Clarity

  • 1.  SINGLE SIGN-ON with LDAP (ACTIVE DIRECTORY) - CLARITY V.12

    Posted Mar 24, 2009 05:12 PM
    We're having problems getting single sign on to work for our install of Clarity 12.  Every time we go to  www.niku.com.  It appears that the LDAP Server settings are configured correctly because the LDAP - Synchronize New and Changed Users  runs properly and accounts are imported in correctly. Furthermore, we are able to log into Clarity successfully using our NT credentials; just SSO is not working.  I am able to find any hints in the log files either.

    WINDOWS 2003 SP3
    CLARITY VERSION 12
    APACHE VERSION
    SQL 2005
    FRESH INSTALL OF CLARITY 12 (NOT UPGRADED)
    INTERNET EXPLORER 6.0 (although we have the same problem in Firefox.)

    #1 - I have read mentions of an SSO server. Is this required on all platforms?
    #2 - What is the meaning of the "Token Name" setting? The default is AUTH_TOKEN.
    #3 - Is the SSL Keystore required for Single Sign On to work?


  • 2.  Re: SINGLE SIGN-ON with LDAP (ACTIVE DIRECTORY) - CLARITY V.12

    Posted Apr 02, 2009 07:41 AM
    1. What is your Single Sign On application (ex. Siteminder)?
    2. "Token Name" is a session variable that your SSO application will look to ensure whether it is a valid session or else it will authenticate again. Differs based on SSO app?
    3. I think you are talking about "Authentication Error URL" which is set to www.niku.com. You will get redirected if you get any authentication error. Your SSO app should have a logout URL and "Authentication Error URL".
    4. SSL keystore configuration in Clarity is not required for Single Sign On in general.


  • 3.  Re: SINGLE SIGN-ON with LDAP (ACTIVE DIRECTORY) - CLARITY V.12

    Posted Apr 06, 2009 01:04 PM
    So I think I'm confused as to what the SSO feature really is with Clarity. Do we need a Single-Sign-On server/application? If so, this seems to mean that Clarity only supports integration with a Single-Sign-On Product and does not support SSO through NTLM Authentication. This seems strange since Clarity already supports "External" authentication and is also able to Synchronize users to an Active Directory group using LDAP. I can already log into Clarity by typing in my network credentials, I'm just surprised it doesn't take it a step farther and request the browser for it.

    Incidentally, we did find a file called sso-template-jsp.txt on the server that Clarity supplies with the install. This file contains code on how to log into Clarity through SSO but just requires a username. We got it to work by including some code we found through Google about performing NTLM authentication through Java servlets. However, we probably won't go with it because the overall solution appears to be insecure.

    We still really want this to work if it doesn't require us spending a ton of money on a product or development. If anyone has a clue please chime in.


  • 4.  Re: SINGLE SIGN-ON with LDAP (ACTIVE DIRECTORY) - CLARITY V.12

    Posted May 29, 2009 12:23 PM
    I believe you will need a single sign on application / server to complete an auto login rather than just storing the user credentials. Since Clarity is Java-based it knows nothing about your Active Directory or the ability to integrate with it. I made Citrix Password Manager SSO solution available for users that wanted to store their login and password for single sign on. This requires some setup but not as difficult or expensive as other SSO solutions out there.

    I am not sure if enabling Kerberos authentication will provide you with the single sign on requirement you are looking to have met. I have investigated enabling Kerberos but it was for Windows systems that were member servers in my AD, but it was taking too much of my time to successfully implement, and have abandoned that effort for now.


  • 5.  Re: SINGLE SIGN-ON with LDAP (ACTIVE DIRECTORY) - CLARITY V.12

     
    Posted Jun 01, 2009 09:05 AM
    Adding a note to push this forward after board consolidation.


  • 6.  Re: SINGLE SIGN-ON with LDAP (ACTIVE DIRECTORY) - CLARITY V.12

    Posted Jun 02, 2009 08:04 AM
    I think this would be a good topic for a knowledgebase technical document. The existing Clarity documentation is not clear when it comes to describing what elements are required to get SSO to work or how to go about configuring them. Like you I had assumed that NT alone was all that was needed - especially since LDAP authentication works with no external application. The potential difficulties of dealing with account switching in an SSO environment (for example from an LDAP listed user to "Admin" and back) are also not currently documented.


  • 7.  RE: SINGLE SIGN-ON with LDAP (ACTIVE DIRECTORY) - CLARITY V.12

    Posted Apr 27, 2012 07:36 PM

    omplata wrote:

    We're having problems getting single sign on to work for our install of Clarity 12.  Every time we go to  www.niku.com.  It appears that the LDAP Server settings are configured correctly because the LDAP - Synchronize New and Changed Users  runs properly and accounts are imported in correctly. Furthermore, we are able to log into Clarity successfully using our NT credentials; just SSO is not working.  I am able to find any hints in the log files either.

    WINDOWS 2003 SP3
    CLARITY VERSION 12
    APACHE VERSION
    SQL 2005
    FRESH INSTALL OF CLARITY 12 (NOT UPGRADED)
    INTERNET EXPLORER 6.0 (although we have the same problem in Firefox.)

    #1 - I have read mentions of an SSO server. Is this required on all platforms?
    #2 - What is the meaning of the "Token Name" setting? The default is AUTH_TOKEN.
    #3 - Is the SSL Keystore required for Single Sign On to work?

    So where did you end up with this, OMPLATA?

    We have been wanting to configure the same thing for a while now but it doesn't seem trivial and it is not well documented IMHO.
    Our latest upgrade is Version 12.1.x on Windows 2008 (64-bit) clustered ! to an Oracle DB

    Users are imported fine from Active Directory and using LDAP we can login manually.
    When we turn on SSO feature it just flips you over to a logout page.

    Anyone who has done this before, what do we need to take our NTLM Session (cookie, token, whatever), strip out the DOMAIN part of the user and pass the username in to get transparent single-sign-on?
    Do we need IIS lit up and a custom ISAPI plugin to pass into Tomcat (from what I have seen in other apps) or something a lot simpler?
    We don't have a portal app for the launch page but I do believe we have Centrify (if that helps us here).
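
    Added example (not from the thread, and not Clarity or vendor code): a Python sketch of the check the last post asks about and of the weakness post 3 describes with a username-only login, assuming an authenticating front end forwards the identity in a header named after the default Token Name, AUTH_TOKEN. The proxy address, domain names and function names are constructed for illustration.

```python
import ipaddress
import re

# Constructed sample values (assumptions, not from the thread).
TRUSTED_PROXIES = {ipaddress.ip_address("10.0.0.5")}   # authenticating front end
ALLOWED_DOMAINS = {"CORP", "CORP.EXAMPLE.COM"}         # NetBIOS and DNS forms
TOKEN_HEADER = "AUTH_TOKEN"   # default "Token Name" quoted in the thread
USERNAME_RE = re.compile(r"[A-Za-z0-9._-]{1,64}")


def normalize_principal(principal):
    """Reduce DOMAIN\\user or user@REALM to a bare username, else None."""
    principal = principal.strip()
    if "\\" in principal:
        domain, _, user = principal.partition("\\")
    elif "@" in principal:
        user, _, domain = principal.rpartition("@")
    else:
        return None   # no domain part: unknown which directory vouched for it
    if domain.upper() not in ALLOWED_DOMAINS:
        return None   # identity from a domain we do not synchronize users from
    if not USERNAME_RE.fullmatch(user):
        return None   # rejects extra separators, whitespace, control characters
    return user.lower()


def sso_username(peer_ip, headers):
    """Return the username to log in, or None to fall back to the login form.

    headers is a list of (name, value) pairs as received, duplicates included.
    """
    if ipaddress.ip_address(peer_ip) not in TRUSTED_PROXIES:
        return None   # a client reaching the app directly can forge the header
    # Header names are case-insensitive and some servers fold '-' and '_',
    # so treat AUTH-TOKEN and auth_token as the same header.
    values = [v for k, v in headers
              if k.upper().replace("-", "_") == TOKEN_HEADER]
    if len(values) != 1:
        return None   # absent, or a client-supplied copy next to the proxy's
    return normalize_principal(values[0])


if __name__ == "__main__":
    # Constructed requests: (peer address, headers)
    print(sso_username("10.0.0.5", [("AUTH_TOKEN", "CORP\\jsmith")]))
    print(sso_username("192.0.2.44", [("AUTH_TOKEN", "CORP\\admin")]))
    print(sso_username("10.0.0.5", [("Auth-Token", "admin"),
                                    ("AUTH_TOKEN", "CORP\\jsmith")]))
```

    The same rule applies on the front end itself: it should drop any inbound copy of the token header before setting its own, and the application port should not be reachable except through it.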