 2017 3:36 pm

But how are you sure that users are really authenticated the right way??

I can easily tweak my system user name, so this: getSystemUserName gives the 'wrong' result.

The only way to do this right IMHO is by using the IT2BE LDAP plugin...
This way you can build a secure system with single sign on.
Harjo Kompagnie
ServoyCamp
Servoy Certified Developer
Servoy Valued Professional
SAN Developer
Harjo
 
Posts: 4321
Joined: Fri Apr 25, 2003 11:42 pm
Location: DEN HAM OV, The Netherlands

Re: Complexity of Single Sign-On for Windows Server

Postby rafig » Mon Nov 27, 2017 3:49 pm

Harjo wrote:But how are you sure that users are really authenticated the right way??

I can easily tweak my system user name, so this: getSystemUserName gives the 'wrong' result.

The only way to do this right IMHO is by using the IT2BE LDAP plugin...
This way you can build a secure system with single sign on.

Harjo is of course correct...
I was just using a quick (& dirty?) way of doing it.
Servoy Certified Developer
rafig
 
Posts: 704
Joined: Mon Dec 22, 2003 12:58 pm
Location: Watford, UK

Re: Complexity of Single Sign-On for Windows Server

Postby sbutler » Tue Nov 28, 2017 7:18 am

What I do is get the system username and autofill the username and have them enter their password the first time. Use http://www.servoycomponents.com/ldapclient.html to do the authentication. Then write a user property on their machine with a combination of the username and MAC address encrypted to a string. Then on subsequent logins, on open, check the property and compare it to what the encrypted value should be. If it matches, they are good and automatically log them in.
Forcing login the first time and matching the LDAP user to the machine user validates them, so it's safe to write an encrypted property to use for subsequent logins. Copying it to another machine won't work (unless they also spoof the MAC address and username, which is possible but unlikely).
Scott Butler
iTech Professionals, Inc.
SAN Partner

Servoy Consulting & Development
Servoy University- Training Videos
Servoy Components- Plugins, Beans, and Web Components
Servoy Guy- Tips & Resources
ServoyForge- Open Source Components
sbutler
Servoy Expert
 
Posts: 759
Joined: Sun Jan 08, 2006 7:15 am
Location: Cincinnati, OH

Re: Complexity of Single Sign-On for Windows Server

Postby Bernd.N » Mon Dec 04, 2017 11:52 am

Thank you all for the valuable input!
Bernd Korthaus
LinkedIn
Servoy 7.4.9 SC postgreSQL 9.4.11 Windows 10 Pro
Bernd.N
 
Posts: 544
Joined: Mon Oct 21, 2013 5:57 pm
Location: Langenhorn, North Friesland, Germany

