WOW supports single sign-on (SSO) both for WOW based applications and for external applications interfacing with WOW. External applications can be developed in any language and interface with WOW applications through a database and/or a URL.
External Applications to WOW with SSO
External applications may authenticate users with a variety of techniques including LDAP, database driven, operating system profiles, or authorization lists. To achieve SSO when invoking a WOW application, the external application may pass user credentials in the calling URL string. WOW can utilize “runtime parameters” to accept a user id and password on the URL and automatically sign the caller in to the WOW application. While this approach may be acceptable in an internal “trusted” network environment, passing userid and password information in “clear text” across the network carries security risks.
When additional security is needed, an “expiring ticket” approach is recommended. With this technique the external application generates a “ticket number” prior to calling a WOW application. The ticket number is inserted into a mutually available and secured authentication database and passed along with the user information on the URL call to WOW. The WOW application authenticates using the ticket number and then immediately “expires” the ticket by removing it from the database. An analogy is being given a ticket to enter a sports event: upon entry, the ticket is ripped up and is unusable until another ticket is issued.
SSO Processing Example Using a Ticket Number
This technique enables a secure SSO environment but requires some setup by the external programs.
A user “Joe” signs on to an external application (step #1). The external application is running on a server with an IP address of 192.159.13.20. From the external application, the user clicks on a link or button to run a WOW application.
As part of this processing, the external application generates a unique ticket number and updates Joe’s record with the ticket number of 50929714 (step #2). See details on how to generate ticket numbers.
The external application then invokes a WOW application using a URL such as the one shown here: http://wowserver/wow/run?id=14&ticket#=78139919&user=Joe
A WOW authentication operation uses the ticket# and user to authenticate and “expire” the ticket#.
An additional security measure can optionally be used to verify that the invoking server is authorized by checking the caller IP address. In this example, the invoking IP is retrieved and used to further verify and secure access. An invoker would have to have an IP address of 192.159.13.20 to be allowed access.
SSO Processing Example Using a UserId and IP
This technique doesn’t use the ticket number and doesn’t require any special security setup by the calling external programs, but it carries some risk of the calling IP address being “spoofed”.
A user “Joe” signs on to an external application (step #1). The external application is running on a server with an IP address of 192.159.13.20. From the external application, the user clicks on a link or button to run a WOW application.
The external application then invokes a WOW application using a URL such as the one shown here: http://wowserver/wow/run?id=14&user=Joe
A WOW authentication operation uses the userid and also verifies the invoker has an IP address of 192.159.13.20.
Generating a Ticket Number
The ticket number SSO approach allows any database to be used as the authentication database and any field as the ticket number field. Likewise, a number of approaches can be used to generate a ticket number, such as:
Using a timestamp value.
Random number.
Database identity field.
Internal hash values or encrypted values.
Other user defined values.
The key is to ensure that the ticket number and userid values cannot be determined by outside users. It is advised that ticket numbers be generated at the time a navigation request is made.
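The following is an added example, not code from WOW or from this page, showing both halves of the ticket flow described above: the external application issues a ticket and stores it on Joe’s record, and the authentication side redeems the ticket exactly once, checks the caller IP, and refuses stale tickets. The table name, the `ticket` URL parameter (named without `#`, which a browser would otherwise treat as the start of a URL fragment) and the 60 second lifetime are assumptions; the database is a constructed in-memory SQLite table.

```python
import secrets
import sqlite3
import time
from urllib.parse import urlencode

# Constructed stand-in for the mutually available authentication database
# (assumption: one row per user, ticket column cleared once redeemed).
conn = sqlite3.connect(":memory:", isolation_level=None)  # autocommit
conn.execute("CREATE TABLE sso_users (userid TEXT PRIMARY KEY, "
             "ticket TEXT, issued REAL)")
conn.execute("INSERT INTO sso_users VALUES ('Joe', NULL, NULL)")

TICKET_LIFETIME = 60          # seconds a ticket stays valid (assumed)
ALLOWED_IP = "192.159.13.20"  # the authorized external server from the page


def issue_ticket(userid):
    """External application side (steps #2 and #3): generate an unguessable
    ticket, record it on the user's row, and build the WOW URL."""
    ticket = secrets.token_hex(16)  # 128 bits from a CSPRNG, not a timestamp
    conn.execute("UPDATE sso_users SET ticket=?, issued=? WHERE userid=?",
                 (ticket, time.time(), userid))
    url = "http://wowserver/wow/run?" + urlencode(
        {"id": 14, "ticket": ticket, "user": userid})
    return ticket, url


def redeem_ticket(userid, ticket, caller_ip, now=None):
    """Authentication side: verify caller IP, then accept the ticket once and
    expire it. Returns True only for a fresh, matching, unused ticket."""
    if caller_ip != ALLOWED_IP:
        return False
    now = time.time() if now is None else now
    # One UPDATE both checks and clears the ticket, so two concurrent
    # requests with the same ticket cannot both succeed (no read-then-delete gap).
    cur = conn.execute(
        "UPDATE sso_users SET ticket=NULL, issued=NULL "
        "WHERE userid=? AND ticket=? AND issued >= ?",
        (userid, ticket, now - TICKET_LIFETIME))
    return cur.rowcount == 1
```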
WOW Applications with SSO
SSO with WOW applications is straightforward and easy to implement. Authentication operations can by default be “shared” between applications: simply select the same SQL authentication operation in each application that should utilize SSO.