
Calling a LES Webservice through a WebSSO system


nicolas46

Programmer
Mar 4, 2010
33
FR

Hi!
I have an application written in Java which uploads and downloads documents stored in my Livelink by using les-webservices. The first version of my app uses the Authentication service to get a token (based on the Livelink user login and password). Everything works fine in this version.
Now, in a new version, I have to work without the user's Livelink ID and password. All I have is an ID and password for a "SiteMinder" (WebSSO).
If I use my web browser and go to my Livelink, SiteMinder catches me, asks me for my SiteMinder ID/password and then redirects me to Livelink without asking me for my Livelink login/password.
I don't know how to reproduce this in my app. I'm successfully connected to SiteMinder and I have a cookie, but I do not know what to do with this cookie to get my webservice token.
Does anyone have an idea?
Thanks!
 
The SSO at Livelink can be implemented very easily because Livelink will by default accept REMOTE_USER or in your case HTTP_SMUSER (or whatever).
In other words, Livelink's auth method can basically vet you in with any variable.

Now to help you out I would try to ask these questions to the client:
1) What is the Livelink webserver (is it Windows IIS or something else)?
2) Is it protected by IWA or anonymous?
3) What variable is used in header authentication (REMOTE_USER is default)? A Livelink admin should know these things, or at least a web admin should know these.
4) The exposed webservices: do they have IWA or are they anonymous?
5) Is OTDS (Tomcat based RCS webservices auth) deployed in the mix?

If 4 turns out to be IWA then your app.config has to change and you would basically write code that
leaves out userid/password. That would mean that your code is running on a computer connected to the domain controller of your org.

If 4 turns out to be anonymous, then you would authenticate just like you do with the web GUI,
but you could run into problems which are best understood by an oscripter, meaning most SSO implementations look for REMOTE_USER
and I don't know if it is a hard coded value or not.

If 5 is involved you have to seek authentication based on 1 of 5 scenarios deployed at the client, which requires you to patiently look at
the configuration. An internal client within the network will actually ask this authentication service. I have read they support other
header variables but do not know that intimately.

A good understanding of how SSO works in IWA is usually a good start. I have several articles in my blog livelink.in that help
SSO developers of web services, but frankly I would not know how the SiteMinder thing could be made to work for you.

Let us know how you solved this. It may be very easy or may drive you nuts, but repay the forum with anything you have learned.
Good Luck


Well, if I called the wrong number, why did you answer the phone?
James Thurber, New Yorker cartoon caption, June 5, 1937
Certified OT Developer,Livelink ECM Champion 2008,Livelink ECM Champion 2010
 
Thanks for your reactivity, Appnair!

1) What is the Livelink webserver: IIS (on a Windows Server 2003)
2) Is it protected by IWA or anonymous: Anonymous
3) What variable is used in header authentication: HTTP_SM_USER (LDAP Authentication)
4) The exposed webservices, do they have IWA or are they anonymous: Anonymous
5) Is OTDS (Tomcat based RCS webservices auth) deployed in the mix: I'm not sure I understand this part :/

We are trying to pass the SiteMinder cookie into the SOAP header. I will keep you informed.
 
Try a simple Java class file or C# file before trying with a utility like SOAP UI or things like that.
Your end points to the WSDL should be the internal webservices the org has; nothing has to change.
Just before you try to establish a session with Livelink, which is what you are doing with that authentication
piece, execute a web request where you are authenticated by SiteMinder, a.k.a. your browser session now has the cookie.
If you do not know how, use the method by which you hardcode the userid/password in your URL like in this article

Now what you have to really understand is if RCS/OTDS is not present the COOKIE issued to the browser is the same thing as the TOKEN
you get within web services.

You asked what RCS/OTDS is; that is basically a middleware running on Tomcat. OT makes a lot of integrations, so to pass a user logged in to a company portal
to SAP, SP, Livelink and what not they designed this. Most companies just using Livelink don't need RCS, nor is it easy to set it up and correctly implement it.
Simply put, my evaluation of it leaves much to be desired. IMHO it will take about 2 more years to work out the kinks and many orgs will have serious difficulties with it running in Tomcat.

If RCS was present an internal webservices guy would just ask RCS (it has an auth WSDL) for the token and use that in his WS code. In your case you are outside, so improvise.

Another thing that may bite you is that almost every Livelink out there is exposed through a HW load balancer, so for your attempts you should focus on a single Livelink server or its IP address. Once your code starts working, make sure your code gets to a Livelink pool that is "sticky" because the cookie has the IP of the client by default.


Well, if I called the wrong number, why did you answer the phone?
James Thurber, New Yorker cartoon caption, June 5, 1937
Certified OT Developer,Livelink ECM Champion 2008,Livelink ECM Champion 2010
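
The two-step flow suggested in the post above (make an authenticated web request first, then send the web-service call with the cookie it produced), as an added Java example that is not part of the original thread. It runs against a constructed local stub, not SiteMinder or Livelink: the cookie name `DEMO_SSO`, the paths `/protected` and `/ws`, and the placeholder SOAP body are all assumptions for illustration.

```java
import com.sun.net.httpserver.HttpServer;
import java.net.CookieManager;
import java.net.InetSocketAddress;
import java.net.URI;
import java.net.http.HttpClient;
import java.net.http.HttpRequest;
import java.net.http.HttpResponse;
import java.nio.charset.StandardCharsets;

public class SsoCookieReuse {
    public static void main(String[] args) throws Exception {
        // Constructed local stub: /protected plays the SSO-protected page that sets a
        // session cookie, /ws plays a web-service endpoint that requires that cookie.
        HttpServer stub = HttpServer.create(new InetSocketAddress("127.0.0.1", 0), 0);
        stub.createContext("/protected", ex -> {
            ex.getResponseHeaders().add("Set-Cookie", "DEMO_SSO=constructed-value; Path=/; HttpOnly");
            ex.sendResponseHeaders(204, -1);
            ex.close();
        });
        stub.createContext("/ws", ex -> {
            String cookie = ex.getRequestHeaders().getFirst("Cookie");
            boolean ok = cookie != null && cookie.contains("DEMO_SSO=constructed-value");
            byte[] body = (ok ? "<accepted/>" : "<rejected/>").getBytes(StandardCharsets.UTF_8);
            ex.sendResponseHeaders(ok ? 200 : 403, body.length);
            ex.getResponseBody().write(body);
            ex.close();
        });
        stub.start();
        String base = "http://127.0.0.1:" + stub.getAddress().getPort();

        // One cookie jar shared by every request this client sends.
        CookieManager jar = new CookieManager();
        HttpClient withJar = HttpClient.newBuilder().cookieHandler(jar).build();
        HttpClient noJar = HttpClient.newHttpClient();

        // Step 1: the authenticated web request; the jar captures Set-Cookie.
        withJar.send(HttpRequest.newBuilder(URI.create(base + "/protected")).GET().build(),
                HttpResponse.BodyHandlers.discarding());

        // Step 2: the SOAP POST goes to the same host, so the jar attaches the cookie.
        HttpRequest soap = HttpRequest.newBuilder(URI.create(base + "/ws"))
                .header("Content-Type", "text/xml; charset=utf-8")
                .POST(HttpRequest.BodyPublishers.ofString("<soap-envelope-placeholder/>"))
                .build();
        System.out.println("with jar:    " + withJar.send(soap, HttpResponse.BodyHandlers.ofString()).statusCode());
        System.out.println("without jar: " + noJar.send(soap, HttpResponse.BodyHandlers.ofString()).statusCode());
        stub.stop(0);
    }
}
```

The cookie jar only attaches a cookie to requests whose host and path match the ones it was set for, so the web request and the web-service call have to target the same host name for the cookie to be sent.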
 