Windows SSO authentication for GBS Workflow Manager
The SSO authentication implementation uses the Waffle framework (https://de.slideshare.net/dblockdotorg/single-signon-with-waffle). It works with any of the browsers supported by the GBS Workflow Manager version. However, the server has to be a Microsoft Windows server.
A user is automatically logged in to GBS Workflow Manager if the feature is activated and his Windows login name is stored in his Person document in the Workflow Manager domain. If the user is a member of more than one Workflow Manager domain, the first one is always used.
Prerequisites for the use of the SSO authentication feature
To provide this feature for Workflow Manager users, make sure that the following requirements are met.
1. Ensure the integration of the Windows Server in the used domain
The Windows server, on which Workflow Manager Server is installed, needs to be connected to an Active Directory and to be part of an AD domain.
The users that are supposed to use the SSO authentication method need to be listed in the AD, because this is checked by Waffle.
2. Activation of the feature in the configuration file
- To activate the feature, add the following row to the properties configuration file which is located in the "...\wildfly-15.0.1.final\standalone\GBSWorkflowManager\configuration\" folder:
- Restart the server after having made these changes to the configuration file.
3. Presence of the user's 'Windows login name' in the person document
The Windows login name of each user has to be available in the corresponding user's person document of the Workflow Manager domain.
In case of an Active Directory synchronization or Azure Active Directory synchronization, it is available automatically, otherwise a new field has to be configured.
- Case 1: With Active Directory synchronization or Azure AD synchronization
=> Windows login name is read from the default Active Directory User-Name
If the synchronization with the Active Directory or Azure Active Directory is in place, during synchronization, the Windows login name of each user is automatically stored and displayed in the Person document in a field named Active Directory User-Name. The technical name of the field is activeDirName.
- Case 2: With or without Active Directory synchronization or Azure AD synchronization
=> Windows login name is read from an additional field (created through an additional property):
Add the following row to the properties file:
After having made these changes to the configuration file, restart the server. Now, the following applies:
- The additional field named Windows login name will be displayed in the person document.
- In this field, the Windows login name has to be entered manually.
- The content of this additional field is used for the respective person's SSO Windows authentication no matter whether any Active Directory synchronization is in place or not.
- Tip: The current user's Windows login name can be obtained with the DOS command "whoami"; it also appears as the name of the current user's profile folder, e.g. "C:\Users\arno.rautmann".
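The lookup described in sections 3 and 4 above (match the Windows login name delivered by Waffle against the person documents, take the first Workflow Manager domain, use the additional field when it is configured) can be modelled as follows. This is an added example, not GBS or Waffle code; it assumes person documents are dicts, that the additional field has the hypothetical technical name windowsLoginName, and that once the additional property is configured only that field is consulted (the page does not say whether activeDirName remains a fallback). It also handles the case where whoami-style "DOMAIN\user" and UPN "user@domain" spellings must be compared. Note that this step runs after Waffle has already authenticated the user with the AD; the lookup itself never authenticates anyone.

```python
"""Model of the SSO person lookup (added example, not GBS Workflow Manager code)."""
from __future__ import annotations
from typing import Optional

# Constructed sample data: two Workflow Manager domains with person documents.
# "activeDirName" is the field filled by AD/Azure AD synchronization (Case 1);
# "windowsLoginName" is a hypothetical name for the manually filled field (Case 2).
DOMAINS = [
    {"name": "Sales", "persons": [
        {"personId": "p1", "activeDirName": "EXAMPLE\\arno.rautmann"},
        {"personId": "p2", "activeDirName": "EXAMPLE\\jane.doe",
         "windowsLoginName": "EXAMPLE\\jdoe"},
    ]},
    {"name": "Support", "persons": [
        {"personId": "p3", "activeDirName": "EXAMPLE\\arno.rautmann"},
        {"personId": "p4", "windowsLoginName": "EXAMPLE\\sam.lee"},
    ]},
]


def normalize_login(login: str) -> str:
    """Canonicalize a Windows login name for comparison.

    Accepts "DOMAIN\\user" (as printed by whoami) or "user@domain.tld" (UPN)
    and returns lower-case "domain\\user". Assumption: the page does not say
    which spelling Waffle delivers, so both are accepted here.
    """
    login = login.strip()
    if "@" in login and "\\" not in login:
        user, _, domain = login.partition("@")
        domain = domain.split(".")[0]          # NetBIOS-style short domain name
        login = f"{domain}\\{user}"
    return login.lower()


def stored_login(person: dict, additional_field: Optional[str]) -> Optional[str]:
    """Return the login name stored for this person document.

    If the additional property is configured (Case 2), only the additional
    field counts and it must have been entered manually; otherwise the
    synchronized activeDirName field is used (Case 1).
    """
    if additional_field:
        return person.get(additional_field)
    return person.get("activeDirName")


def find_sso_user(windows_login: str, domains: list,
                  additional_field: Optional[str] = None) -> Optional[tuple]:
    """Return (domain name, person id) for an authenticated Windows login.

    Domains are scanned in order, so a user present in several Workflow
    Manager domains is always resolved to the first one. None means no
    automatic login: the user gets the normal "Authentication required" dialog.
    """
    wanted = normalize_login(windows_login)
    for domain in domains:
        for person in domain["persons"]:
            stored = stored_login(person, additional_field)
            if stored and normalize_login(stored) == wanted:
                return domain["name"], person["personId"]
    return None


if __name__ == "__main__":
    # Case 1: synchronized field, user in two domains -> first domain wins.
    print(find_sso_user("EXAMPLE\\arno.rautmann", DOMAINS))
    # Case 2: additional field configured, but p1 never had it filled in.
    print(find_sso_user("EXAMPLE\\arno.rautmann", DOMAINS, "windowsLoginName"))
```

Running the module shows the two behaviours a support engineer most often has to explain: a user listed in several Workflow Manager domains is always resolved to the first one, and after switching to the additional field a person whose field was never filled in manually is no longer logged in automatically.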
4. Configuration of the users' browsers for single sign-on
The feature requires the configuration of browsers for single sign-on.
For more information, refer to https://github.com/Waffle/waffle/blob/master/Docs/ConfiguringBrowsers.md.
If the SSO configuration is not done correctly, the user might see the Authentication required dialog.
In this case, the user has to change the settings on his local browser. There are specific settings for the different browsers.
Firefox single sign-on configuration
- Type about:config in the address bar and hit enter.
- Type network.negotiate-auth.trusted-uris in the Filter (German "Suchen") box.
- Double click "network.negotiate-auth.trusted-uris" to open the dialog for the new value. Enter your server name (such as "http://localhost:8080") as the value. If you have more than one server, you can enter them all as a comma-separated list.
- Close the tab.
The setting takes effect immediately; reload the page in another tab.
Internet Explorer (and Chrome) single sign-on configuration
Ensure that Integrated Windows Authentication is enabled:
- Choose Tools > Internet Options (German: "Extras/Internetoptionen").
- Click the Advanced tab (German: "Erweitert").
- Scroll down to Security (German: "Sicherheit").
- Check Enable Integrated Windows Authentication.
- Restart the browser.
The target website must be in the Intranet Zone.
- Navigate to the website.
- Choose Tools > Internet Options.
- On the Security tab (German: "Sicherheit"), click the "Local Intranet" icon to select the zone.
- Click Sites.
- Check Automatically detect intranet network. (German: "Alle lokalen Sites (Intranet), die nicht in anderen Zonen aufgeführt sind, einbeziehen")
If the above did not solve the problem, click Advanced and add the website to the list of intranet sites.
Last updated: 28.11.2019