Login

  • Authentication: See this chapter for more information

  • Autocreate SSP account?: See this chapter for more information

  • Use person unique id for account login: Use the person unique id instead of the account login name to log in to the system

  • Show 'Stay logged in' checkbox on login:

  • Supervisor impersonate account: The account to use when logging in with the admin2 account. See here for more information.

  • Login page image location: Set a URL to a login image here to override the image set in the CSS.

  • Do not redirect to 'My Profile' on first login: New users are redirected to the My Profile page at first login. With this option that is no longer the case.

  • After login redirect to: Users will be redirected to this URL after they have successfully logged on to the system

  • After login redirect to (mobile): Mobile users will be redirected to this URL after they have successfully logged on to the system

  • Enable registration: When enabled, new users can register themselves in the system. Please note that only persons with a known person record can register themselves.

  • Registration Mail Validity Period: The period during which the link sent in the registration email remains valid.

  • Registration Password Regular Expression: Password requirements for users.

  • Registration New Account Login: Set the field in which the login of the new user should be stored

  • Automatic logout after: This is a time-out after which user sessions get terminated.

  • On manual logout, logout all sessions of the user: When enabled, users will have no open sessions on any browser or computer after logging off a single session.

  • Disable session keep alive: SSP keeps sessions alive for user convenience. With this option that behaviour can be changed, and users need to log in again after the session has timed out.

  • Close browser on logout: The browser tab is closed (when allowed) after the logoff button is pressed.

Login Suffix

Login Suffix: SSP can provide users with a default login suffix when they log in. This can be, for example, the final (common) part of the user's email address, if that is used for login.

Authentication Types

Authentication is the process of verifying the identity of a user who attempts to access the system, and authorization is the process of verifying that the user has sufficient rights to the Self Service Portal. There are different methods of authentication available for the Self Service Portal. Regardless of which authentication method is selected, each user will require a Self Service Portal account to get authorization within the Self Service Portal.

SSP 7 provides different methods of authentication:

  • SSP7 Internal - Use this option if SSP should do authentication and maintain users' passwords. Please note that the system is designed to use external authentication methods and this authentication method may not satisfy all security requirements.

  • LDAP - When LDAP authentication is used, users can log in with their normal network account and password. Passwords are not stored in SSP 7. It is possible to give users the option to save their account for next time. This account is then stored in the user's local folder in encrypted format. Please check the User Access section for detailed information.

  • SD 4.5 - HP OpenView ServiceDesk 4.5 is used as authentication server. Users get access to SSP 7 by providing their HPSD4.5 username and password.

  • Kerberos - Kerberos is used to provide Single Sign On (SSO), using the Windows account of the user.

  • Webseal - Supports authentication through a webseal session variable

  • External - Use external in case you want to use ADFS authentication. Please contact SMTX support for additional software that is required to support this authentication type.

Single Sign On

This version of SSP provides true Single Sign On capabilities through Kerberos. However, there is an alternative that comes close to Single Sign On. SSP can remember the account that has successfully logged on. The account information is stored in the user's profile and can be used to automatically log in with the same account when the user returns.

To configure the option for remembering the account, go to general settings and check the checkbox next to the option Show 'Stay logged in' checkbox on login. This will add a checkbox to the login page, giving users the option to remember the login account.

A second setting needs to be updated in the web.config file of the common application. Find the following string:

    <machineKey validationKey="security key removed" decryptionKey="hidden" validation="XXX"/>
    <authentication mode="Forms">
      <forms loginUrl="../Common/login.aspx" protection="All" timeout="1440" name=".SMTXAuth" path="/" slidingExpiration="true" defaultUrl="default.aspx" />
    </authentication>

It is important that the security keys don't get distributed or changed. These keys make sure the content of the cookie is secure.

With the timeout value you can configure how long the login will be remembered. In the example the value 1440 is 1 day, as this value is set in minutes. If for example, the login should be done at least every week, set the value to 7*1440 = 10080. If the login can be remembered for an unlimited amount of time, set the value to 0.

SSP7 Internal Authentication

With SSP 7 Internal authentication the user logs in using the username and password provided by their administrator. Access to the Self Service Portal is controlled and administered from the Manage Persons section of the Admin panel. All user accounts will require the proper authorization to access the Self Service Portal, which is described in the User Access Control section.

LDAP Authentication

LDAP can be used to authenticate users. The big benefit of using LDAP is that users are able to use the same username and password to access SSP 7 as they use to get access to the network. SSP 7 supports the standard LDAP protocol and can be used with Microsoft's Active Directory. Please read the LDAP topic within the Adapter chapter for more information on how to configure the LDAP connection.

SD45

HP OpenView ServiceDesk 4.5 can be used to authenticate users. The benefit of using ServiceDesk is that users are able to use the same username and password to access SSP 7 as they use to get access to ServiceDesk. Although authentication is done against ServiceDesk, further communication with ServiceDesk is done with the account configured within the Adapter settings.

Kerberos

How to configure Kerberos SSO.

  a. Go to the default.aspx file in common\winLogin: go to the Common application, open the folder winlogin and then choose Content View.

  b.

  c. Select default.aspx, right-click and choose "Switch to Features View".

  d. Select 'Authentication'.

  e. Disable anonymous access and enable Windows authentication. When Windows authentication is not available, please install it by following the Microsoft installation instructions.

  f. You will see an error message, but this can be ignored.

  g. Check that you have HTTP401 error pages installed (this should be done automatically).

  h. This is then the new screen settings:

  i. Now also check the .NET Authorization settings on default.aspx. It should be configured like below.

External authentication

Use external authentication to let SSP redirect users to an authentication provider. The authentication provider will link back to SSP, with user credential data included in the redirect. SSP currently supports ADFS authentication and is able to read person data from the claims in the SAML token returned by the ADFS server.

OAuth2.0

At this point OAuth2.0 isn't supported by the external component. In case there is a need for OAuth2.0 support, please contact SMTX support, as this type of authentication can be provided on demand.

Automatic Account Creation

Once a user is authenticated, the authorizations within SSP 7 are looked up. In case a user is logging into SSP 7 for the first time, this user will not have an SSP 7 account. In that case, the user will not get access to SSP 7.

If you would like to have a new SSP 7 account created automatically, please do the following:

Setting SSP 7 to automatically create accounts.

  • In the General Settings Admin panel select "Yes" in Autocreate SSP 7 account for LDAP users.

  • Click OK or Save to save the settings.

Automatically created accounts will get the default role assigned. On top of the default role, users may also receive roles via a RoleSet. For more information on RoleSets please refer to the User Access Control chapter.

Supervisor Impersonate

In the situation that authentication against the authorization server is failing, access to SSP 7 is no longer possible. For those situations, a Supervisor account is provided in SSP 7. This Supervisor account is able to log in without checking the configured authentication source. The Supervisor account needs to be enabled in the web.config file of the common application. Here you can define the username and password.

By default the Supervisor account is disabled. The default username and password is configured as admin2/admin2. Please read chapter User Access of the Installation Guide for more information on configuring the Supervisor account.

Stay logged in

It is possible to let SSP 7 remember the last successful user login. When the user closes the browser and later returns to the portal, no authentication is required.

Please take note of the following warnings and limitations before activating this functionality:

  • Security

    • Anyone who gets access to a person's computer can log in with that person's account. This will make it possible to submit or approve items under another person's credentials.

    • A cookie is stored in the user's Windows profile. The username within the cookie is encrypted with 64-bit encryption technology.

  • When making use of RoleSets, SSP 7 will remember the Roles granted when the user logged in for the last time. Any updates in the RoleSet are only applied when the user logs in again.

  • When the Log Out button is used, the cookie containing the user's login information will be deleted and the user needs to provide login credentials again on the next visit.

How to activate

Turn 'Stay logged in' checkbox on and off.

  1. In the General Settings of the Admin panel, find the section "Show 'Stay logged in' checkbox on login".

  2. Check the box to show, or uncheck it to hide.

  3. Click SAVE or OK to save the settings.

There is also an update needed in the web.config file of all 3 SSP 7 applications (Common, Workflow and Forms). Look up the following line in the web.config files:

Make sure you set the value for timeout to the number of minutes you want people to stay logged in. By default this value is set to 0. To change this into 5 days, change the value into 7200 (60 minutes per hour * 24 hours per day * 5 days = 7200 minutes). Any value can be selected here. In case 0 is selected, the Stay Logged In functionality is disabled.

In case the Stay Logged In functionality is enabled, the user will see a checkbox on the login screen that gives the option to remember the login for future sessions.
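The timeout arithmetic from the Single Sign On section and the update of all three web.config files described above can be checked together. The script below is an added example, not SMTX code: it reads the forms settings of the Common, Workflow and Forms applications, converts the timeout to days and reports differences between the files. The sample fragments, the placeholder keys, the 7-day limit and the expectation that the three applications carry the same machineKey are assumptions made for this example.

```python
import xml.etree.ElementTree as ET

# Constructed sample data: web.config fragments for the three SSP 7 applications.
# Key values are placeholders; "Forms" deliberately differs from the other two.
TEMPLATE = """<configuration><system.web>
  <machineKey validationKey="{key}" decryptionKey="{key}" validation="XXX"/>
  <authentication mode="Forms">
    <forms loginUrl="../Common/login.aspx" protection="All" timeout="{timeout}"
           name=".SMTXAuth" path="/" slidingExpiration="true" defaultUrl="default.aspx"/>
  </authentication>
</system.web></configuration>"""
SAMPLE = {
    "Common": TEMPLATE.format(key="PLACEHOLDER-1", timeout=7200),
    "Workflow": TEMPLATE.format(key="PLACEHOLDER-1", timeout=7200),
    "Forms": TEMPLATE.format(key="PLACEHOLDER-2", timeout=43200),
}


def read_forms_settings(xml_text):
    """Return the forms-authentication settings of one web.config as a dict."""
    web = ET.fromstring(xml_text).find("system.web")
    forms = web.find("authentication/forms")
    key = web.find("machineKey")
    minutes = int(forms.get("timeout"))
    return {
        "timeout_minutes": minutes,
        "timeout_days": minutes / 1440,  # the timeout attribute is in minutes
        "protection": forms.get("protection"),
        # Compared for equality only; key material is never printed.
        "keys": (key.get("validationKey"), key.get("decryptionKey"), key.get("validation")),
    }


def audit(configs, max_days=7):
    """Return findings; max_days is an assumed policy limit, not an SSP setting."""
    settings = {app: read_forms_settings(x) for app, x in configs.items()}
    findings = []
    for app, s in settings.items():
        if s["timeout_days"] > max_days:
            findings.append(f"{app}: login remembered for {s['timeout_days']:g} days (limit {max_days})")
        if s["protection"] != "All":
            findings.append(f"{app}: cookie protection is {s['protection']!r}, expected 'All'")
    for field in ("timeout_minutes", "keys"):
        if len({s[field] for s in settings.values()}) > 1:
            findings.append(f"{field} differs between applications")
    return findings


if __name__ == "__main__":
    print("\n".join(audit(SAMPLE)))
```

To use it on a real installation, replace SAMPLE with the text of the three web.config files read from disk.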
