SSO and LDAP options that are available

Document ID : KB000010256
Last Modified Date : 14/02/2018
Introduction:

This document discusses what is currently available in Business Service Insight (BSI) for implementing Single Sign-On (SSO) and LDAP integration. It also discusses the examples available in the product documentation and what is supported out of the box versus what is a customization of the product.

Instructions:

Out of the box, BSI 8.3.5 now contains an LDAP integration feature which can be enabled in the advanced system settings, as shown below:

[Image: ldap1.jpg]

This feature is documented in the BSI documentation here:

https://docops.ca.com/ca-business-service-insight/8-3-5/en/integrations/active-directory-single-sign-on

In spite of the name of the documentation, it is important to note what this feature does and does not provide.

It does:

Provide password authentication for the user against the password stored in LDAP, as long as the user exists in both BSI and LDAP. This means the user passwords no longer need to be maintained in BSI.

It does not:

Provide SSO in the sense that you no longer need to log in to BSI. You must still type the BSI/LDAP username and LDAP password at the BSI login page. Nor does it synchronize users from LDAP: the users who need access to BSI must still be created in BSI, and there is no out-of-the-box feature to create them automatically or to delete them when they are no longer in use. Custom possibilities for this are described below.

In addition to the out of box feature discussed above, BSI provides API calls to allow you to create a custom SSO feature which can synchronize users with LDAP or remove the login page completely. This is discussed in the documentation here:

https://docops.ca.com/ca-business-service-insight/8-3-5/en/integrations/ldap-integration

It is important to note that while BSI provides the API calls, and the documentation shows a sample script to demonstrate how they can be called, creating your own web page and .NET application to implement this is a customization. Support can only assist with the API calls themselves if you find they are not behaving as documented.

The first sample script in the documentation link above is a VB script which can be run as an integration/translation script from the product itself. It shows how the LDAP user can be created in and removed from BSI automatically. Used in combination with the LDAP lookup feature in 8.3.5, this can fully synchronize users with LDAP through commands like Tools.AddUserByMap map.

[Image: ldap2.jpg]

The second script is more complicated. It is sample C# code which calls the BSI API calls that allow a silent login; it would let you bypass the BSI login process completely and enable a full-featured SSO solution. The sample is written in C#, but you could create your own web page that calls anything you like, provided it is a language that allows server-side API calls. C# code must be compiled, so this sample would be compiled in Visual Studio and called from an .aspx file. This is similar to how our login.aspx file calls compiled C# code out of the box. You would also need to modify the script heavily to suit your environment: the hardcoded username and organization name it currently uses, the redirect link, whether you are using HTTPS or HTTP, and so on. This is considered customization and is not something support can help with beyond providing this example.

[Image: ldap3.jpg]

Hopefully this helps to clarify the available options and what is provided with each one.