Wednesday, 14 January 2015

Concepts of step-up authentication and the Remember me cookie (IBM WebSphere Portal)

Step-up authentication provides different authentication levels for pages and portlets. The Remember me cookie is an encrypted HTTP cookie that supports authentication.

The Remember me cookie does not extend the Portal Personalization feature to the public area. When the Remember me cookie identifies a user in a public area, the user is still considered anonymous from an access control point of view.

Step-up authentication requires the LtpaToken2 for single sign-on.


Prerequisite: WebSphere SSO settings (apply these before setting authentication levels)

In the IBM WebSphere Administrative Console, go to Security > Global security > Web and SIP security > Single sign-on (SSO). Enable Interoperability Mode and Web inbound security attribute propagation.


Enable the Remember me cookie only
  • Edit wp_profile_root/ConfigEngine/properties/wkplc.properties and change the value of enable_rememberme to an empty value:

enable_rememberme=true
 to
enable_rememberme=

  • In wkplc.properties, set values for the following parameters:

        sua_user
        The key that is used to encrypt the cookie information. The value does not need to match a real user.

          sua_user=
          to
          sua_user=samplerememberuser

        sua_serversecret_password
        The encryption key for the information in the RememberMe cookie, which is part of step-up authentication. This does not need to be an existing password, but it is the secret that protects every Remember me cookie the portal issues: choose a long, random value, never deploy the sample value shown here, and restrict read access to wkplc.properties, which holds the value in clear text.

          sua_serversecret_password=
          to
          sua_serversecret_password=samplerememberpassword

  • Run the following command (replace password with the WebSphere administrator password):

              ConfigEngine.bat enable-rememberme -DWasPassword=password

  • Restart the Portal server.
  • Log in to the Portal server; the Remember me option now appears on the login page.
  • Log out and log in again.


Enable step-up authentication only
  • Edit wp_profile_root/ConfigEngine/properties/wkplc.properties and change the value of enable_rememberme to false:

enable_rememberme=true
 to
enable_rememberme=false

  • Run the following command:

                ConfigEngine.bat enable-stepup-authentication

  • Restart the Portal server.
  • The Resource Permissions of pages and portlets now offer additional authentication levels:

          Standard
             Set the Authentication Level to Standard if you want anonymous and identified users to view the page or portlet. The Standard level has the following two states, based on the access control setting for the page or portlet:
    • If anonymous users have access to the page or portlet, no authentication is required.
    • If only authenticated users have access to the page or portlet, authentication is required.

          Authenticated
             Set the Authentication Level to Authenticated if you want anonymous and identified users to log in to view the page or portlet.

Enable both step-up authentication and Remember me
  • Edit wp_profile_root/ConfigEngine/properties/wkplc.properties and change the value of enable_rememberme to true:

enable_rememberme=
 to
enable_rememberme=true

  • In wkplc.properties, set values for the following parameters:

        sua_user
        The key that is used to encrypt the cookie information. The value does not need to match a real user.

          sua_user=
          to
          sua_user=samplerememberuser

        sua_serversecret_password
        The encryption key for the information in the RememberMe cookie, which is part of step-up authentication. This does not need to be an existing password; treat it as a production secret (long, random, and not the sample value shown here) and restrict read access to wkplc.properties, which holds it in clear text.

          sua_serversecret_password=
          to
          sua_serversecret_password=samplerememberpassword

  • Run the following command:

                 ConfigEngine.bat enable-stepup-authentication

  • In the IBM WebSphere Administrative Console, click Resources > Resource Environment > Resource Environment Providers > WP RememberMeConfigService. Create a custom property named j2eeAuthenticate with the value true.
  • Restart the Portal server.
  • Log in to the Portal server; the Remember me option now appears on the login page.
  • Log out and log in again.

  • The Resource Permissions of pages and portlets now offer additional authentication levels (Standard, Identified, Authenticated).

              Identified
                   Set the Authentication Level to Identified if you want to control whether content is displayed to an unauthenticated user based on the existence of a persistent HTTP cookie. This option is intended for pages and portlets that are visible to anonymous users. An example is the Remember me on this computer option during login; this option generates the com.ibm.portal.RememberMe cookie. If a user previously authenticated to WebSphere Portal and then returns with the com.ibm.portal.RememberMe cookie, the user is "identified" and the content is displayed. If a user attempts to access WebSphere Portal without the com.ibm.portal.RememberMe cookie, the user is asked to authenticate before the content is displayed. Note that an identified user is still anonymous from an access control point of view, so the Identified level controls only what is shown, not what the user is entitled to.
    CAUTION:
    Do not set the Access level to Identified for the Login portlet. This action causes problems when a user logs in to WebSphere Portal.
  • I have created a page called test, with friendly URL: testpage. I have set the authentication level to Identified.

  • Since you checked the Remember me option, you can now log in to the page directly without entering credentials.

          http://wpportal85.sample.com:10039/wps/myportal/Home/testpage
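The three procedures above (Remember me only, step-up only, both) differ only in the value of enable_rememberme, whether the sua_* secrets are set, and which ConfigEngine task is run. The following Python script is an added example, not part of the original post and not IBM's ConfigEngine tooling: it applies each configuration to a constructed excerpt of wkplc.properties, generates a random secret instead of the sample values, and lints the result before the ConfigEngine task would be run. The default sua_user value portal-rememberme, the 16-character minimum secret length and the <was_admin_password> placeholder are assumptions of the example.

```python
"""Added example (not IBM's tooling): rewrite wkplc.properties for the three
configurations on this page and lint the result before ConfigEngine is run."""
import re
import secrets

# Property keys and the enable_rememberme values exactly as the page gives them.
MODES = {
    "rememberme-only": {"enable_rememberme": "", "needs_secret": True},
    "stepup-only":     {"enable_rememberme": "false", "needs_secret": False},
    "both":            {"enable_rememberme": "true", "needs_secret": True},
}
# Placeholder values from the page that must never reach a real server.
SAMPLE_VALUES = {"samplerememberuser", "samplerememberpassword"}

# Constructed stand-in for the relevant lines of wkplc.properties.
SAMPLE_WKPLC = (
    "# constructed excerpt of wp_profile_root/ConfigEngine/properties/wkplc.properties\n"
    "enable_rememberme=true\n"
    "sua_user=\n"
    "sua_serversecret_password=\n"
)


def get_property(text, key):
    """Value of key=... in a Java .properties text, or None if the key is absent."""
    m = re.search(rf"^{re.escape(key)}\s*=(.*)$", text, re.MULTILINE)
    return m.group(1).strip() if m else None


def set_property(text, key, value):
    """Replace the first key=... line in place, or append it if missing."""
    line = f"{key}={value}"
    pattern = re.compile(rf"^{re.escape(key)}\s*=.*$", re.MULTILINE)
    if pattern.search(text):
        return pattern.sub(lambda _m: line, text, count=1)
    return text.rstrip("\n") + "\n" + line + "\n"


def configure(text, mode, sua_user="portal-rememberme", secret=None):
    """Apply one of the three configurations. A fresh random secret is generated
    unless the caller supplies one. The default sua_user is a hypothetical name."""
    spec = MODES[mode]
    text = set_property(text, "enable_rememberme", spec["enable_rememberme"])
    if spec["needs_secret"]:
        text = set_property(text, "sua_user", sua_user)
        text = set_property(text, "sua_serversecret_password",
                            secret or secrets.token_urlsafe(32))
    return text


def lint(text):
    """Problems a reviewer would flag before running ConfigEngine."""
    problems = []
    for key in ("sua_user", "sua_serversecret_password"):
        if get_property(text, key) in SAMPLE_VALUES:
            problems.append(f"{key} still carries the sample value from the guide")
    # On this page Remember me is active for both "" (rememberme-only) and "true" (both).
    if get_property(text, "enable_rememberme") in ("", "true"):
        secret = get_property(text, "sua_serversecret_password")
        if not secret:
            problems.append("Remember me enabled but sua_serversecret_password is empty")
        elif len(secret) < 16:  # assumed minimum for this example
            problems.append("sua_serversecret_password is shorter than 16 characters")
    return problems


def configengine_command(mode):
    """The ConfigEngine task the page runs for each mode (placeholder for the WAS password)."""
    if mode == "rememberme-only":
        return "ConfigEngine.bat enable-rememberme -DWasPassword=<was_admin_password>"
    return "ConfigEngine.bat enable-stepup-authentication"


if __name__ == "__main__":
    for mode in MODES:
        out = configure(SAMPLE_WKPLC, mode)
        print(f"--- {mode}: {configengine_command(mode)}")
        print(out, "lint:", lint(out) or "clean")
```

Run it against a copy of the real wkplc.properties by reading the file into `text` instead of `SAMPLE_WKPLC`; the lint step is the part worth keeping in a change pipeline, because the sample values from this guide are exactly what tends to get copied into production.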
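To make the Standard, Identified and Authenticated levels concrete, here is an added Python model of the decision the portal makes for a request; it is not code from this post or from WebSphere Portal. It looks for the com.ibm.portal.RememberMe and LtpaToken2 cookies named on this page and returns both what is shown and who access control sees, which is where the Remember me cookie's limit (an identified user is still anonymous for access control) shows up. Treating the mere presence of LtpaToken2 as a valid session, the check_assignment helper and the constructed sample requests are simplifications of the example; the real server validates the token.

```python
"""Added example (not part of the original post or of WebSphere Portal): a model of the
Standard / Identified / Authenticated levels, driven by the cookies in a request."""

REMEMBER_ME_COOKIE = "com.ibm.portal.RememberMe"  # cookie name given on the page
LTPA_COOKIE = "LtpaToken2"                         # SSO token step-up authentication relies on


def cookie_names(cookie_header):
    """Set of cookie names present in a raw 'Cookie:' request header value."""
    names = set()
    for part in (cookie_header or "").split(";"):
        name, sep, _value = part.strip().partition("=")
        if sep and name:
            names.add(name)
    return names


def decide(level, anonymous_allowed, cookie_header):
    """Return (action, principal) for a page or portlet at the given authentication level.

    action    : 'show' or 'login'
    principal : 'user' when an LtpaToken2 is present, otherwise 'anonymous', which is
                what access control sees even when the RememberMe cookie is present.
    Presence of LtpaToken2 stands in for a validated SSO session in this model.
    """
    names = cookie_names(cookie_header)
    authenticated = LTPA_COOKIE in names
    identified = REMEMBER_ME_COOKIE in names
    principal = "user" if authenticated else "anonymous"

    if authenticated:
        return ("show", principal)  # every level admits a logged-in user
    if level == "Standard":
        # Two states, decided purely by the access control setting of the resource.
        return ("show" if anonymous_allowed else "login", principal)
    if level == "Identified":
        # The cookie only unlocks content that anonymous users may see anyway.
        return ("show" if (identified and anonymous_allowed) else "login", principal)
    if level == "Authenticated":
        return ("login", principal)
    raise ValueError(f"unknown authentication level {level!r}")


def check_assignment(resource_name, level):
    """Flag the configuration the page warns about: Identified on the Login portlet."""
    if level == "Identified" and "login" in resource_name.lower():
        return f"{resource_name}: Identified level breaks login (see caution)"
    return None


# Constructed requests for the page the author created (/Home/testpage, Identified level).
SAMPLE_REQUESTS = [
    ("first visit, no cookies", ""),
    ("returning browser with Remember me", "com.ibm.portal.RememberMe=c2FtcGxl; JSESSIONID=0000abcd"),
    ("full SSO session", "LtpaToken2=AbC+dEf/gh==; com.ibm.portal.RememberMe=c2FtcGxl"),
]

if __name__ == "__main__":
    for label, header in SAMPLE_REQUESTS:
        print(f"{label:40s} -> {decide('Identified', True, header)}")
    print(check_assignment("Login portlet", "Identified"))
```

The second sample request is the case the author tested: the page is shown without a login prompt, but the principal is still anonymous, so any portlet on it that checks entitlements sees an anonymous user.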