SSO on LSF9

Joe O'Toole
Veteran Member
Posts: 314

We have been on LSF9 for a while now and are looking into moving our users from LID to Portal. We are a Windows shop and have LSF9 bound to AD. All of our employees, including our Lawson application users, use ESS/MSS as well. Some access ESS from workstations logged into Windows with a generic account and some access ESS from their individual Windows accounts. We also expire user Windows account passwords on a regular basis. Based on this, is it possible and/or realistic to try to configure Lawson to use true SSO so application users logged into the Windows domain with their personal accounts do not need to re-enter their credentials for Lawson?

Jimmy Chiu
Veteran Member
Posts: 641

It's possible to do that, but it is not recommended by Lawson because LATM will need to be turned off. You can check article 84326 from Lawson support for detailed steps.
Roger French
Veteran Member
Posts: 549

That article is for 8.0.3 platforms, BTW. And it doesn't really mention "Single Sign On" within the article.

Joe:
If you're asking whether it is possible for users to log on to the Windows domain, and whether there is some way then to set up Lawson so they *won't* have to *manually* log on to Lawson Portal - hmmmm... Do you really want that? You can, I guess, somehow store/cache the user ID/PW in the log-in screens within I.E., so that once you're logged into the domain and then point to your Lawson Portal within your browser, it will automatically log you in.

I know that it's possible to set up a scenario so that once you're logged into Portal, you can open up new Portal sessions (under that same ID) without having to log in again. This is in I.E. 6.x. Try it in I.E. and select File>>New>>Window (after you're initially logged into Lawson Portal) and see for yourself.

I think within the context of *Lawson* Single Sign On for LSF 9, it means that you log on to *Lawson Portal* once (the "single"), after initially logging into the Windows domain, e.g. your desktop; it will then authenticate to all Lawson services that user is attached to (such as ESS, RSS, LBI, etc.), so you won't have to log in individually again to each one of them until you are logged out or timed out.

As far as password expiration on a regular basis on your Windows domain, if you are set up with an LDAP bind, then the expiration (and also the newly reset password) will flow down to Lawson authentication as well.

-Roger

Joe O'Toole
Veteran Member
Posts: 314

Thanks for clarifying. I remember hearing about the limited implementation of SSO by Lawson a few years ago when LSF9 was first announced, but it sounds like there is still no delivered method of configuring Lawson to do this. It's a topic that came up here to make things easier for our users, but I share your concerns about allowing users to go directly into the application from Windows without supplying their credentials, and caching is not something we would want to undertake.
- Joe
PaulJ
Basic Member
Posts: 9

I have a somewhat similar question: We have a .net application that we want to link to from the Lawson portal. Is there a way to pass the Lawson authentication credentials to our .net application so the user will not have to log in again? I checked out the Lawson IOS Application Program Interfaces documentation, specifically chapter 6, but that seems more related to authenticating an external app with Lawson to perform a task against the Lawson interface (whereby the .net app is actually passing the credentials to Lawson, not vice versa as I need).

How would I go about creating such a link? A web service of some sort? Pardon my inexperience. Any help is much appreciated. Thanks.

Alex Tsekhansky
Veteran Member
Posts: 92

Paul - it is possible to do so, but it will require a bit of coding.
From Lawson's point of view, on a "low level" you're logged into Portal if your browser session to Lawson's web server has two (or three, depending on the version) cookies whose values correspond to session numbers WebSphere knows about.
So, the basic idea of developing something like that would be:

1. You make a custom login page that checks whether you're already logged in (by verifying whether you have the cookies and whether the Lawson servlets respond with some info when you try to do /sso/SSOServlet with the cookies).
2. If you're not logged in, you would need to develop a CGI or a servlet to which you pass your current Windows session information and which can independently verify that you're indeed logged into Windows. That servlet will also create a new session in Lawson for you on its own.
3. The servlet should return the cookies it got from Lawson to your browser, which should put them into the current session.

At that point you would be logged into Portal. #1 and #3 are very trivial to do. You should bind to a custom LDAP server to do the second part of #2 the easy way. The first part of #2 (independently verifying whether you're logged into Windows) is not as simple. It greatly depends on your domain/workgroup organization. Essentially the task is to give the other machine the ability to verify that you're correctly logged into Windows from your PC. There are quite a few ways you can use, but they will depend on the organization of your Windows infrastructure.
PaulJ
Basic Member
Posts: 9

Alex, thanks for the quick response. I'm glad you say #1 and #3 are trivial to do. Unfortunately, I'm lacking the knowledge on how to do both. Obviously, I can't ask you to give me the code that'll do it (I'd imagine I'd have to pay you for that), but maybe you could enlighten me with more specific information and/or pseudo/example code as to how to accomplish the tasks?

I guess my issue is how I "communicate" with the Lawson SSOServlet via asp.net/vb.net code as far as "verifying whether I have the cookies and whether the Lawson servlets respond with some info when I try to do /sso/SSOServlet with the cookies"? I'd also want to be able to pull back a few values from Lawson as well, like user full name, user network name, etc.

As for #2, I probably won't do it, and will instead just make the user re-login through the asp.net forms authentication login (which verifies against LDAP) instead of trying to auto-pass credentials from the Windows session, especially since this external web app will only be linked to from within the Lawson portal.

Thanks again. Any help/advice is greatly appreciated.
Alex Tsekhansky
Veteran Member
Posts: 92

Sure.

For #1 you should have a custom HTML page that will have JavaScript or VBScript that will be run in the browser. That code should check for the presence of the cookies JSESSION and C.LWSN in 900, and also for another cookie (I think called SSO) in 901. If you run Fiddler2 on /sso/SSOServlet, you can capture the whole session and get the right names of the cookies.
Once you get them, the same JavaScript/VBScript code should make an internal call to /sso/SSOServlet and see if you get a redirect. If you do, that means your cookies are wrong. If you do not, your code is 200 and you get the right message in the HTML body; that means you're logged in. After that you can redirect to the standard index in /lawson/portal, and you will be logged in.

For #3 - suppose you get a servlet/CGI that can determine whether you're logged in correctly. Then it can return cookies (which are really string values in a header) back to the calling agent. Just transfer the value of those cookies back to your current session from the agent and you're logged in.

If you need to get additional values, just call /cgi-lawson/userenv.exe, /cgi-lawson/printenv.exe, /servlet/Profile and /servlet/SysEnv from your agent or servlet (depending on where you need those). See the result, even in a browser. It's easy to parse, as in most cases it's one value per line.

The details greatly depend on the language chosen to do this. We have done implementations of it in PHP, Java/JavaScript and Perl, to name a few.
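As an added example (not code from this thread, from Lawson, or from any poster), here is a server-side version of the "#1" check Alex describes in his two posts above, written for Node.js 18 or later (global fetch). It assumes the cookie names from Paul's Fiddler capture, the PING URL and the <SSO><SESSIONSTATUS>/<USERNAME> response shape from Paul's later code, and a hypothetical base URL http://lawson.example; the point it adds is that the browser's Lawson cookies must be copied onto the server-to-server call and redirects must not be followed.

```javascript
const LAWSON_COOKIES = ["C.LWSN", "JSESSIONID", "SSO.TKM"]; // names from Paul's Fiddler capture

// Turn a raw "Cookie:" header ("a=1; b=2") into a name -> value map.
function parseCookieHeader(header) {
  const jar = Object.create(null);
  for (const part of (header || "").split(";")) {
    const eq = part.indexOf("=");
    if (eq > 0) jar[part.slice(0, eq).trim()] = part.slice(eq + 1).trim();
  }
  return jar;
}

// Step 1 of Alex's recipe: did the browser send all of the Lawson session cookies?
function hasLawsonCookies(header) {
  const jar = parseCookieHeader(header);
  return LAWSON_COOKIES.every((name) => jar[name] !== undefined && jar[name] !== "");
}

// Build the server-to-server PING call. The Lawson cookies are copied from the browser's
// request onto this call; a request made with an empty cookie container carries none of
// them, so Lawson answers "not logged in" whatever the browser holds. redirect: "manual"
// keeps a 302 visible instead of silently following it to the login page.
function buildPingRequest(header, baseUrl) {
  const jar = parseCookieHeader(header);
  const cookie = LAWSON_COOKIES.filter((n) => n in jar).map((n) => `${n}=${jar[n]}`).join("; ");
  return {
    url: `${baseUrl}/sso/SSOServlet?_action=PING&_ssoUpdateSession=TRUE`,
    options: { method: "GET", redirect: "manual", headers: { Cookie: cookie } },
  };
}

// Step 2: a 3xx means the cookies were rejected; 200 with <SESSIONSTATUS>true</SESSIONSTATUS>
// means a live session, and <USERNAME> then carries the Lawson user (body shape from Paul's code).
function interpretPingResponse(status, body) {
  const none = { loggedIn: false, userName: "" };
  if (status !== 200) return none; // 302/303 to the login page, or any error
  const field = (tag) => {
    const m = new RegExp(`<${tag}>([^<]*)</${tag}>`, "i").exec(body || "");
    return m ? m[1].trim() : "";
  };
  if (field("SESSIONSTATUS").toLowerCase() !== "true") return none;
  return { loggedIn: true, userName: field("USERNAME") };
}

// Glue: run the PING with the browser's cookies; fetchImpl is injectable for offline testing.
async function checkLawsonSession(header, baseUrl, fetchImpl = fetch) {
  if (!hasLawsonCookies(header)) return { loggedIn: false, userName: "" };
  const { url, options } = buildPingRequest(header, baseUrl);
  const res = await fetchImpl(url, options);
  return interpretPingResponse(res.status, await res.text());
}
```

In an Express-style handler the `header` argument is simply `req.headers.cookie`, which is where the difference from a fresh server-side request shows up.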
PaulJ
Basic Member
Posts: 9

Thanks for the information. Unfortunately, I'm not getting very far. I'm having trouble taking what you suggest to do and implementing it as vb.net code.

To test for a cookie, I'm trying:

If Not Request.Cookies("C.LWSN") Is Nothing ...

but it is never finding the cookie.

When logging into Lawson while running Fiddler, I see the following cookies get set in the response header:

Set-Cookie: C.LWSN=7W14SVu1yNABCiPZS1ADmMHhUDetcKoIkz0kD0ONeP!2BRr172VQqESw!3D!3D; Path=/

Set-Cookie: JSESSIONID=0000Mp6k9b94tuH57qKNZtqfOZN:-1; Path=/

and in the Request Header, it shows a cookie "SSO.TKM".

In the same browser, but a different window, I am running my vb.net code locally in debug mode and testing for the existence of the C.LWSN cookie, but it's not finding it.

I have also tried creating an http web request like:
(vb.net code)

' Requires: Imports System.Net
' WebRequest.Create returns a WebRequest; UserAgent only exists on HttpWebRequest, so cast it
Dim LoginReq As HttpWebRequest = CType(WebRequest.Create("http://lawsonserver:80/sso/SSOServlet"), HttpWebRequest)
LoginReq.Method = "GET"
LoginReq.UserAgent = "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2)"

Dim LoginResp As HttpWebResponse = CType(LoginReq.GetResponse(), HttpWebResponse)

but once I do, what exactly do I test the http web response for? You said to test for a redirect, but how would I test the response for a redirect?

And/or what am I doing wrong? Could it not be detecting the cookie somehow since I'm running locally in debug mode?

Thanks, and again sorry for my not understanding how to accomplish this task.
adam
Posts: 3

Paul, did you ever make any progress on this? I'm running into the same issue. Basically, I want to authenticate into Lawson behind the scenes (right now I'm hard-coding a user/pass) and navigate into Lawson, bypassing the login screen. I too have run some of the suggested code I've found, and was able to get and store the 2 cookies you mentioned above. However, I'm not sure what to do next. I've added the cookies to a .NET cookie container as well as "Response.Cookies.Add(theCookie)", and when I try to go to Lawson (in the same tab or another tab) I still get the login screen. Any ideas?
Thanks.

-adam
PaulJ
Basic Member
Posts: 9

@adam,

No, never got any farther on it, as we decided not to go that route for the time being. However, now they're circling back and at least wanting to kind of do the reverse.

I'm now trying to check in a .net application to see if the user is already logged into Lawson. However, no matter what I do, it still reads that I'm NOT logged in, even when I am definitely logged into Lawson in a different tab in the same browser window. Not sure what to do at this point. Anyone out there that could help?

Imports System.IO
Imports System.Net
Imports System.Xml

Partial Class LawsonSessionCheck
    Inherits System.Web.UI.Page

    ' litXML is an <asp:Literal> control on the page
    Dim lawsonURL As String = "http://lawson.mydomain.com/sso/SSOServlet?_action=PING&_ssoUpdateSession=TRUE"

    Protected Sub Page_Load(ByVal sender As Object, ByVal e As EventArgs) Handles Me.Load
        If Not IsPostBack Then
            Dim strLawsonSessionStatus As String = "false"
            Dim strLawsonUserName As String = ""
            Dim wc As New WebClient
            'Dim xmlText As String = wc.DownloadString(lawsonURL)
            Dim boolLoggedIn As Boolean = False

            ' A new, empty container: no cookies from the browser's Lawson session are copied into it
            Dim cookies As New CookieContainer()
            ' The request object has to be created before its properties can be set
            Dim lawsonReq As HttpWebRequest = CType(WebRequest.Create(lawsonURL), HttpWebRequest)

            lawsonReq.UserAgent = "Mozilla/4.0 (compatible; MSIE 5.01; Windows NT 5.0)"
            lawsonReq.ContentType = "text/xml"
            lawsonReq.Method = "GET"
            lawsonReq.CookieContainer = cookies

            Dim lawsonResp As WebResponse = lawsonReq.GetResponse()
            Dim webStream As Stream = lawsonResp.GetResponseStream()
            'Load stream
            Dim xmlDoc As New XmlDocument
            xmlDoc.Load(webStream)

            'select any level nodes using xpath
            Dim Nodes As XmlNodeList = xmlDoc.SelectNodes("//SSO")

            'iterate in selected nodes
            For Each node As XmlNode In Nodes
                If node.Name = "SSO" Then
                    For Each childNode As XmlNode In node.ChildNodes
                        If childNode.Name = "SESSIONSTATUS" Then
                            strLawsonSessionStatus = childNode.InnerText
                        End If
                        If strLawsonSessionStatus = "true" Then
                            boolLoggedIn = True
                            If childNode.Name = "USERNAME" Then
                                strLawsonUserName = childNode.InnerText
                            End If
                        End If
                    Next
                End If

                If strLawsonUserName <> "" Then
                    litXML.Text = strLawsonUserName
                End If
            Next
        End If
    End Sub
End Class
PaulJ
Basic Member
Posts: 9

Anyone have any suggestions?