Configuring Trusted Mode

This section describes the advantages of trusted mode authentication and how to configure it. Trusted mode is one method allowing end users to log onto the 3DEXPERIENCE platform using the same credentials as those already implemented in a third party authentication system.

Trusted mode federation can be implemented when 3DPassport delegates authentication to a third party system, and as an alternative solution when federated SAML implementation is not possible.

  1. Review operating principles and identify key components.

    Trusted mode, unlike other 3DPassport administration mechanisms, is not managed using the admin tools GUI.



    The above operating principle diagram describes how trusted mode federation works when activated:

    • 1. An end user attempts to connect to the 3DEXPERIENCE platform from a client (browser, native app, …).
    • 2. The end user is not authenticated, and the request is redirected to the 3DPassport service.
    • 3. The request goes through an SSO agent component deployed in the TomEE app server. The credentials are checked on the SSO server of the third party identity provider (IdP).
    • 4. The SSO server checks credentials against its user repository.
    • 5. If credentials are successfully checked, the remote user is populated and set in the request and the client is redirected back to the 3DPassport service with a GET or POST request. If credentials are not valid, the agent redirects the end user to the third party identity provider login page.
    • 6. The PreAuth manager checks whether a remote user is present in the request. If the remote user is found, it tries to fetch current user attributes from the repositories (local and external).
    • 6b. If the remote user cannot be found, the request is then processed by the CAS authentication manager (legacy behavior) and callback is performed to the 3DPassport login page if the authenticated session is not valid, or no valid CAS cookie can be found.
    • 7/8. The user service component fetches the user data from the repositories into which the 3DPassport is plugged, for example its own database repository or possibly the customer's own repository (if read only connection is allowed).
    • 9. If the end user is found in a repository, the user session is created and the user is redirected back to the 3DEXPERIENCE platform with a 3DPassport CAS SSO ticket. If the user cannot be found in any repository, the user is redirected back to 3DPassport login page.

    You are now ready to configure trusted mode.

  2. Enable trusted mode.

    You must configure the required resolvers and handler classes that will handle the retrieval of remote users from the request, and activate trusted mode.

    1. Edit the following file:

      <tomee>/webapps/<WEBAPP_NAME>/WEB-INF/spring-configuration/applicationContext-cas.xml

      where <WEBAPP_NAME> is 3dpassport by default.

    2. Set enableTrustedModeFederation in the casServiceAdapterLegacy bean to true:

      <bean id="casServiceAdapterLegacy" class="com.dassault_systemes.dspassport.iamweb.cas.service.impl.CasServiceAdapter" lazy-init="true">

      <property name="enableTrustedModeFederation" value="true"/> 
      …

    3. Modify the preAuthenticationManagers section by uncommenting the following lines:

      ....
      <bean class="org.jasig.cas.adaptors.trusted.authentication.principal.
                   PrincipalBearingCredentialsToPrincipalResolver"/>
      ....
      <bean class="org.jasig.cas.adaptors.trusted.authentication.handler.support.
                   PrincipalBearingCredentialsAuthenticationHandler"/>
      ....
      <property name="preAuthenticationActions">
      	<list>
      		<bean id="principalFromRequestRemoteUser" 
        class="com.dassault_systemes.dspassport.iamweb.cas.authentication.action.impl.
               PreAuthPrincipalFromRequestRemoteUserAction"/>
        <property name="decodeRemoteUser" value="false" />
        <property name="remoteUserHeaderName" value="" />
      </list>
      </property>
      ....
      

      in the appropriate location as illustrated below:

      ...
      <property name="preAuthenticationManagers">
      	<list>
      		<bean id="authenticationManager"
      		class="org.jasig.cas.authentication.AuthenticationManagerImpl">
      			<property name="credentialsToPrincipalResolvers">
      				<list>
      					<bean class="org.jasig.cas.authentication.principal.HttpBasedServiceCredentialsToPrincipalResolver"/>
      					<bean class="org.jasig.cas.adaptors.trusted.authentication.
                   principal.PrincipalBearingCredentialsToPrincipalResolver"/>
      				</list>
      			</property>
      			<property name="authenticationHandlers"> 
      				<list> 
      					<bean class="org.jasig.cas.authentication.handler.support.HttpBasedServiceCredentialsAuthenticationHandler"> 
      			<property name="httpClient" ref="httpClient"/> 
      			<property name="retryTemplate" ref="retryTemplate" /> 
      			<property name="maxAttempts" value="${cas.retry.maxattempts:5}" />
      			<property name="callbackFailedCounter" ref="callbackFailedCounter"></property>
      
      					</bean> 
      					<bean class="org.jasig.cas.adaptors.trusted.authentication.handler.support.PrincipalBearingCredentialsAuthenticationHandler"/> 
      				</list>       
      			</property>
      					</bean>
      				</list>
      			</property>
      			<property name="preAuthenticationActions">
      				<list>
      					<bean id="principalFromRequestRemoteUser" 
        class="com.dassault_systemes.dspassport.iamweb.cas.authentication.action.impl.
               PreAuthPrincipalFromRequestRemoteUserAction"/>
        <property name="decodeRemoteUser" value="false" />
        <property name="remoteUserHeaderName" value="" />
      </list>
      </property>
      ...

      “remoteUserHeaderName” property

      By default, the remote user is retrieved from the request by calling the HttpServletRequest.getRemoteUser method in the PreAuthPrincipalFromRequestRemoteUserAction class.

      The remote user name can also be retrieved from a custom header in the request, by setting the remoteUserHeaderName property for the principalFromRequestRemoteUser bean as follows:

      <bean id="principalFromRequestRemoteUser" 
      class="com.dassault_systemes.dspassport.iamweb.cas.authentication.action.impl.
             PreAuthPrincipalFromRequestRemoteUserAction">
      <property name="remoteUserHeaderName" value="###CUSTOM_HEADER_NAME###"/>
      </bean>

      decodeRemoteUser" property

      By default, the remote user string is not URL decoded so this property is set to false. If the remote user string contains special characters that needs to be URL encoded up-front, then you need to set this property to true.

  3. Configure logout callback.

    When an end user logs out from the 3DEXPERIENCE platform, the end user is also logged out from 3DPassport and must also be logged out from the third party SSO system. So you need to configure the logout callback URL of the third party SSO system.

    1. Edit the following file:

      <tomee>/webapps/<WEBAPP_NAME>/WEB-INF/spring-configuration/applicationContext-cas.xml

      where <WEBAPP_NAME> is 3dpassport by default.

    2. Add the following line in bold, just before the preAuthenticationManagers section as follows:

      ...
      <property name="forceRedirectUrlAfterLogout" value="${iam.cas.force_redirect_url_after_logout}"/>
      <property name="preAuthenticationManagers">
      ...
      Note: The value of the forceRedirectUrlAfterLogout parameter above is a placeholder. The value will be automatically replaced with the placeholder property value set in the dspassport_general.properties file. If you do not want to use a placeholder, you can directly set the URL callback value here, and skip the following steps.

    3. Edit the following file:

      <tomee>/webapps/<WEBAPP_NAME>/WEB-INF/classes/dspassport_general.properties

      where <WEBAPP_NAME> is 3dpassport by default.

    4. Add the following line at the end of the file:

      ...
      iam.cas.force_redirect_url_after_logout=<LOGOUT_CALLBACK_URL>

      and replace <LOGOUT_CALLBACK_URL> by the value of the callback URL of the third party SSO server.

  4. Restart the TomEE web application server to take the configuration into account.

End users can now log onto the 3DEXPERIENCE platform via the logon page of the third party identity provider.