30 proxy authenticator, Requirements, Proxy authenticator additional information – HP Systems Insight Manager User Manual

Page 162


30 Proxy authenticator

HP SIM supports user authentication against the underlying operating system as well as against a
Lightweight Directory Access Protocol (LDAP) server (including Active Directory). However, HP SIM
does not support existing enterprise SSO solutions such as Java Open Single Sign On
(JOSSO), Central Authentication Service (CAS), Shibboleth, Security Assertion Markup Language
(SAML), and so on. By adhering to certain HP SIM interface requirements, a generic authenticator
can be written to meet enterprise SSO needs.

Requirements

OEM clients must provide an authenticator that meets the following requirements:

It provides an HTTP(S) interface.

It accepts GET/POST HTTP operations and responds with success or failure in XML messages.

It includes the user name and role (administrator, operator, or user) in the success response.

Proxy authenticator additional information

HP SIM provides a proxy authenticator security module that can be customized using
various properties. Some of the properties are configurable only through a property file,
SecuritySettings.props, found in the SIM_HOME/config folder, where SIM_HOME refers
to the location where HP SIM is installed. Some of the property values mentioned in the property
file can be overridden at runtime. For more details regarding which properties are mandatory
in the property file and which ones can be overridden from URL parameters, refer to
the section “Settings to be made in HP SIM” (page 163).

The proxy authenticator creates the user dynamically based on the success response from the
authenticator. Also, on every successful response from the authenticator, the role is checked
and the necessary authorizations are modified dynamically.

The user’s authorization is modified if and only if there is a change in the user’s role from
the previous login (if applicable).

The proxy authenticator fails if the user name matches the default HP SIM administrator
(Administrator for Windows and root for Linux and HP-UX).

The proxy authenticator works only for the Web GUI sign-in for HP SIM; however, it can
co-exist with the existing form-based authentication mechanisms, in which a user logs in
using a user name and password.

Any changes to SecuritySettings.props should be made by a user with
Administrator rights; they also require a restart of the HP SIM service.
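
The sign-in rules described above (dynamic user creation, authorization change only when the role changes, and refusal of the default administrator name) can be sketched as follows. This is an added example, not HP SIM code: the XML element names, the function names and the in-memory account store are assumptions, since the manual page does not show the response schema.

```python
import xml.etree.ElementTree as ET

ALLOWED_ROLES = {"administrator", "operator", "user"}  # the three roles the manual names

# Constructed sample response; <authResponse>, <status>, <user>, <role> are hypothetical names.
SAMPLE_OK = ("<authResponse><status>success</status>"
             "<user>jdoe</user><role>operator</role></authResponse>")


class AuthRejected(Exception):
    """The authenticator response must not result in a sign-in."""


def parse_response(xml_text):
    """Return (user, role) from a success response, else raise AuthRejected."""
    if "<!DOCTYPE" in xml_text.upper():  # these messages need no DTD; refuse entity definitions
        raise AuthRejected("DTD not allowed")
    try:
        root = ET.fromstring(xml_text)
    except ET.ParseError as exc:
        raise AuthRejected("malformed XML") from exc
    if root.tag != "authResponse" or root.findtext("status") != "success":
        raise AuthRejected("authenticator did not report success")
    user = (root.findtext("user") or "").strip()
    role = (root.findtext("role") or "").strip().lower()
    if not user or role not in ALLOWED_ROLES:
        raise AuthRejected("missing user name or unknown role")
    return user, role


def sign_in(xml_text, accounts, default_admin):
    """Apply the rules to `accounts` (user name -> role at previous login).

    `default_admin` is "Administrator" on Windows, "root" on Linux and HP-UX.
    Returns "created", "role-changed" or "unchanged".
    """
    user, role = parse_response(xml_text)
    # Case-insensitive comparison is a conservative assumption of this sketch.
    if user.casefold() == default_admin.casefold():
        raise AuthRejected("default administrator cannot sign in through the proxy")
    previous = accounts.get(user)
    if previous is None:
        accounts[user] = role          # user is created dynamically on first success
        return "created"
    if previous != role:
        accounts[user] = role          # authorizations change only when the role changed
        return "role-changed"
    return "unchanged"
```
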

Since the interface requirement is simple - HTTP(S) with XML response, it is assumed that the
Administrator is taking into account various network security implications. For example, while
