Sun and Microsoft Interoperate for Web Authentication, Part 2

Sun Java System Access Manger (henceforth, Access Manager) offers a robust solution for Web-based single sign-on (SSO), federation, and security of Web services through an administration interface for centralized authentication and authorization. As described in part 1 of this series, in addition to setting the standard allow-deny policies, you can extend authentication with Access Manager by configuring mechanisms and authorization policies for various Web servers and application servers by means of Policy Agents.

With Microsoft SharePoint Portal Server 2003 (henceforth, SharePoint), you can create portals as launch pads for Web sites. Each site can be a top-level page, from which you can build other subsites as in a tree hierarchy. You can also define authorization policies to grant access and administration rights to various individuals to the sites, as appropriate, at different levels of the hierarchy.

This article describes how to integrate SharePoint with Access Manager for SSO. Afterward, once Access Manager has authenticated a user, that person can—without having to log in again—access the other sites that are also configured for SSO through Access Manager.

Note: See also Part 3 of this series: Sun Java System Access Manager and Microsoft Outlook Web Access for Exchange Server 2003.

In a SharePoint deployment, you can configure in the Microsoft Internet Information Services (IIS) Administration Console any authentication mechanism supported by IIS. The authentication choices are Basic, Digest, Windows Integrated, and Anonymous. The current SharePoint Agent supports basic authentication only. For tighter security, you can configure basic authentication with Secure Sockets Layer (SSL). Basic authentication is also supported by most Web browsers.

Figure 1 shows the Authentication Methods dialog box in the IIS Administration Console. Just select "Basic authentication (password is sent in clear text)" and click OK.

Figure 1: Specifying the Authentication Method in IIS (Click image for larger view.)

In SharePoint, you configure authorization policies from its Administration Console's Manage Web Site Users screen (see Figure 2) to grant access rights to users for specific sites. The four levels of access rights are Reader, Contributor, Web Designer, and Administrator.

Figure 2: Granting Access Rights in SharePoint (Click image for larger view.)

As an example, make Alice an Administrator for the Marketing site and a Reader for the Sales site so that she can add or edit content in the Marketing site but only read content in the Sales site. Afterward, test the configuration by going to the Marketing site. When prompted for the user name and password, fill in the fields with Alice's credentials. You'll find that not only can you read the content, but you can also, for example, upload a graphic to that site.

Now switch to the Sales site. When you attempt an upload, SharePoint blocks the task and prompts for the credentials of a user who has the rights to perform such a task, as shown in Figure 3.

Figure 3: Prompting for Password (Click image for larger view.)

The SharePoint Agent enables SSO for SharePoint with all the applications configured in Access Manager. When a user accesses SharePoint, its Agent displays an Access Manager login screen. Once authenticated, the user can access all the applications that are secured by Access Manager.

To deploy the SharePoint Agent, first configure a post-authorization plug-in, ReplayPasswd, with Access Manager (see the next section). An encryption key is shared between Access Manager and the SharePoint Agent.

Here is what transpires behind the scenes:

1. When an access request arrives at the SharePoint application through IIS, the SharePoint Agent intercepts the request and redirects it to Access Manager for authentication.
   
2. After successful authentication, ReplayPasswd encrypts the password with the shared key and stores the encrypted data in the Access Manager session, whose ID is then set in a special cookie in the form of an SSO Token ID.
   
3. The SharePoint Agent retrieves the encrypted password from the SSO Token and decrypts the information with the shared key. That way, the SharePoint Agent has in its possession the original credentials, which it then encodes according to the Base64 encoding method and places in the Basic Authentication HTTP header of the original HTTP request.
   
4. Now that the HTTP request has a valid Basic Authentication HTTP header, IIS does not prompt for authentication. Subsequently, the user is allowed access to the resource requested.

You must synchronize the user passwords in the Access Manager data store with those of SharePoint. If the SharePoint user accounts are stored in Active Directory, you can configure Access Manager to use the same Active Directory as the data store and avoid having to synchronize passwords in two different LDAP servers. The SharePoint Agent also enables mapping of LDAP attributes other than uid.

Before installing the SharePoint Agent, first configure Access Manager.

Configuring Access Manager
Important: Be sure to install Java 2 Platform, Standard Edition (J2SE platform) 1.4 or a later version.

Included in Access Manager 7.0 Patch 5 onwards, except Access Manager 7.1, are ReplayPasswd.java, a plug-in, and DESGenKey.java, a key generator.

Note: For the procedure on how to configure the plug-in in earlier patches and generate the shared key, see Appendix A: Configurations for Pre-Access Manager 7.0 Patch 5 Releases and Access Manager 7.1.

To configure ReplayPasswd.class as a post-authorization plug-in:

1. Log in to the Access Manager Administration Console as amadmin.
   
2. Click the Access Control tab, click the realm, and then click the Authentication tab.
   
3. Under General, click Advanced Properties.
   
4. Scroll down to the Authentication Post Processing Class field. In the text field, type com.sun.identity.authentication.spi.ReplayPasswd (see Figure 4).
   
   

   Figure 4: Defining the Authentication Post-Processing Class (Click image for larger view.)

    
   
5. Scroll up, click Save, and exit Access Manager.

Finally, generate and add the shared key and the LDAP attribute to the AMConfig.properties file:

1. Go to the lib directory in the Access Manager installation location ( /opt/SUNWam/lib by default) and execute DESGenKey. Type:
   
   # java com.sun.identity.common.DESGenKey
   
   Access Manager generates and outputs the key, for example: Key ==> bTGKXVs3WEk=
   
2. Add the key as the value of the com.sun.am.replaypasswd.key property in the AMConfig.properties file.
   
   For example, add this line:
   
   com.sun.am.replaypasswd.key = bTGKXVs3WEk=
   
3. Add the LDAP attribute that acts as the login attribute mapped in SharePoint and Access Manager.
   
   For example, if uid is that attribute, add this line:
   
   com.sun.am.sharepoint_login_attr_name = uid
   
4. Restart Access Manager.

Installing and Configuring the SharePoint Agent

1. Download Policy Agent 2.2-01 for IIS 6.0. Run the installer.
   
   After installation, the installer prompts you to reboot.
   
2. Click Yes to reboot your system.
   
3. Go to the bin directory of the SharePoint Agent installation. Type:
   
   C:\>cd \Sun\Access_Manager\Agents\2.2\iis6\bin
   
4. Execute the script IIS6Createconfig.vbs. Type, for example (all on one line):
   
   C:\Sun\Access_Manager\Agents\2.2\iis6\bin>cscript IIS6CreateConfig.vbs C:\amconfig.txt
   
   You are prompted for the details of the SharePoint and Access Manager installations and the shared "secret," which is the value of the variable AMLDAPUSERPASSWD in the Access Manager configuration. See Figure 5 for an example.
   
   

   Figure 5: Running IIS6CreateConfig.vbs

    
   
5. Execute the IIS6AuthAdmin.vbs script. Type, for example, all on one line:
   
   C:\Sun\Access_Manager\Agents\2.2\iis6\bin>cscript IIS6AuthAdmin.vbs -config C:\amconfig.txt
   
   See Figure 6 for an example.
   
   

   Figure 6: Running IIS6AuthAdmin.vbs

    
   
6. Add the replay password key, which you generated earlier, to the AMAgent.properties file. For example, add this line:
   
   com.sun.am.replaypasswd.key = bTGKXVs3WEk=
   
7. Restart IIS.

To test the setup:

1. Go to a site for which Alice has access rights, say, the Finance site, which is not hosted in SharePoint but is protected by Access Manager, which also secures the SharePoint sites.
   
2. At the Access Manager login screen, enter Alice's credentials. See Figure 7.
   
   

   Figure 7: Logging In at Access Manager Login Screen (Click image for larger view.)

    
   
   Access Manager directs Alice to the Finance site.
   
3. Clear the cookies or restart the browser.
   
4. Access the Marketing site with Alice's credentials.
   
   Access Manager redirects Alice to the Marketing site.
   
5. Access the Sales site.
   
   Likewise, Access Manager grants Alice access. However, if she tries to upload an image, Access Manager blocks the task with a Denied HTTP 403 Forbidden error, as expected. See Figure 8.
   
   

   Figure 8: Access Denial (Click image for larger view.)

    
   
6. Access the Finance site again.
   
   Access Manager redirects Alice there without any need for reauthentication.

For any release that is earlier than Access Manager 7.0 Patch 5 and for Access Manager 7.1, ReplayPasswd.java and DESGenKey.java are shipped separately. You must compile the two files and ensure that their class files are in Access Manager's lib directory ( /opt/SUNWam/lib by default), as follows:

1. As root, compile ReplayPasswd.java and DESGenKey.java by typing (all on one line):
   
   # javac -classpath Access_Manager_install_dir /lib/am_services.jar: Access_Manager_install_dir /lib/am_sdk.jar:
Access_Manager_install_dir /lib/servlet.jar ReplayPasswd.java DESGenkey.java
   
   where Access_Manager_install_dir is the location in which you installed Access Manager. The default is /opt/SUNWam.
   
   For example:
   
   # javac -classpath /opt/SUNWam/lib/am_services.jar:/opt/SUNWam/lib/am_sdk.jar:
/opt/SUNWam/lib/servlet.jar ReplayPasswd.java DESGenkey.java
   
2. In the Access Manager Administration Console, click the Access Control tab, click the realm, and then click the Authentication tab. Under General, click Advanced Properties. Scroll down to the Authentication Post Processing Class field. In the text field, type ReplayPasswd.
   
3. Generate the shared key: Go to the lib directory of the Access Manager installation and type:
   
   # java DESGenKey

Note: On the Solaris and Linux platforms, the class files must reside in Access Manager's lib directory; in Windows, in the WEB-INF\classes subdirectory of Access Manager's amserver directory.

To integrate SharePoint with OpenSSO, the open-source version of Access Manager:

1. Download the Web archive (WAR) file from java.net and deploy it in any J2EE platform-compliant servlet container.
   
2. Access OpenSSO.
   
   You are redirected to the Configurator page.
   
3. Fill in the fields as described in the section, Configuring Access Manager 7.1 Using the Configurator, in the Sun Java System Access Manager 7.1 Postinstallation Guide.
   
4. Complete the configuration as follows:
   
   
   1. Perform the first set of steps 1-4 in the Installation and Configuration section to configure ReplayPasswd.class as a post-authorization plug-in.
      
   2. Generate a shared key: Go to the Container_installation_path /webapp/opensso/WEB-INF/lib directory and type:
      
      java com.sun.identity.common.DESGenKey
      
   3. Add the generated key as the value of the com.sun.am.replaypasswd.key property in the AMConfig.properties file in the Container_installation_path /webapp/opensso/WEB-INF/classes directory.
5. Restart the server.

The SharePoint Agent does not support administration of authorization policies, which is tightly integrated with SharePoint's built-in authorization mechanism. However, through Access Manager, you can administer the authorization policies of .NET applications that rely on IIS, making for seamless interoperability between Sun and Microsoft.

Many thanks to Pat Patterson and Aravindan Ranganathan, identity architects at Sun, for their reviews and suggestions for enhancing this article.

• Sun Java System Access Manager
  
  • Main page
  • Developer home
  • Software Forum
• Administrator's Guide for Windows SharePoint Services
  
• Previous articles on Access Manager
  
  • Sun and Microsoft Interoperate for Web Authentication, Part 1 (December 4, 2006)
  • What's Happening in Identity at Sun (September 1, 2006)
  • Configuring Load Balancing for Sun Java System Access Manager (December 14, 2005)
  • Building Identity-Enabled Web Services (October 18, 2005)
  • Federated Identity: Single Sign-On Among Enterprises (October 14, 2004)
• Sun developer services
  
  • Support
  • Training and certification