Authenion Documentation
Release Notes
Release: 2025
Distribution: April 2025
Version: Authenion - 3.0
Software Download: LikeMinds Helpdesk portal
Read: Release Summary, Features & Enhancements, Fixes.
Release: 2024
Distribution: April 2024
Version: Authenion - 2.0
Software Download: LikeMinds Helpdesk portal
Read: Release Summary, Features & Enhancements, Fixes.
Getting Started
1. Introduction
Authenion product from Like Minds is aimed towards delivering a secure Single Sign-On (SSO) experience for Enterprise applications from Oracle, IBM, SAP and other custom applications (java, php, .net, etc.,) that supports HTTP headers as their last mile integration and Single Sign-On. Authenion is a stand-alone product and can be installed on any physical/virtual Linux servers either on-premise/cloud or both. Authenion integrates with standard OpenID Connect providers in the market for authentication related events.
2. How does Authenion work?
Integration mechanism
Authenion as a standalone product, must be integrated with your Enterprise/Custom applications & with your Identity Provider (IdP) to complete the 'first mile and last mile integrations' for authentication and Single Sign-On (SSO). Authenion supports integration with OpenID Connect (OIDC) enabled Identity Provider and with a wide range of enterprise & custom applications.
The 'first mile' integration involves connecting with your identity providers, which Authenion uses to receive claims after user's authentication sessions. The claims are sent to Authenion from the Identity Provider (IdP) through OpenID Connect (OIDC) tokens.
The 'last mile' integration involves Authenion integration with end-user's applications where Single Sign-On (SSO) will be enabled.
3. Enterprise Deployment Model
Authenion provides a Gateway architecture for end-user's applications, that supports Header variables for last mile integration and Single Sign-On. In the gateway model, the user's request is initially directed to Authenion and then Authenion grants or denies access to the request based on the application resource protection type.
This deployment model can be set up quickly without disrupting the applications. Authenion will be installed on separate servers from the application web servers.
With the fewer components in the architecture, it is easy to manage. All transactions are logged, and makes it easier for security audit purposes.
4. What can I Configure with Authenion?
Authenion includes a wide range of configurations from its administration console in first-mile & last-mile integration approach. The following are the configurations we can perform in the console.
| Authenion Configurations | Requirements |
|---|---|
|
Entry for end-user's applications in Authenion |
|
|
Connecting with your Identity Provider (IdP) for Authentication |
|
|
Connecting with your LDAP Authentication Provider for Email, SMS and TOTP Authentication |
|
|
Fully-qualified domain name assigned to access applications in the gateway model |
|
|
End-user's application details (server/port information) |
|
|
URI components of the end-user's applications |
|
|
Header variables containing user info for the end-user's application's last-mile integration and Single Sign-On |
|
|
Authenion component responsible for config-data exchange from admin console to authenion server and vice versa. The default port is ‘8090’ & it uses ‘https’. |
System Requirements
The following requirements should be met for Authenion installation. Authenion qualifies & certifies the following configurations, that they are compatible with the product. Authenion supports IPv4 addressing.
Installation
This section provides instructions for installing, configuring & starting/stopping Authenion product. Authenion can be installed on the Linux servers. For the System requirements, please visit System Requirements section.
1. Pre-requisites
Install a supported Java software with the JAVA_HOME environment variable set.
The JAVA_HOME variable must be set representing the location of your Java installation.
2. Install Authenion
Request or download the Authenion product distribution file and a valid license from the Authenion support portal or by contacting your account manager at LikeMinds.
Install Authenion by extracting the authenion-3.0.zip file into any desired user directory Eg:- “/home/user” directory in the Authenion server.
After extracting the zip file, the folder structure should appear as shown in the table below.
Download & extract the distribution zip into the installation directory ‘/home/user’
<authenion_install_dir>: /home/user/authenion/
- authenion
- bin
-
- config
- deploy
- logs
-
- server
-
- work
Copy the obtained license file “authenion.lic” to the Authenion server and place it in the <authenion_install_dir>/config directory.
|
Distribution ZIP file |
|
|
File system after extraction |
|
|
Directory Structure |
|
3. Setup Authenion
Authenion installation can be done on both Linux and Windows environment. Below are the steps for each:
Linux Environment :
Navigate to the following directory in the Authenion server.
Execute the following command to grant permission.
Run the setup command.
Read and accept the Software Terms & Conditions. This will complete the setup process.
Note: In case if the process fails to complete the setup, you can re-run the setup script to complete it.
Windows Environment :
Navigate to the following directory in the Authenion server.
Run the setup command.
Read and accept the Software Terms & Conditions. This will complete the setup process.
Note: In case if the process fails to complete the setup, you can re-run the setup script to complete it.
4. Start & Stop Services
Linux Environment :
To Start the Authenion instance, navigate to the “<authenion_install_dir>/bin” directory and run the ‘start-instance.sh’ command.
To Stop the Authenion instance, run the ‘stop-instance.sh’ command.
Check the status of the Authenion application, by navigate to the “<authenion_install_dir>/bin” directory and executing the ‘status.sh’ command.
Note: In Authenion-3.0, we have the option to start and stop each service individually.
Windows Environment :
To Start the Authenion instance, navigate to the “<authenion_install_dir>/bin” directory and run the ‘start-instance.bat’ command.
To Stop the Authenion instance, navigate to the “<authenion_install_dir>/bin” directory and run the ‘stop-instance.bat’ command.
Check the status of the Authenion application, by navigate to the “<authenion_install_dir>/bin” directory and executing the ‘status.bat’ command.
Note: In Authenion-3.0, we have the option to start and stop each service individually.
5. Enable Authenion as a Windows Service
Window Environment :
Stop the Authenion instance.
Ensure the Authenion application is not running before proceeding.Navigate to the wrapper directory:
authenion\bin\wrapperUpdate Java home path:
OpenAuthenionWindowsService.exeusing a text editor .
Modify the Java home path to match your system's current Java installation.Set up Authenion as a Windows service:
Run the script:install-WindowsService.batStart the service:
Open Services (run as Administrator).
LocateAuthenionService.
Right-click and select Start.
6. Authenion Health-check
To check the Authenion status through the heartbeat URL, enter the following URL in the browser. This can be used for monitoring the Authenion services.
7. Import Identity Provider’s Certificate into Authenion Trust Store
The following steps will guide you to import the Identity provider’s certificate into the Authenion trust store.
Export the SSL Certificate from the Identity Provider (PingFederate, PingOne, AzureAD, etc.,) and place the certificate anywhere inside “<authenion_install_dir>” in the Authenion server.
Run the following command in the Authenion server to install the Identity Provider’s certificate.
8. Import SSL Certificates for Authenion (optional)
Authenion allows you to install your organization’s signed certificates. The certificates should be in the .crt & .key files format. To place your organization’s certificate in Authenion, follow the steps below.
If you have the certificate & private key in pkcs format, move the certificate to the Authenion server & run the following commands.
Copy the .crt & .key extracted in the previous step and place it in “<authenion_install_dir>/server/conf/certs” directory.
The above steps can be repeated during the Authenion certificate renewal process.
Note: This setup is optional. The Certificates can also be installed on load-balancer servers.
Launching the Authenion Admin UI Console
To launch the Authenion Admin UI console, we provide a standalone utility (authenion-admin-xx-version.zip) that can run independently of containers operating on its own server. You can launch the Authenion admin console using either the OIDC provider or the standalone mode.
1. Pre-requisites (for both Linux and Windows)
Download the File:
Download the `authenion-admin-xx-version.zip` file and place it in the application server where our Authenion-EIK is deployed.
Extract the File:
-
Unzip the `authenion-admin-xx-version.zip` file.
-
After extraction, you will see only one file: authenion-admin-xx-version .
2. OIDC Provider for Authentication to Launch Authenion Console
Open a terminal on your Linux or windows server where the `authenion-admin-xx-version.zip` file is located.
-
Make sure the `authenion.p12` file is in the same directory.
-
Use the `cd` command to go to the directory where both files are present.
-
Run the following command in the terminal to execute the utility and launch the Authenion UI Admin console:
-
Once the execution is successful, you will be redirected to the Authenion Admin Console.
java -jar authenion-admin-xx-version.zip com.authenion.sso.authenionadmin.AuthenionAdminApplication
--authority=https://hostname/TenantId/v2.0 --client_id=Applicationclientid --redirect_uri
=https://<authenionhostname>:9898 --scope=api://<Applicationid>/openid --prompt=login
Note: Please ensure that the redirect_uri used in the command is configured in the OIDC provider.
3. Using Local Authentication to Launch Authenion Console
To launch the Authenion console using local authentication instead of an OIDC provider, follow these steps:
Execute the Command:
Run the following Java command to enable local authentication:
java -jar authenion-admin-xx-version.zip com.authenion.sso.authenionadmin.AdminApplication
--localAuthEnabled=true --issuerUrl=https://servername:9898 --adminPassword=anypassword
Note: You can set the password using an environment variable. Ensure the password is strong, including special characters like % or $ for enhanced security.
Login Information:
After executing the command, use the following login credentials:
Username:Administrator
Password:The password you specified in the command (e.g., anypassword)
Console Interactions & Configurations
This section describes the UI of Authenion (Admin Console) and its interactions and provides steps for accessing and configuring it. Access the Authenion UI by clicking Administrative Console.
1. Dashboard / Applications
The Dashboard / Applications page lets you view, create, or modify the applications we protect. The total protected applications will be displayed in the Dashboard Application’s tab. It also lets you access the Identity Provider Configuration page next to the Applications tab and access the sidebar menu for other required configurations.
2. Import - Getting config-data into the UI
The Import button in the Dashboard page lets you get the data into the UI.
The Import page has two operations:
Fetch Function: The Fetch function is used to get the data from your Authenion Server. It automatically retrieves all the Authenion config data and makes it available in the Authenion UI. It uses the Authenion Instance plugin which is running on the Authenion server.
Upload Operation: The Upload operation is used to load the data from your local file system into the UI manually through any previously extracted configs.
Retrieving Config data from existing Authenion Instance
For first time installation & configuration of Authenion, skip this step and continue with the next section – Identity Provider Configuration.
If you have an Authenion server up & running already, you can bring the configuration data into the UI through the Import function.
Click Import in the Authenion Dashboard.
In the Import page, enter the detail for Authenion Instance. For example, authenion.example.com
Click Fetch.
This will bring your Authenion configuration data from Authenion server to the UI.
3. Identity Provider Configuration
The Identity Provider Configuration page allows you to connect with your Identity Provider / OIDC Token Provider. This configuration includes details such as Token Providers OAuth/OIDC endpoints, Authenion Client registration details, Claims to obtain from the Token Provider. It includes additional configuration for Authenion such as; Authenion Instance, Domain & Session duration configurations.
Adding Identity Provider Configuration
Click Identity Provider Configuration in the Dashboard page.
Enter the following details & click Save to configure your Token Provider with Authenion for authentication.
OpenID Connect Provider - Settings
Authorization URL
- https://idp.example.com/authorize
Token URL
JWKS URL
https://idp.example.com/jwks
Logout URL
https://idp.example.com/idp/logout
Issuer
https://idp.example.com
Userinfo URL
https://idp.example.com/idp/userinfo (Optional)
Audience
authenion
Client ID
Registered value client_id from your IdP
Client Secret
Registered client_secret value from your IdP
Scope
openid (Multiple scopes can be added)
Claims
Claims from Identity Provider (sub, username, email, etc.,)
Authenion Instances
https://authenion.example.com:8090
Note: If the Authenion is configured in cluster, enter the Authenion Instances value from all the Authenion servers. The default port is 8090 and enabled with HTTPS. This field supports multiple entries.
Cookie Settings
Cookie Domain
example.com
Session Duration
3600
| Configurations | Values |
|---|---|
|
|
|
|
|
https://idp.example.com/token |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| Configurations | Values |
|---|---|
|
|
|
|
|
|
4. LDAP Authentication Provider
LDAP authentication is a process where user credentials are validated against a directory services, to grant access to resources. It's a core part of how LDAP (Lightweight Directory Access Protocol) manages user identities and permissions within an organization.
Multi-Factor Authentication: MFA is a security method that requires users to provide two or more verification factors to access a resource. MFA enhances security by reducing the risk of unauthorized access beyond just using a username and password.
Adding LDAP Authentication Provider Configuration
Click LDAP Authentication Provider Configuration in the Dashboard page.
Enter the following details & click Save to configure your LDAP Provider with Authenion for authentication.
LDAP Authentication Provider - Settings
LDAP Server
Bind DN
Bind Password
Configured Bind Password from LDAP
Base DN
Configured Base DN from LDAP
Search Base
Configured Search Base from LDAP
Search Subtree
checkbox
Return Attributes
Configured the Return Attributes from LDAP
Username Attribute
Configure Username Attribute
Read Timeout
3000
Client Secret
Registered client_secret value from your IdP
OIDC Virtual Server
authenion.example.com
OIDC Virtual Server Port
443
Use SSL
checkbox (Enable/Disable HTTP or HTTPS)
Include Claims in ID_Token
checkbox (Enable/Disable Claims in ID_Token)
Enable MFA
checkbox (Enable/Disable MFA)
MFA Settings
Email
SMS
TOTP
checkbox (Enable/Disable TOTP)
SMTP Configurations
From Address
Email Server
Mail Port
587 (for TLS)/465 (for SSL)
Mail Protocol
smtp/smtps
Username
example.com
Password
password
Connection Timeout
8000
Ldap Attribute
mail
SMTPS Authentication
checkbox (SMTP or SMTPS)
Enable Encryption
checkbox (Enable/Disable TLS or SSL Encryption)
Twilio Settings
Account SID
Auth Token
From Number
Registered From Number from Twilio
SMS Service
twilio
Ldap Attribute
mobile
TOTP Settings
Grace Time
Skew Windows
Ldap Attribute
totpSecret
| Configurations | Values |
|---|---|
|
|
ldaps://ldap.example.com:636 |
|
|
Configured BindDN from LDAP |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
Note: Commonly supported LDAP providers are PingDirectory, Microsoft Active Directory, etc.
Email: When this checkbox is enabled, a one-time password is sent to the user's registered email address for authentication.
SMS: When this checkbox is enabled, users receive a one-time password via SMS, using Twilio integration for message delivery.
TOTP: When this checkbox is enabled, users can authenticate using time-based one-time passwords through apps like Google or Microsoft Authenticat
| Configurations | Values |
|---|---|
|
|
checkbox (Enable/Disable Email) |
|
|
checkbox (Enable/Disable SMS) |
|
|
|
From Address: specify the email address used for sending notification emails.
Email Server: SMTP server for sending emails.
Mail Port: SMTP server port.
Ldap Attribute: The LDAP attribute that stores the user’s email address. This value is retrieved during authentication to send one-time passcodes (OTPs) via email.
| Configurations | Values |
|---|---|
|
|
donot-reply@example.com |
|
|
example.com |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
Account SID: A Twilio Account SID is a 34-character alphanumeric identifier unique key that is used to identify a specific Twilio Parent Account or Subaccount.
Auth token: Auth Token is a secret password, used to authenticate requests to the Twilio REST API.
SMS Service: SMS provide or service being used.
Ldap Attribute: The LDAP attribute that stores the user’s mobile number. It is used to deliver OTPs via SMS during the multi-factor authentication process.
| Configurations | Values |
|---|---|
|
|
Registered Account SID from Twilio |
|
|
Registered Auth Token from Twilio |
|
|
|
|
|
|
|
|
|
Grace Time: Refers to the period after a TOTP code has technically expired during which it can still be used for authentication, allowing for minor delays in code entry. The default grace time is either 30 or 60 seconds.
Skew Windows: Refers to the allowance of a certain number of time intervals (e.g., 30-second periods) that are considered valid for authentication, even if there is a slight discrepancy between the client’s and server’s time.
Ldap Attribute: The LDAP attribute where the TOTP (Time-based One-Time Password) secret key is stored for the user. This is used to validate OTPs generated by authenticator apps like Google Authenticator or Microsoft Authenticator.
| Configurations | Values |
|---|---|
|
|
30 or 60 |
|
|
1 |
|
|
|
5. Sidebar
The Sidebar Menu has the following Configurations
Applications
Virtual Servers
Application Hosts
Header Mappings
Resources
Authenion Status
EIK Configurator
Logout
Sync
Export
6. Applications
Applications sidebar represent the protected Applications to which the user requests are sent. Each application will have a dedicated entry in the Dashboard/Applications tab. Applications are configured with Virtual Servers, Resources, Header Mappings & corresponds to a single Application Host (target application/backend server).
Adding an Application
Adding a protected application in Authenion has the following pre-requisites. Complete the setup for the below configurations before you create a new application.
-
Virtual Servers (Section 6)
-
Application Hosts (Section 7)
-
Header Mappings (Section 8)
-
Resources (Section 9)
To add an application, click New Application on the Dashboard page.
Enter the following details:
Click Save to complete the configuration for a new application.
| Configurations | Values |
|---|---|
|
Application ID |
Unique ID (auto generated) |
|
Application Name |
App |
|
Virtual Servers |
AgileVirtualServer (Configured in Section 6 ) |
|
Header Mappings |
Headers (Configured Section 8) |
|
Protected Resource |
AgileProtected (Configured Section 9) |
|
Excluded Resource |
AgileExcluded (Configured Section 9) |
|
Application Hosts |
AgileHost (Configured Section 7) |
|
Authenion Instances |
https://authenion.example.com:8090 (auto populated) |
|
Enable |
Checkbox (Enable/Disable Application) |
|
Enable Host Headers |
Checkbox (Enable/Disable Host Headers) |
Configure Authorization rule for your Application
| Configurations | Values |
|---|---|
|
Enable Authorization Engine for this Application |
Toggle (Enable/Disable the Rules for the Application) |
|
Rule |
Configure Authorization Rules for the Application (optional) |
|
Context Path |
|
Configure Security Headers for your Application
| Configurations | Values |
|---|---|
|
Override Defaults |
checkbox (Enable/Disable Override Defaults) |
|
Access-Control-Allow-Headers |
DNT,User-Agent,X-Requested-With,If-Modified-Since,Cache-Control,Content-Type,Range (Allows specific headers in CORS requests) |
|
Access-Control-Allow-Methods |
|
|
Referrer-Policy |
|
|
Strict-Transport-Security |
|
|
X-Content-Type-Options |
|
|
X-Frame-Options |
|
|
X-XSS-Protection |
|
|
Content-Security-Policy |
|
Authenion Dashboard shows the number of Applications configured.
7. Virtual Servers
Virtual Servers enables you to protect multiple applications and their hosts. The Virtual Server is a combination of hostname and port number and is defined by example.com:443.
Adding a Virtual Server
Click Virtual Servers on the sidebar menu.
Click the “+ New Virtual Server” button on the Virtual Servers page.
Enter the following details to create a Virtual Server for your application.
Unique ID (auto generated)
AgileVirtualServer
authenion.example.com (protected application domain or hostname)
8443
checkbox (HTTP or HTTPS)
Click Save to complete the Virtual Server configuration.
For example:
| Configurations | Values |
|---|---|
|
ID |
|
|
Name |
|
|
Host |
|
|
Port |
|
|
Use SSL |
|
8. Application Hosts
Applications Hosts are the target applications or the backend application servers that Authenion is protecting through the gateway architecture. The target application’s access requests are validated by Authenion before they are forwarded.
Adding Application Hosts
Click Application Hosts on the sidebar menu.
Click the “+New Application Host” button on the Application Hosts page.
Enter the following details to create an Application Host for your target application server.
Unique ID (auto generated)
MyAppBackend
apex.likemindscloud.com:8080 (protected application/webserver details)
checkbox (HTTP or HTTPS)
checkbox (Enable/Disable Session Persistence)
checkbox (Enable/Disable HTTP Proxy with HTTP/1.1 )
-
Click Save to complete the Application Host configuration.
For example:
| Configurations | Values |
|---|---|
|
ID |
|
|
Name |
|
|
Host |
|
|
Use SSL |
|
|
Enable Session Persistence |
|
|
HTTP1.1 |
|
9. Header Mappings
Header Mappings sends the User attributes to the target application after authentication. The target application will send the attributes for validation purposes. The Header Mappings will receive the user attributes from the Claims which are sent by the Token Provider. Once the claims are received, it is then made available as HTTP-Headers to the target applications.
Adding Header Mapping
Click Header Mappings on the sidebar menu.
Click the “+New Header Mapping” button on the Header Mappings page.
Enter the following details to create a header mapping for your target application.
Unique ID (auto generated)
MyAppHeaders
username
email
-
Click Save to complete the Header Mappings configuration.
For example:
| Configurations | Values |
|---|---|
|
ID |
|
|
Name |
|
|
App Header |
OIDC Claims |
|
USER_NAME |
|
|
USER_MAIL |
|
10. Resources
Resources are the components/URI of the applications. The resources can be mapped as either protected or excluded resources in an application.
Adding Resources
Click Resources on the sidebar menu.
Click the “+New Resource” button on the Resources page.
Enter the following details to create a Resources for your target application.
Unique ID (auto generated)
MyAppResources
/ords/** (Resource Path starts with a ‘/’. Multiple resource paths can be added)
Toggle (Enable/Disable Authorization Rules)
The Authenion Rules Engine allows you to define and manage access policies for your applications and resources. It enables precise control over user access conditions and content modifications. (optional)
-
Click Save to complete the Resources configuration.
For example:
| Configurations | Values |
|---|---|
|
ID |
|
|
Name |
|
|
Resource Path |
|
|
Enable Authorization Rules |
|
|
Rule |
|
11. Authenion Status
The Authenion Status page shows the health of the Authenion Instance that is running in the Authenion server. This status page also displays your authenion license information.
Click Authenion Status on the sidebar menu to view the status of your Authenion application.
12. Sync & Export
Sync
The Sync is a manual operation that lets you push all the configuration data from the Authenion UI back to the Authenion server. When you install Authenion for the first time, there will be no configuration data in the UI or in the Authenion server. The Sync operation should be triggered for both new configurations & modifications that we perform in the Authenion UI. Any changes which are not pushed from the UI to Authenion server will not be reflected until Sync operation is triggered manually.
Note: Add the JWKS endpoint to the 'agent-authorization.properties' file in the '/config/' directory.
The Sync status will throw an error status when it can't reach the Authenion instance in the Authenion server.
Export
The Export button is a quick operation that lets you download the current configurations from the UI. The exported data will be in the format of a JSON file. This file acts as a backup for the Authenion configuration data. The downloaded file name is export.json.
13. User-Customized Templates
Email Page Templates
Authenion enables customization of user-facing pages, such as emails and forms, using HTML, CSS, JavaScript, and localization files with dynamic placeholders for messages and user-specific data.Templates are located in
1. email-forgotUsername.html
Purpose:This email template is sent to users who have forgotten their username.
Use:This email is sent when a user requests account recovery. It provides the username(s) associated with the registered email address, enabling the user to log in without creating a new account.
2. email-otpMessage.html
Purpose:This email template is used to send a One-Time Password (OTP) to users during login process.
Use: As part of multi-factor authentication (MFA), this email sends a one-time password (OTP) to verify the user’s identity and ensure secure login.
3. email-passwordChanged.html
Purpose:This email template is sent to confirm that the user’s password has been successfully changed.
Use:This email confirms the password change and helps detect unauthorized activity. If the password change wasn’t requested, it alerts the user to take immediate action to secure their account.
4. email-resetPassword.html
Purpose:This email template is used to send a password reset link to the user’s registered email address.
Use:This email provides a time-sensitive link to help users securely reset their password when a user forget their password or want to create a new one.
Login Page Templates
Login page templates in Authenion are located at <authenion_install_dir>/config/html/. These templates control the appearance of user-facing pages such as the login screen, forgot password form, and logout confirmation. You can customize these templates to match your branding and support multiple languages using message properties in the <authenion_install_dir>/config/html/locale/messages_en.properties file.
1. login.html
Purpose:This is the main login page where users enter their LDAP username and password.
Use:This page authenticates users by submitting their credentials to the server and provides links to reset a forgotten password or recover a username.
2. forgotPwd.html
Purpose:This page allows users to request a password reset link by entering their username.
Use:It sends a password reset email to the user with a time-limited link, allowing them to securely update their password.
3. signout.html
Purpose:This page is displayed after the user successfully logs out, confirming the logout action.
Use:It confirms the successful logout and provides a link to return to the homepage.
4. updatePassword.html
Purpose:This page allows users to set a new password after clicking the reset link sent to their email.
Use: It enables users to securely update their password, verifies that both passwords match, and submits the data to the server via AJAX. CSRF protection is included to ensure the request is secure and valid.
5. forgotUsername.html
Purpose:This page allows users to recover their forgotten username by entering their email address.
Use:The user submits their email address, and the system sends their registered username to the provided email address.
6. changedPwd.html
Purpose:This page is displayed after the user successfully changes their password.
Use:It notifies the user that their password has been successfully updated and provides a link to redirect them to the login page.
7. changePwd.html
Purpose:This page provides a form for users to change their password by entering their current password, new password, and confirming the new one. It includes validation to ensure the new passwords match.
Use:It allows users to update their password. After submission, the password is changed if successful, and appropriate success or error messages are displayed.
8. deviceRegistered.html
Purpose:This page confirms successful registration of an authenticator app for two-factor authentication (2FA). It displays a checkmark icon, a success message, and a "Close Window" button.
Use:This page appears after the authenticator app is successfully linked to the user account. It confirms completion of the registration and includes a "Close Window" button for the user to exit and continue using the application.
9. deviceOtp.html
Purpose:This page provides a secure OTP input form for verifying a user’s identity during multi-factor authentication (MFA). It supports TOTP and device-based methods like SMS or email, showing masked details to indicate the delivery method.
Use:This page appears when the user needs to enter a 6-digit OTP sent to their registered device or generated by an authenticator app. The user enters the code in separate fields, and upon submission, the OTP and device ID are sent to the server via AJAX for verification. If successful, the user is redirected to the /mfa/registered confirmation page; otherwise, they are redirected to /mfa/commit.
10. deviceSelection.html
Purpose:This page allows users to select a method for Multi-Factor Authentication (MFA), such as SMS, Email, TOTP. Once an option is selected, it is stored and a "Proceed" button appears for the user to continue.
Use:This page is part of the authentication process, allowing users to choose their MFA method. After selection, the form is submitted with the device ID to verify the method and continue to the next step.
11. enrollDevice.html
Purpose:This page is used to enroll a user in Multi-Factor Authentication (MFA). It displays a QR code for scanning with an authenticator app or allows manual entry of a secret key. After scanning or entering the key, the user submits the form to verify their OTP.
Use:This page is shown during the MFA enrollment process, where users set up an authenticator app by scanning the QR code or entering the secret key. After setup, the user proceeds to verify their OTP to complete the enrollment.
12. error.html
Purpose:This page displays a basic error message when an unexpected issue occurs, informing the user of the problem and advising them to try again later. It serves as a fallback page when something goes wrong in the system.
Use:This page handles unexpected errors or system issues, informing the user that something went wrong and advising them to try again later. It serves as a generic error page when no specific error message is available.
Connect with your Identity Provider
This configuration section is the 'first mile integration' of the Authenion integration mechanism. This section guides you to configure Identity/Token Providers in the Authenion administration console. The integration will be established through OAuth and OpenID Connect protocols.
1. PingFederate as the Token Provider
Pre-requisites
PingFederate application with IdP and OAuth/OIDC roles enabled.
Authorization server setup in PingFederate OAuth server setting.
A configured Ping Federate IdP adapter and/or authentication policy contract policy if required for authentication and grant mapping.
OAuth / OIDC Configurations
This setup will manage the configurations related to the OAuth client.
Create a new Client in PingFederate for Authenion.
Value to identify Client in PingFederate
Unique value to identify clients in PingFederate
A secret value known only to this Client and PingFederate
https://<authenion.example.com>:<port>/ssolibrary/oidc/callback
Enable checkbox for bypassing authorization consent screen
Enable Authorization Code checkbox
Select the access token to map with this client
Select the OpenID Connect policy created earlier
Review the Client configurations and click Save.
Map an OpenID Connect Policy to this Client with the following information:
- username
Replicate the configurations if PingFederate is configured in a cluster.
| Configurations | Values |
|---|---|
|
Client Name |
|
|
Client ID |
|
|
Client Secret |
|
|
Redirect URIs |
|
|
Bypass Authorization Approval |
|
|
Allowed Grant types |
|
|
Default Access token manager |
|
|
OpenID Connect Policy |
|
For example:
In OpenID Connect Policy Management tab, create/modify the policy and add the attributes that need to be sent through id_token and userinfo endpoint.
Add the following attributes that need to be returned in the id_token and/or as claims through userinfo endpoint.
The above attributes can be mapped with their respective Scopes in the next page. For example, openid scope.
2. Microsoft Entra ID (formerly Azure Active Directory) as the Token Provider
Pre-requisites
Azure account with valid subscription.
App registration.
Client Secrets and Claim mappings.
Entra ID Configurations
The following will register Authenion as an OAuth/OIDC client application in Microsoft Entra ID (formerly Azure Active Directory) & establish a unidirectional trust relationship between Authenion and Microsoft identity platform. When the registration finishes, the Azure portal displays the Authenion application registration’s overview pane. You can find the Application ID which will also be used as the client_id when we connect Authenion & Entra ID through OAuth/OIDC.
App Registration
Login to the Azure portal.
In the Manage Microsoft Entra ID (formerly Azure Active Directory) section, click on view.
Click on +Add and then click on App Registration.
Give a display name for the app.
Select the tenant in which you want to register the Authenion application.
Add the following Authenion URI in the Redirect URI field. This is the location where Entra ID redirects the user’s request post authentication.
Click on Register.
Redirect URI: https://<authenion.example.com>/ssolibrary/oidc/callback
Token Configuration
From the side menu, click on Token configuration.
Click on + Add optional claim.
Select ID
Check the attributes - email, preferred_username.
Click on Add.
Note: In case a dialogue appears, check the box which says Microsoft graph.
API Permissions
From the side menu, click on API permissions.
Click on + Add a permission.
Click on Microsoft Graph.
Click on delegated permissions.
Under "Openid permissions", check email, openid and profile.
Under "User", check "User.Read".
Click on Add permissions.
Certificates & Secrets
From the side menu, click on Certificates & secrets.
Click on Client secrets.
Click on + New client secret.
Enter some description for the client.
Set the expiry for the client.
Click on Add.
Configure Azure
-
In the Azure portal, under the registered Authenion Application, configure the redirect URL for the admin UI jar.
-
Ensure the associated port is configured.
-
Example URL: `https://servername:9898`
3. Keycloak as the Token Provider
Pre-requisites
Admin access to the Keycloak Administration Console.
Create Realm for your application (optional).
If using HTTPS, a valid SSL certificate is configured to secure communications (recommended for production).
OAuth / OIDC Configurations
This setup will manage the configurations related to the OAuth client.
Create a new Client in Keycloak for Authenion-EIK.
Select OpenID Connect
Unique value to identify clients in keycloak
Value to identify Client in Keycloak
Enable the toggle to client as a confidential client
Enable/Disable fine-grained authorization support for a client
Select Standard Flow (Authorization Code Grant)
https://<hostname>:<port>/EBSAuth/handler
Review the Client configurations and click Save.
After saving the client configuration, Keycloak will generate a Client ID and a Client Secret.
Navigate to the Credentials tab to obtain the Client Secret, which is used for secure backend communication with the OIDC application in Keycloak.
In the Keycloak Admin Console, go to Client Scopes. Either select an existing scope (e.g., profile) or create a new custom scope if needed.
Under the selected Client Scope, open the Mappers tab and add a new mapper for each attribute.
- Set Mapper Type to User Attribute
- Set Token Claim Name to email
- Enable inclusion in ID token, Access token, and User Info (optional)
- Go to Clients, select your client, and assign the scope under either Default Client Scopes or Optional Client Scopes.
| Configurations | Values |
|---|---|
|
Client Type |
|
|
Client ID |
|
|
Name |
|
|
Client authentication |
|
|
Authorization |
|
|
Authentication flow |
|
|
Valid redirect URIs |
|
Mapping User Attributes to Tokens in Keycloak
Example – Add Email Attribute
3. Keycloak as the Token Provider
Pre-requisites
Admin access to the Keycloak Administration Console.
Create Realm for your application (optional).
If using HTTPS, a valid SSL certificate is configured to secure communications (recommended for production).
OAuth / OIDC Configurations
This setup will manage the configurations related to the OAuth client.
Create a new Client in Keycloak for Authenion-EIK.
Select OpenID Connect
Unique value to identify clients in keycloak
Value to identify Client in Keycloak
Enable the toggle to client as a confidential client
Enable/Disable fine-grained authorization support for a client
Select Standard Flow (Authorization Code Grant)
https://<hostname>:<port>/EBSAuth/handler
Review the Client configurations and click Save.
After saving the client configuration, Keycloak will generate a Client ID and a Client Secret.
Navigate to the Credentials tab to obtain the Client Secret, which is used for secure backend communication with the OIDC application in Keycloak.
In the Keycloak Admin Console, go to Client Scopes. Either select an existing scope (e.g., profile) or create a new custom scope if needed.
Under the selected Client Scope, open the Mappers tab and add a new mapper for each attribute.
- Set Mapper Type to User Attribute
- Set Token Claim Name to email
- Enable inclusion in ID token, Access token, and User Info (optional)
- Go to Clients, select your client, and assign the scope under either Default Client Scopes or Optional Client Scopes.
| Configurations | Values |
|---|---|
|
Client Type |
|
|
Client ID |
|
|
Name |
|
|
Client authentication |
|
|
Authorization |
|
|
Authentication flow |
|
|
Valid redirect URIs |
|
Mapping User Attributes to Tokens in Keycloak
Example – Add Email Attribute
Application Integration with Authenion
Once you have connected Authenion with your Identity Provider, you can integrate end-user's applications into Authenion for Single Sign-On (SSO). This configuration is the 'last mile integration' mechanism.
Authenion supports a large number of proprietary or third-party applications for Single Sign-On. Following are the list of applications certified to work with Authenion:
Oracle E-Business Suite
Oracle E-Business Suite SSO made easy with Authenion
Oracle E-Business Suite (EBS) application is a special usecase for Single Sign-On (SSO). The Single Sign-On approach for Oracle EBS differ from other enterprise applications. Authenion enables SSO to Oracle EBS thorugh its plugin called 'EBS Integration Kit (EIK)'. This approach is secure & seamless and follows Oracle recommended changes on the application side.
Architecture
Configuration Steps
The following sections describes the configuration steps required for Authenion-EIK setup and Oracle EBS setup for Single Sign-On.
1. Pre-requisites
Install an Apache Tomcat / Weblogic application or any application server of your choice in a dedicated physical / virtual server
Configure the application server for SSL with a listen port (for example, 8443)
2. SSO Integration Workflow
| Tasks | Description |
|---|---|
|
Generate EIKAuth.config file |
EIKAuth.config file can be generated in Authenion Admin console with the details of the Identity Provider |
|
Generate EIK.dbcx file |
EIK.dbcx can be generated through a command line utility containing information about Oracle EBS Database |
|
Deployment of the EBS Integration Kit (EIK) |
EIK plugin should be deployed in the Apache Tomcat / Weblogic server or any other application server with necessary config files with it |
|
Identity Provider Configurations |
Register an OAuth Client with Authorization code flow in your Identity Provider for Authenion-EIK. Add user attributes such as username, email, etc., into the ID_TOKEN or Userinfo claims (The claim value you add here should match the authentication attribute in Oracle EBS.) |
|
Configure EBS System Profile parameters |
Oracle EBS system profiles for enabling Single Sign-On. These changes are done as per Oracle recommended configuration |
Generate EIKAuth.config File
The EIKAuth.config config file can be generated from the Authenion Admin console. You can access the Authenion Admin console through https://launch.authenion.com (or) on-premises.
Login to the Authenion Admin console.
On the Dashboard page, click 'EIK Configurator' on the Sidebar menu.
Select the Authentication type as 'OpenID Connect Login'.
In the 'Issuer Url' field, enter your Identity Provider's Issuer value and click 'Load metadata'. This will automatically load the required Authorization server endpoints.
Click 'Show Advanced Configuration' next to the 'Load metadata' button.
Enter the value for 'Scopes' field. For example, 'openid'. This field supports multiple values entered with a space as mentioned in the screenshot below.
Enter the details for rest of the fields as mentioned below in the table.
After entering the above values, click the 'Save' button. This will download a file named 'EIKAuth.config'.
Copy the downloaded 'EIKAuth.config' file to a temporary location in the Apache tomcat / Weblogic server. This file will be used in the EIK deployment section later.
| Configurations | Values |
|---|---|
|
Client ID |
Unique value to identify Authenion-EIK in your Authorization server. For example, EIKClient |
|
Client Secret |
A secret value known only to this Authenion-EIK client and your Authorization server. |
|
Authentication Attribute |
User attribute name (OAuth/OIDC claim) that should be returned from your Identity Provider. For example, userId |
|
Redirect URI |
Callback URL for Authenion-EIK. For example, https://eik.example.com:8443/EBSAuth/handler |
|
Context Path |
Authenion-EIK plugin's deployment filename. The default plugin filename is 'EBSAuth.war'. Therefore, the Context path should be, /EBSAuth |
|
EBS Default Homepage |
Oracle E-Business application homepage URL. The example format is, https://ebs.example.com/OA_HTML/OA.jsp?OAFunc=OANEWHOMEPAGE |
|
Cookie Domain |
Domain value of the Oracle EBS application. For example, .example.com |
|
Just-In-Time Access |
If you want EIK to perform user provisioning (Just-In-Time) to your Oracle EBS application. Default value is, false |
Generate EIK.dbcx File
You can generate the EIK.dbcx file through a command line utility. The utility 'EBSdatasource.jar' will be provided along with the Authenion-EIK installation package. The following steps will guide you through in executing the utility and generate the EIK.dbcx file.
The below pre-requisites need to be done before executing the utility.
Download the 'EBSdatasource.jar' utility file from the Like Minds Support Portal. Place the utility file in a machine (or) Local-PC.
The machine (or) Local-PC that is used to execute the utility should have a connectivity to the Oracle EBS Database server. Please do a ping/telnet test to oracledb-hostname:port to check the connectivity.
Create an application user in the Oracle E-Business suite application. Set the Username value as EIKUSER and assign 'UMX|APPS_SCHEMA_CONNECT' role to this user account.
Open an elevated command-prompt (windows) or a terminal (linux).
Navigate to the directory where you have placed the 'EBSdatasource.jar' file.
Execute the following command:
The configuration section will open as mentioned in the screenshot below:
Enter the details as mentioned below in the table.
After entering the above values, the EIKUSER will be registered. A new file named 'EIK.dbcx' will be generated in the same directory.
Copy this file to a temporary location in the Apache tomcat / Weblogic server. This file will be used in the EIK deployment section.
java -jar EBSdatasource.jar
| Configurations | Values |
|---|---|
|
Enter the connection factory class |
For example, oracle.jdbc.pool.OracleDataSource |
|
Enter the JDBC url |
For example, jdbc:oracle:thin:@oracledb-hostname:port:SID |
|
Enter APPS username |
apps |
|
Enter APPS password |
APPS user account password |
|
Enter Connection pool name |
The value should match with the EIK deployment context path. For example, EBSAuth |
|
Enter initial connection pool size |
For example, 10 |
|
Enter minimum connection pool size |
For example, 10 |
|
Enter maximum connection pool size |
For example, 25 |
|
Enter timeout check interval |
For example, 30 |
|
Enter inactive connection timeout |
For example, 30 |
|
Enter validate connection on borrow |
For example, true |
|
Enter the EIK username |
For example, EIKUSER |
|
Enter the EIK user password |
EIKUSER user account password |
|
Enter the Context Path |
Context of the EIK plugin. For example, /EBSAuth |
Deploy Authenion-EIK
This section guides you through the deployment steps for Authenion - EBS Integration Kit. This guide will show the deployment steps in an 'Apache Tomcat / Weblogic' application server.
Login to the Like Minds Support Portal and download the required binaries to complete the EIK deployment.
The following are the list of files that will be downloaded as part of the installation package.
EBSAuth.war
security.properties
log4j2.xml
EBSdatasource.jar
Login to the server where Apache Tomcat / Weblogic or your preferred application server has been installed and copy all the above files into a temporary location.
Set an environment variable 'EIK_HOME' resolving the path to the application server installation directory.
Navigate to $EIK_HOME directory. Create a new directory named 'EBSAuth'. Assign read & write privileges to the EBSAuth directory.
Obtain or download the Authenion-EIK license from the Like Minds Support portal. Copy the license file 'ebsauth.lic' and move it to a temporary location in the Apache tomcat / Weblogic server.
Copy the license file to the following directory:
Locate the EIKAuth.config & EIK.dbcx files from the temporary location (Generated and copied to Apache tomcat / Weblogic server in the previous sections).
Copy both the files to the following directory:
Locate the security.properties & log4j2.xml files from the temporary location. Copy both the files to the following directory:
Locate the EBSAuth.war file from the temporary location. Copy the file to the following directory:
Restart the Apache Tomcat / Weblogic services.
This completes the deployment of Authenion-EIK in the Apache Tomcat / Weblogic application server.
Repeat the steps above in all the servers, if Apache Tomcat / Weblogic is configured for H/A.
Following is the example for a Linux system:
Linux: export EIK_HOME=<path to Apache tomcat / Weblogic installation directory>
Add the above command to the .bash_profile file and source it.
Following is the example for a Windows system:
Windows: Open the 'Environment variables' option in System Properties. Add the system variable as EIK_HOME and set its value to the Apache tomcat / Weblogic installation directory.
$EIK_HOME/EBSAuth/
$EIK_HOME/EBSAuth/
$EIK_HOME/EBSAuth/
$CATALINA_HOME/webapps/
Note: A single Authenion-EIK deployment will connect with only one Oracle EBS Application for SSO. However, if you have requirements to connect with multiple Oracle EBS environments for SSO, you can deploy multiple instances of Authenion-EIK in the same Apache Tomcat / Weblogic server by changing the 'Context Path'. For example, you can follow the above steps 1 to 14 and deploy plugins by changing the .war filename to 'EBSAuth_DEV.war' & 'EBSAuth_PRD.war' in the Apache tomcat / Weblogic servers and point to appropriate Oralce EBS application environments.
Configure Oracle EBS System Profile options
This section will guide you to configure the system profile options that enable Single Sign-On to the Oracle E-Business Suite application. These system profile options are Oracle recommended for enabling SSO with any providers.
Login to the Oracle E-Business suite application as a 'System Administrator'
Navigate to 'System Profile' in System Administration. Edit the following system profile options as mentioned in the table:
After modifying the above system profile options, restart the Oracle E-Business suite application & database services. After successful restart of the services, you can test the Single Sign-On login.
Testing: Enter your Oracle EBS application url in a browser. The browser will redirect your request to the Identity Provider for authentication. Upon successful authentication, you will be redirected back to the Oracle EBS application homepage with your assigned roles & responsibilities.
This completes the setup for Authenion-EIK & Oracle E-Business suite integration for Single Sign-On.
| Configurations | Values |
|---|---|
|
Application SSO Type |
SSWA w/SSO |
|
Application Authenticate Agent |
For example, https://eik.example.com:8443/EBSAuth |
|
Application SSO Login Types |
Both |
|
Application SSO Auto Link User |
Enabled |
|
Application SSO LDAP Synchronization |
Disabled |
Oracle Application Express (APEX)
Oracle APEX SSO with Authenion
Oracle APEX is a web-based integrated development environment which simplifies the process of building applications and pages. It supports the use of HTTP Header variables to identify a user and to create a session for the user in Oracle APEX application.
Architecture
Configuration Steps
The following sections describes the configuration steps in Authenion & Oracle APEX application for Single Sign-On.
Pre-requisites
'First-mile' integration (connecting Authenion to an identity provider).
Firewall requirements between APEX, Authenion and IdP servers.
SSO Integration Workflow
| Tasks | Description |
|---|---|
|
Virtual Server in Authenion will be the user-facing URL of the Oracle APEX application. Virtual Server is defined by the hostname and port |
|
|
Application Host details is about the server responsible for hosting the Oracle APEX application and its components |
|
|
Headers Mappings in Authenion are used to send one or more user attribute values to Oracle APEX application as HTTP Header variables |
|
|
Resources in Authenion are the Oracle APEX application components that requires different security levels. APEX application can be configured with 'Protected' & 'Excluded' resources as per the requirements |
|
|
This setup in Authenion will register a unique entry for the Oracle APEX application |
|
|
Oracle APEX configuration that needs to be done for its application modules independently inside the Apex administration workspace |
Following are the configurations that needs to be done in the Authenion Administrative Console to onboard the Oracle APEX application for Single Sign-On.
Virtual Server
Following is an example configuration of a Virtual Server for Oracle APEX application.
Application Host
Following is an example configuration of an Application Host in Authenion for Oracle APEX application.
Header Mapping
Following is an example configuration of a Header Mapping for Oracle APEX application.
Resources
Following is an example configuration of Protected & Excluded Resources in Authenion for Oracle APEX application.
Registering an Application for Oracle APEX in Authenion
Following is an example configuration of creating an Application in Authenion for Oracle APEX.
| Configuration | Values |
|---|---|
|
Name |
Apex |
|
Virtual Server |
ApexVirtualServer |
|
Header Mapping |
ApexHeaders |
|
Protected Resource |
ApexProtected |
|
Excluded Resource |
ApexExcluded |
|
Application Host |
ApexBackend |
|
Authenion Instances |
Auto populated |
SSO Setup in Oracle APEX Application
Oracle APEX administrators can configure the available HTTP Header authentication schemes in APEX workspace to enable Single Sign-On with Authenion. The authentication schemes should be configured per APEX application and need to set its status as current. Click here to refer the Oracle Document.
Login to the Oracle APEX administrative console.
On the workspace homepage, click the App Builder icon.
Select the APEX application for which Single Sign-On needs to be enabled.
On the Application home page, click Shared Components.
Under Security, select an existing scheme or cretate a new scheme.
Modify the follwoing fields in the authentication scheme.
Scheme Type - Select 'HTTP-Header' variable
HTTP Header Variable Name - 'APEX_REMOTE_USER'
Click Save
Repeat steps 1 to 6 to enable SSO login for Oracle APEX application.
Oracle Hyperion
Oracle Hyperion SSO with Authenion
Oracle Hyperion is a centralized planning, budgeting, and forecasting tool that integrates different operational planning processes and enhances business predictability.
Architecture
Configuration Steps
The following sections describes the configuration steps in Authenion & Oracle Hyperion application for Single Sign-On.
1. Pre-requisites
'First-mile' integration (connecting Authenion to an identity provider).
Firewall requirements between Hyperion, Authenion and IdP servers.
SSO Integration Workflow
| Tasks | Description |
|---|---|
|
Virtual Server in Authenion will be the user-facing URL of the Oracle Hyperion application. Virtual Server is defined by the hostname and port |
|
|
Application Host details is about the server responsible for hosting the Oracle Hyperion application and its components |
|
|
Headers Mappings in Authenion are used to send one or more user attribute values to Oracle Hyperion application as HTTP Header variables |
|
|
Resources in Authenion are the Oracle Hyperion application components that requires different security levels. Hyperion application can be configured with 'Protected' & 'Excluded' resources as per the requirements |
|
|
This setup in Authenion will register a unique entry for the Oracle Hyperion application |
|
|
Oracle Hyperion configuration that needs to be done for its application modules independently inside the Hyperion administration workspace |
Following are the configurations that needs to be done in the Authenion Administrative Console to onboard the Oracle Hyperion application for Single Sign-On.
Virtual Server
Following is an example configuration of a Virtual Server for Oracle Hyperion application.
Application Host
Following is an example configuration of an Application Host in Authenion for Oracle Hyperion application.
Header Mapping
Following is an example configuration of a Header Mapping for Oracle Hyperion application.
Resources
Following is an example configuration of Protected & Excluded Resources in Authenion for Oracle Hyperion application.
Registering an Application for Oracle Hyperion in Authenion
Following is an example configuration of creating an Application in Authenion for Oracle Hyperion.
| Configuration | Values |
|---|---|
|
Name |
Hyperion |
|
Virtual Server |
HyperionVirtualServer |
|
Header Mapping |
HyperionHeaders |
|
Protected Resource |
HyperionProtected |
|
Excluded Resource |
HyperionExcluded |
|
Application Host |
HyperionBackend |
|
Authenion Instances |
Auto populated |
SSO setup in Oracle Hyperion Application
Hyperion application can be integrated with Authenion for Single Sign-On. Following setup allows you to enable SSO to Hyperion application.
-
Access Oracle Hyperion Shared Services Console as a System Administrator. See Launching Shared Services Console.
-
Select Administration, and then Configure User Directories.
Click Security Options.
-
In the Single Sign-On Configuration section:
Select the Enable SSO check box
-
From SSO Provider or Security Agent drop-down list, select Other
-
From SSO Mechanism drop-down list, select Custom HTTP Header and then specify the name of the header that the security agent passes to EPM System (‘SSO_USER’).
-
Click OK
Oracle Primavera Unifier
Oracle Unifier SSO with Authenion
Oracle Primavera Unifier allows customers to digitize and automate their capital asset planning and execution processes, which helps improve profitability, operational reliability, and risk management.
Architecture
Configuration Steps
The following sections describes the configuration steps in Authenion & Oracle Unifier application for Single Sign-On.
1. Pre-requisites
'First-mile' integration (connecting Authenion to an identity provider).
Firewall requirements between Unifier, Authenion and IdP servers.
SSO Integration Workflow
| Tasks | Description |
|---|---|
|
Virtual Server in Authenion will be the user-facing URL of the Oracle Unifier application. Virtual Server is defined by the hostname and port |
|
|
Application Host details is about the server responsible for hosting the Oracle Unifier application and its components |
|
|
Header Mappings in Authenion are used to send one or more user attribute values to Oracle Unifier application as HTTP header variables |
|
|
Resources in Authenion are the Oracle Unifier application components that requires different security levels. Unifier application can be configured with 'Protected' & 'Excluded' resources as per the requirements |
|
|
This setup in Authenion will register a unique entry for the Oracle Unifier application |
|
|
Oracle Unifier configuration needs to be done for its application modules independently inside the Unifier administration workspace |
Following are the configurations that needs to be done in the Authenion Administrative Console to onboard the Oracle Unifier application for Single Sign-On.
Virtual Server
Following is an example configuration of a Virtual Server for Oracle Unifier application.
Application Host
Following is an example configuration of an Application Host in Authenion for Oracle Unifier application.
Header Mapping
Following is an example configuration of a Header Mapping for Oracle Unifier application.
Resources
Following is an example configuration of Protected & Excluded Resources in Authenion for Oracle Unifier application.
Registering an Application for Oracle Unifier in Authenion
Following is an example configuration of creating an Application in Authenion for Oracle Unifier.
| Configuration | Values |
|---|---|
|
Name |
Unifier |
|
Virtual Server |
UnifierVirtualServer |
|
Header Mapping |
UnifierHeaders |
|
Protected Resource |
UnifierProtected |
|
Excluded Resource |
UnifierExcluded |
|
Application Host |
UnifierBackend |
|
Authenion Instances |
Auto populated |
SSO Setup in Oracle Unifier Application
The following setup enables SSO login to the Unifier application.
Create a property file called custom.properties and load it along with the skire.properties file.
The custom.properties file must define the following three SSO configuration properties:
Set the name of the header that will contain a valid Unifier username:
Set your logoff redirect URI after user logs out of Unifier:
(HTTP_header = 'remote_user')
SSO Logout URL = https://unifier.example.com/ssolibrary/oidc/logout
Oracle Agile PLM
Oracle Agile PLM SSO with Authenion
Agile PLM is designed to help its customers to make better product portfolio decisions, supply chain partners, collaborate across design, and accelerate new product introduction. It also provides features , processes and work flows such as approval processes for the data types and associated files.
Architecture
Configuration Steps
The following sections describes the configuration steps in Authenion & Oracle Agile PLM application for Single Sign-On.
1. Pre-requisites
'First-mile' integration (connecting Authenion to an identity provider).
Firewall requirements between Agile, Authenion and IdP servers.
SSO Integration Workflow
| Tasks | Description |
|---|---|
|
Virtual Server in Authenion will be the user-facing URL of the Oracle Agile PLM application. Virtual Server is defined by the hostname and port |
|
|
Application Host details is about the server responsible for hosting the Oracle Agile PLM application and its components |
|
|
Headers Mappings in Authenion are used to send one or more user attribute values to Oracle Agile PLM application as HTTP Header variables |
|
|
Resources in Authenion are the Oracle Agile PLM application components that requires different security levels. Agile PLM application can be configured with 'Protected' & 'Excluded' resources as per the requirements |
|
|
This setup in Authenion will register a unique entry for the Oracle Agile PLM application |
|
|
Oracle Agile PLM configuration that needs to be done for its application modules independently inside the Agile PLM administration workspace |
Following are the configurations that needs to be done in the Authenion Administrative Console to onboard the Oracle Agile PLM application for Single Sign-On.
Virtual Server
Following is an example configuration of a Virtual Server for Oracle Agile PLM application.
Application Host
Following is an example configuration of an Application Host in Authenion for Oracle Agile PLM application.
Header Mapping
Following is an example configuration of a Header Mapping for Oracle Agile PLM application.
Resources
Following is an example configuration of Protected & Excluded Resources in Authenion for Oracle Agile PLM application.
Registering an Application for Oracle Agile PLM in Authenion
Following is an example configuration of creating an Application in Authenion for Oracle Agile PLM.
| Configuration | Values |
|---|---|
|
Name |
Agile PLM |
|
Virtual Server |
AgileVirtualServer |
|
Header Mapping |
AgileHeaders |
|
Protected Resource |
AgileProtected |
|
Excluded Resource |
AgileExcluded |
|
Application Host |
AgileBackend |
|
Authenion Instances |
Auto populated |
SSO setup in Oracle Agile PLM Application
Agile PLM application can be integrated with Authenion for Single Sign-On. Following setup allows you to enable SSO to Agile PLM application
Navigate to the WebLogic console where the Agile PLM application is installed and create AgileIdentityAsserter.
-
in WLS Console
Click Lock and Edit
Move to Summary of Security Realms >AgileRealm >Providers
Click New
Create AgileIdentityAsserter Authentication with "AgileIdentityAssertion" Provider
Open the added AgileIdentityAsserter
Select the Active type as ‘remote_user’ and Save.
Click Activate Changes.
Logout from the console
-
Open ‘agile.Properties’ file, and add the below settings: oam.header.name = remote_user oam.sso.logout.url = https://
:<443>/ssolibrary/oidc/logout -
Open the Web.xml (\application.ear\application.war\WEB-INF\ web.xml) and change auth-method as below:
client-cert, form -
Restart the WebLogic Application Server where the Agile Application is installed.
Login to Agile Java Client.
-
Navigate to the Location node.
Enter the Web Server Proxy URL
-
Restart the File Manager