
1. Configuring Single-Sign-On (SSO) for T24 Browser:


T24 Browser implements a Single Sign-On (SSO) mechanism. This allows already authenticated users to provide credentials in the login request so as to suppress the standard T24 Browser login page.

To configure the SSO mechanism the following must be done:
1) Single Sign-On Filter - Uncomment the single sign-on filter in the web.xml
2) HTTP request - To ensure that the single sign-on filter is invoked, all HTTP requests should contain a Principal, i.e. an object that implements the public abstract interface java.security.Principal.

For further information on SSO configuration including LDAP, Certificates & Identities, refer to the Security Service Installation & Configuration Guide Release 1.5.

This document is aimed at providing guidance to configure the TCServer and TCClient for setting up the environment for T24 Browser and ARC-IB with an LDAP Directory server. This setup makes it possible to add EB.EXTERNAL.USER to the LDAP server and to authenticate the external user using the LDAP server.

2. Configuring HTTP BASIC Authentication for T24 Browser:

The T24 Browser servlet can be protected by the standard HTTP BASIC
Authentication mechanism. The implementation of this access
authentication mechanism in T24 Browser relies on the Java
Authentication and Authorization Service (JAAS).
1) Secure the BrowserWeb application - Uncomment the BasicAuthenticationFilter in the web.xml
2) Specify the JAAS Realm for BrowserWeb
This will be specific to the web server that the BrowserWeb is deployed on.

In Tomcat 5.5 locate the Context configuration file:

<TOMCATDIR>\conf\Catalina\localhost\<WebAppName>.xml

In a typical installation the path would be:

<TOMCATDIR>\conf\Catalina\localhost\BrowserWeb.xml

Ensure that the following entries exist:

<Context reload="true">
    <Realm appName="T24"
           className="org.apache.catalina.realm.JAASRealm"
           roleClassNames="com.temenos.t24browser.security.authentication.T24RolePrincipal"
           userClassNames="com.temenos.t24browser.security.authentication.T24UserPrincipal,com.temenos.t24browser.security.authentication.T24Principal"/>
</Context>

3) Create & Deploy the JAAS Configuration File

Create a file and call it t24BasicAuth.config

Enter the following text:

T24 {
    com.temenos.t24browser.security.authentication.BasicAuthLoginModule Requisite debug="true";
};

Save this file to a location of your choice, e.g. C:\JAASConfig\T24Browser\

Tell the Tomcat server Java VM to use this authorisation login configuration file via a command line parameter:

-Djava.security.auth.login.config="C:\JAASConfig\T24Browser\t24BasicAuth.config"

4) Login to T24
Once the above has been configured correctly, and the web server fully reset, it is possible to test this functionality by attempting to log in to T24.

As soon as the user navigates to the T24 Browser URL, e.g.
http://localhost:8080/BrowserWeb/servlet/BrowserServlet
a dialog will appear to prompt for a Username & Password. The T24 username and password should be supplied and OK pressed.

If the credentials supplied are valid then the user will be presented with the appropriate T24 home page. If the credentials are not valid and result in a SECURITY VIOLATION then the servlet will respond with a HTTP error 401 unauthorised.

NOTE: Due to web browsers such as IE & Firefox caching the user credentials and automatically re-submitting them when required, it is necessary to close the browser window before an alternative set of credentials can be supplied. This is standard behaviour of web browsers and BASIC authentication.

4) BASIC Authentication as a Single Sign-On Mechanism


It is possible to override the authentication dialog by supplying the user credentials in a specified format in the HTTP header section of the request.

To receive authorisation, the client sends the username and password, separated by a single colon (":") character, within a base64 encoded string in the credentials.

If the user agent wishes to send the username "Aladdin" and password "open sesame", it would use the following header field:

Authorization: Basic QWxhZGRpbjpvcGVuIHNlc2FtZQ==

Users can be authorised & logged on to T24 in one step. If the credentials are not valid and result in a SECURITY VIOLATION then the servlet will respond with a HTTP error 401 unauthorised.
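The header format described above, worked through as an added example; this is not code from the original guide or from T24 Browser, and the function names are hypothetical. It builds and parses the credentials field, including the edge cases a receiving filter has to handle, and shows that the encoding is reversible by anyone who sees the request, so the header is only protected when the connection itself is encrypted (HTTPS).

```python
import base64

# Header value taken from the guide's own example.
GUIDE_HEADER = "Basic QWxhZGRpbjpvcGVuIHNlc2FtZQ=="


def build_basic_header(username: str, password: str) -> str:
    """Build the value of the Authorization header for HTTP BASIC."""
    # The first colon separates the two fields, so the username cannot hold one.
    if ":" in username:
        raise ValueError("username must not contain ':'")
    token = base64.b64encode(f"{username}:{password}".encode("utf-8"))
    return "Basic " + token.decode("ascii")


def parse_basic_header(value: str):
    """Return (username, password), or None when the header is not usable.

    A None result is the case in which a server would answer 401.
    """
    scheme, _, token = value.strip().partition(" ")
    # The scheme name is matched case-insensitively.
    if scheme.lower() != "basic" or not token.strip():
        return None
    try:
        # validate=True rejects characters outside the base64 alphabet
        # instead of silently discarding them.
        decoded = base64.b64decode(token.strip(), validate=True).decode("utf-8")
    except ValueError:  # covers binascii.Error and UnicodeDecodeError
        return None
    # Split on the FIRST colon only: passwords may contain colons.
    username, sep, password = decoded.partition(":")
    if not sep or not username:
        return None
    return username, password


def credentials_in_guide_example():
    """Decode the guide's header: base64 is an encoding, not encryption."""
    return parse_basic_header(GUIDE_HEADER)


if __name__ == "__main__":
    print(credentials_in_guide_example())
    print(parse_basic_header(build_basic_header("user", "a:b:c")))
    print(parse_basic_header("Basic not*base64"))
```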

3. Single Sign-On with Siteminder:


T24 Browser uses an interactive screen to allow the users to log in to the T24 system. With this enhancement, no login screen will be displayed. Users will click a hyperlink from a third party web application to access T24 Browser.

The T24 Browser request will be intercepted by a filter called CookieFilter; the filter will extract the UserName from the cookie and pass the sign-on name to T24. No password is stored in the request and no password will be passed to T24. This user is already authenticated by external systems, so password validation will be bypassed in T24.

T24 users are authenticated externally by a third party system.

The cookie name is configurable in the serv.config property file; the location of the property file should be mentioned in the system property of the server.

Perform the following changes in <WebServerHome>/BrowserWeb/WEB-INF/web.xml

To process the request by CookieFilter, remove the comment from the tags below. With this, your request and response will be processed by CookieFilter.

A generic customisable page is designed for sign-out from T24 and for other error scenarios.

To allow the user to log in to the T24 Browser, the following changes need to be made in the OFS.SOURCE record of the browser.

OFS.SOURCE record updated

If the value for the field ATTRIBUTES is set as PREAUTHENTICATED and the value for the field SOURCE.TYPE is set as SESSION, the T24 BROWSER user will be treated as a pre-authenticated user. Only sign-on name authentication will be done.
