Service Desk Practitioners Forum

Single sign on

SOLVED
Jorge Castilla_
Collector

Single sign on

Hi all,

Is it possible through the Web API to do an integration with Active Directory to enable single sign on? I don't know much about Java programming, but the Web API provides some utilities to manipulate Service Desk data. A data exchange task could be useful for the "integration", but there is a problem updating passwords, so how can it be done without updating to SD 5?

Thanks in advance for your response.

Regards.
6 REPLIES
S Ashok Kumar
Frequent Visitor

Re: Single sign on

I guess with Single Sign On you mean when someone logs into Service Desk that has to be authenticated against Active Directory. Is that right?
E-mail: sakis4@gmail.com
Jeff Kays
Frequent Visitor

Re: Single sign on

We've used Service Desk (via the Web API) to do authentication for web portals we've built. When a user attempts to log into our portal, our web realm gets the user's login and password and attempts to create a Service Desk session. If it works, they are authenticated; otherwise the login fails. You can also change the password in SD via the Web API, but you cannot retrieve someone's current password - it is encrypted. This may pose an issue for you.

jeff
Jorge Castilla_
Collector

Re: Single sign on

Ashok: Yes.

Jeff: You're right. The encryption could be a problem. Furthermore, the single sign on must be integrated at Windows logon session via Active Directory.

Rgds,
S Ashok Kumar
Frequent Visitor

Re: Single sign on

I can think of one solution. If it is a web portal login, authenticate the initial web login against Active Directory using AD APIs. If the AD authentication is successful, you can bind the user with Service Desk using a default password which will have some dependency on the username. The only flip side is that passwords in Service Desk remain a constant.

Hope that partially meets your requirement.

- Ashok
E-mail: sakis4@gmail.com
Radovan Skolnik
Honored Contributor
Solution

Re: Single sign on

I'll tell you a big secret know-how: check out the http://jcifs.samba.org/ project. It is a Java library that acts as a filter to Apache and enables you to retrieve the login name of the user authenticated in AD (works on Unixes as well, as opposed to the AD API).

This is of course half of the solution. When a user accesses the page with this filter, you can read the login name of the authenticated AD user. Now that login name has to be the same as the SD login, or the Person record has to contain it in some field. That way you can find (through WEB-API) the SD Person/Account associated with that AD account. Now, as you have to provide the correct password for that account, the harder part comes. Here's an outline of possible solutions (it's not really SSO but would serve):

If these users access SD only via ServicePages, you can generate a random password and set it on that SD account (through WEB-API). Then you just create a normal SD session using the login name and generated password. If the login fails (for common users using the native client as well), you show the login screen. BEWARE! You cannot use this for users that require login to the native client as well (they would never know their password).

Another option (to save you frequent password changes) is to do some kind of integration (triggered by a Database Rule on enabling (setting to true) a boolean custom field called SSO, for example) that would compute the user's password from its login name by a secret formula (for example MD5 sum or anything you like), set it via WEB-API or sd_event, and implement the same algorithm in your ServicePages. ServicePages would try that password, and if that failed they'd show the common login screen.

We have already created such integration so if you want, contact me at radovan_skolnik@tempest.sk and we can work this further...

This should help, although it requires some Java coding and Apache knowledge as well...

Best regards

Radovan Skolnik
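
An added example, not part of the original thread and not the integration the post mentions: a Java sketch of the two password approaches outlined in the reply above, a random password per login and a password computed from the login name. It assumes the computed variant uses HMAC-SHA-256 with a server-side key, so that knowing the login name and the formula is not enough to reproduce the password; the class, the method names, the normalization rule and the sample key are hypothetical, and the Web API calls that set the password and open the session are left out.

```java
import java.nio.charset.StandardCharsets;
import java.security.SecureRandom;
import java.util.Base64;
import java.util.Locale;
import javax.crypto.Mac;
import javax.crypto.spec.SecretKeySpec;

// Hypothetical helper; none of these names come from Service Desk or its Web API.
public class SsoPassword {
    private static final SecureRandom RNG = new SecureRandom();
    private static final Base64.Encoder B64 = Base64.getUrlEncoder().withoutPadding();

    // First option in the post: a fresh random password for each portal login.
    static String randomPassword() {
        byte[] buf = new byte[18];            // 144 random bits -> 24 characters
        RNG.nextBytes(buf);
        return B64.encodeToString(buf);
    }

    // Assumption: the filter reports DOMAIN\name and Service Desk stores "name".
    // Both sides must normalize the same way or the derived passwords differ.
    static String normalize(String login) {
        return login.substring(login.lastIndexOf('\\') + 1).toLowerCase(Locale.ROOT);
    }

    // Second option in the post: a password computed from the login name.
    // An unkeyed digest such as MD5(login) can be recomputed by anyone who learns
    // the formula; HMAC also needs the key shared by the integration and ServicePages.
    static String derivedPassword(byte[] key, String login) throws Exception {
        Mac mac = Mac.getInstance("HmacSHA256");
        mac.init(new SecretKeySpec(key, "HmacSHA256"));
        byte[] tag = mac.doFinal(normalize(login).getBytes(StandardCharsets.UTF_8));
        return B64.encodeToString(tag).substring(0, 24);
    }

    public static void main(String[] args) throws Exception {
        // Constructed sample key; a real one is random and read from protected config.
        byte[] key = "constructed-sample-key-not-for-use".getBytes(StandardCharsets.UTF_8);
        String a = derivedPassword(key, "CORP\\JSmith");   // constructed logins
        String b = derivedPassword(key, "jsmith");
        String c = derivedPassword(key, "jdoe");
        System.out.println("same account, same password: " + a.equals(b));
        System.out.println("different account differs:   " + !a.equals(c));
        System.out.println("random password length:      " + randomPassword().length());
    }
}
```

With either approach the Service Desk password becomes a machine credential, so the key and the account that sets passwords need the same protection as the passwords themselves.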
Radovan Skolnik
Honored Contributor

Re: Single sign on
