Centralised authentication

Geoconcept Web can centralise authentication, delegating the handling of user identifiers and passwords to a third-party directory.

You can EITHER use single sign-on (SSO) with a social network account (Google and/or Twitter), OR use your organisation’s Active Directory or Windows domain. Of the three methods described, only the last one lets users access Geoconcept Web without going through the login page.

To do this, first stop the Tomcat service, then add a text file called geoweb-credentials.properties to the <TOMCAT_HOME>\lib\ folder and edit it as required, as explained in the following sections.

[Tip] Tip

In the geoweb-credentials.properties file, the social network and Active Directory configurations can be combined. However, SSO with Active Directory cannot be combined with the other methods.

Social networks (SSO)

Google

Activation

Using Google for SSO takes two stages:

  • Activation of the Google+ API

Go to the Google+ API Web site, sign in with a Google account, then click Activate.

  • Create a project

Go to the Google API Web site, sign in with a Google account, click Create a project, enter the Project name, then click Create.

Create credentials: choose OAuth client ID, then Web application as the Application type, enter a Name, and add an authorised redirect URI in the following format:

http://<server>/geoconcept-web/google/callback?client_name=Google2Client

Next, retrieve:

  • Client ID, example: 1234567890123-85v762t4vk45895qixaiuf4b37be.apps.googleusercontent.com
  • Client secret, example: U9R5bpR9PaSfmu984S

Configuration

Edit the geoweb-credentials.properties file adding the following parameters:

  • google.activated: true or false to enable or disable the function
  • google.key: the value of the Client ID
  • google.secret: the value of the client secret
  • google.callbackUrl: the callback path, /google/callback
  • google.declaredCallbackUrl: the full callback URL (e.g. http://<server>/geoconcept-web/google/callback)

Example 

#Google
google.activated=true
google.key=1234567890123-85v762t4vk45895qixaiuf4b37be.apps.googleusercontent.com
google.secret=U9R5bpR9PaSfmu984S
google.callbackUrl=/google/callback
google.declaredCallbackUrl=http://<server>/geoconcept-web/google/callback

Administration

Having edited the geoweb-credentials.properties file, start the Tomcat server.

From the Administration ▸ Rights ▸ Origins menu, choose the GOOGLE identifier:

  • Change the name as necessary
  • Authorise user creation
  • Choose a Pattern, for example geoconcept.com to accept only matching e-mail addresses.
  • Choose the group in which users will be created by default. Once the account is created, the group can be changed via the Administration ▸ Rights ▸ Users menu.

Utilisation

To sign in with Google SSO, the user clicks Connect with Google,

Login page with Google SSO
gcweb-reference-img/guide-reference/sso_google_1.png

then signs in to Google or chooses the Google account to use.

Select a Google account
gcweb-reference-img/guide-reference/sso_google_2.png

If the account does not exist in Geoconcept Web, it is created automatically the first time a connection is established.

Twitter

Activation

Activation of the Twitter SSO takes place in a single step:

  • Creation of a Twitter application

Go to the Application Management Web site, sign in with a Twitter account, then fill in the form:

Next, retrieve:

  • key, example: U9R5bpR9PaSfmu984S
  • secret, example: j7m82A2SyTh64QPf3uS3ZsbZqa5jGdU6MU95u74U

Configuration

Edit the geoweb-credentials.properties file adding the following parameters:

  • twitter.activated: true or false to activate or de-activate the function
  • twitter.key: the value of the key
  • twitter.secret: the value of the secret
  • twitter.callbackUrl: the callback path, /twitter/callback
  • twitter.declaredCallbackUrl: the full callback URL (e.g. http://<server>/geoconcept-web/twitter/callback)

Example 

#Twitter
twitter.activated=true
twitter.key=U9R5bpR9PaSfmu984S
twitter.secret=j7m82A2SyTh64QPf3uS3ZsbZqa5jGdU6MU95u74U
twitter.callbackUrl=/twitter/callback
twitter.declaredCallbackUrl=https://<server>/geoconcept-web/twitter/callback

Administration

Having edited the geoweb-credentials.properties file, start the Tomcat server.

From the Administration ▸ Rights ▸ Origins menu, choose the TWITTER identifier:

  • Change the name as necessary
  • Authorise user creation
  • Pattern (not used with this method)
  • Choose the group in which users will be created by default. Once the account is created, the group can be changed via the Administration ▸ Rights ▸ Users menu.

Utilisation

To sign in with Twitter SSO, the user clicks Connect with Twitter,

Login page with Twitter SSO
gcweb-reference-img/guide-reference/sso_twitter.png

then signs in to a Twitter account.

If the account does not exist in Geoconcept Web, it is created automatically the first time a connection is established.

Active Directory

[Warning] Warning

To connect via Active Directory, the server on which Geoconcept Web is installed must be able to reach the organisation’s AD server.

Configuration

Edit the geoweb-credentials.properties file adding the following parameters:

  • ad.activated: true or false to enable or disable the function
  • ad.domain: the domain name
  • ad.url: the AD server URL

As well as the following line, which defines the search filter used to look up the user ({0} is replaced by the login name):

ad.searchFilter=(&(objectClass=user)(userPrincipalName={0}))

Example 

#Active Directory
ad.activated=true
ad.domain=domain
ad.url=ldap://domain:port/
ad.searchFilter=(&(objectClass=user)(userPrincipalName={0}))
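The {0} placeholder in ad.searchFilter is filled in at login time with the name the user typed. This page does not describe how Geoconcept Web performs that substitution; the following added example (not the product's own code) shows the RFC 4515 escaping any such substitution needs so that filter metacharacters in a login name are matched literally, plus a check that the filter built from the page's template still contains exactly its two assertions. The AD_SEARCH_FILTER value is the one on this page; the login names in the tests are constructed.

```python
"""RFC 4515 escaping for the {0} substitution in an LDAP search filter.

Added example; not Geoconcept Web code. Only the filter template comes from
the documentation page; the helpers and sample logins are this example's own.
"""
import re

# RFC 4515 section 3: characters that must be escaped inside an assertion value.
_LDAP_ESCAPES = {
    "\\": r"\5c",
    "*": r"\2a",
    "(": r"\28",
    ")": r"\29",
    "\x00": r"\00",
}

# Filter template from geoweb-credentials.properties (as given on this page).
AD_SEARCH_FILTER = "(&(objectClass=user)(userPrincipalName={0}))"

# One "(attribute=value)" assertion; the value part may not contain a raw parenthesis.
_ASSERTION = re.compile(r"\([A-Za-z][\w.-]*=[^()]*\)")


def escape_filter_value(value: str) -> str:
    """Escape a string for use as an RFC 4515 assertion value (each char mapped once)."""
    return "".join(_LDAP_ESCAPES.get(ch, ch) for ch in value)


def build_search_filter(login: str, template: str = AD_SEARCH_FILTER) -> str:
    """Fill the {0} placeholder of the template with the escaped login name."""
    if "{0}" not in template:
        raise ValueError("template has no {0} placeholder")
    return template.replace("{0}", escape_filter_value(login))


def assertion_count(ldap_filter: str) -> int:
    """Number of (attribute=value) assertions in a filter string.

    escape_filter_value never emits a literal parenthesis, so a filter built from
    AD_SEARCH_FILTER keeps exactly two assertions whatever the login contained.
    """
    return len(_ASSERTION.findall(ldap_filter))


if __name__ == "__main__":
    # Constructed logins: a plain UPN and one carrying filter metacharacters.
    for login in ("j.doe@example.com", "j.doe (sales)*@example.com"):
        built = build_search_filter(login)
        print(built, "->", assertion_count(built), "assertions")
```

The escaped output can be pasted into an ldapsearch or directory-side query to confirm that the directory matches the login literally and does not treat the metacharacters as filter syntax.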

Administration

Having edited the geoweb-credentials.properties file, start the Tomcat service.

From the Administration ▸ Rights ▸ Origins menu, choose the AD identifier:

  • Change the name as necessary
  • Authorise user creation
  • Pattern (not used with this method)
  • Choose the group in which users will be created by default. When the account is created, it is possible to change group via the Administration ▸ Rights ▸ Users menu.

Utilisation

The user connects to the application with their usual credentials: if the account does not exist in Geoconcept Web, it is created automatically the first time a connection is established.

Active Directory and Windows domain (SSO)

[Warning] Warning

To log in with this method, the server on which Geoconcept Web is installed must be able to reach EITHER the organisation’s AD server OR the Windows domain.

Configuration

Edit the geoweb-credentials.properties file adding the following parameters:

  • ssoad.activated: true or false to enable or disable the function

Example 

#SSO AD
ssoad.activated=true

Run the following SQL script, replacing the active.directory.name string with the name of the Active Directory or Windows domain to use:

INSERT INTO public.gw_parameter(
        id, description, value)
        VALUES ('authentification.ssoad.domain', '', 'active.directory.name');

INSERT INTO public.gw_user_origin(
        id, origin_label, include_pattern, allow_user_creation)
        VALUES ('SSOAD', 'SSOAD', '', 'T');

INSERT INTO public.gw_user_origin_group_def(
        origin_id, group_id)
        VALUES ('SSOAD', '3');

then start the Tomcat service.
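Because the google.*, twitter.*, ad.* and ssoad.* blocks above are all written into the same geoweb-credentials.properties file by hand, it is worth checking the file before starting Tomcat. The following added example (not part of Geoconcept Web) parses the key=value format shown on this page and reports the mistakes that are easy to make: a documentation placeholder such as <server> or :port left in, a declaredCallbackUrl that does not end in the matching callbackUrl path, a searchFilter without {0}, and an activated ssoad alongside another method (this page's Tip states that Active Directory SSO cannot be combined with the other methods). The warning about plain-http callback URLs is this example's own recommendation, not a statement from the page; the sample file contents are constructed, reusing the page's example key and secret values.

```python
"""Consistency checks for a geoweb-credentials.properties file.

Added example, not Geoconcept Web code. Required keys per provider come from
this page's parameter lists; the ssoad exclusivity rule is the page's Tip;
the remaining checks are assumptions about a sensible deployment.
"""
from urllib.parse import urlparse

# Keys each provider requires when it is activated (from this page).
REQUIRED = {
    "google": ("key", "secret", "callbackUrl", "declaredCallbackUrl"),
    "twitter": ("key", "secret", "callbackUrl", "declaredCallbackUrl"),
    "ad": ("domain", "url", "searchFilter"),
    "ssoad": (),
}


def parse_properties(text):
    """Minimal Java .properties reader: '#'/'!' comments, key=value or key:value.
    Escape sequences and line continuations are not handled (not needed here)."""
    props = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#!":
            continue
        seps = [i for i in (line.find("="), line.find(":")) if i >= 0]
        if not seps:
            continue
        sep = min(seps)  # first separator wins, so ':' inside a URL value is kept
        props[line[:sep].strip()] = line[sep + 1:].strip()
    return props


def is_active(props, provider):
    return props.get(provider + ".activated", "false").lower() == "true"


def check_credentials(props):
    """Return a list of human-readable problems; an empty list means the file passed."""
    problems = []
    active = [p for p in REQUIRED if is_active(props, p)]

    # Tip on this page: Active Directory SSO is not possible together with the other methods.
    if "ssoad" in active and len(active) > 1:
        problems.append("ssoad cannot be combined with: " + ", ".join(p for p in active if p != "ssoad"))

    for provider in active:
        for key in REQUIRED[provider]:
            full = provider + "." + key
            value = props.get(full, "")
            if not value:
                problems.append(full + " is missing or empty")
            elif "<" in value and ">" in value:
                problems.append(full + " still contains a documentation placeholder: " + value)

        # The absolute URL registered at the provider must end in the local callback path.
        declared = props.get(provider + ".declaredCallbackUrl", "")
        path = props.get(provider + ".callbackUrl", "")
        if declared and path:
            parsed = urlparse(declared)
            if parsed.scheme not in ("http", "https") or not parsed.netloc:
                problems.append(provider + ".declaredCallbackUrl is not an absolute http(s) URL")
            elif not parsed.path.endswith(path):
                problems.append(provider + ".declaredCallbackUrl does not end with " + path)
            if parsed.scheme == "http":
                problems.append(provider + ".declaredCallbackUrl uses plain http; the OAuth "
                                "authorisation code would cross the network unencrypted")

    if is_active(props, "ad"):
        parsed = urlparse(props.get("ad.url", ""))
        if parsed.scheme not in ("ldap", "ldaps"):
            problems.append("ad.url must start with ldap:// or ldaps://")
        else:
            try:
                parsed.port  # raises ValueError when the port is not numeric (e.g. ':port')
            except ValueError:
                problems.append("ad.url has a non-numeric port: " + props["ad.url"])
        flt = props.get("ad.searchFilter", "")
        if flt and "{0}" not in flt:
            problems.append("ad.searchFilter has no {0} placeholder for the login name")
    return problems


# Constructed sample files (not real credentials; key/secret are the page's example values).
SAMPLE_OK = """\
#Google
google.activated=true
google.key=1234567890123-85v762t4vk45895qixaiuf4b37be.apps.googleusercontent.com
google.secret=U9R5bpR9PaSfmu984S
google.callbackUrl=/google/callback
google.declaredCallbackUrl=https://gis.example.com/geoconcept-web/google/callback
#Active Directory
ad.activated=true
ad.domain=example.com
ad.url=ldaps://dc1.example.com:636/
ad.searchFilter=(&(objectClass=user)(userPrincipalName={0}))
ssoad.activated=false
"""

SAMPLE_BAD = """\
google.activated=true
google.key=1234567890123-85v762t4vk45895qixaiuf4b37be.apps.googleusercontent.com
google.secret=U9R5bpR9PaSfmu984S
google.callbackUrl=/google/callback
google.declaredCallbackUrl=http://<server>/geoconcept-web/google/callback
ad.activated=true
ad.domain=domain
ad.url=ldap://domain:port/
ad.searchFilter=(&(objectClass=user)(userPrincipalName={0}))
ssoad.activated=true
"""

if __name__ == "__main__":
    for name, text in (("ok", SAMPLE_OK), ("bad", SAMPLE_BAD)):
        found = check_credentials(parse_properties(text))
        print(name + ":", "no problems" if not found else "")
        for problem in found:
            print("  -", problem)
```

Run it against the real file with `check_credentials(parse_properties(open(path).read()))`; SAMPLE_BAD is the page's own example values left unedited, which the checks flag for the placeholder host, the non-numeric port and the ssoad conflict.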

Administration

From the Administration ▸ Rights ▸ Origins menu, choose the SSOAD identifier:

  • Change the name as necessary
  • Authorise user creation or not (enabled by default)
  • Pattern (not used with this method)
  • Edit the group in which users will be created (Super administrator by default). Once the account is created, you can change group via the Administration ▸ Rights ▸ Users menu.

[Tip] Tip

The authentification.ssoad.superAdminRole parameter (see the Advanced settings section) defines the Windows role (right) that grants Super administrator rights to a user.

[Tip] Tip

The authentification.ssoad.overloadCreateUser parameter (see the Advanced settings section) allows users to be created while Geoconcept Web is still in its initial, unconfigured state. If the origin does not authorise user creation and this parameter is set to true, the application overrides the origin configuration and users are created automatically.

Utilisation

The user connects to Geoconcept Web without having to enter their credentials, provided they are already authenticated on the machine from which they access the application. If the account does not exist in Geoconcept Web, it is created automatically the first time the connection is established.

[Warning] Warning

With this method, the Geoconcept Web disconnect (logout) function is not operational.

[Warning] Warning

To use this method in Firefox, the site must be declared as valid for SSO authentication. To do this, edit the Firefox configuration keys (via the about:config URL), adding the site as a value of the network.negotiate-auth.delegation-uris and network.negotiate-auth.trusted-uris preferences. For example, to access http://monsite:xxx/geoconcept-web, use the value http://monsite:xxx.

[Warning] Warning

A current limitation of the Edge browser is that, even when SSO has been set up, a popup still opens in which the user must log in before accessing the Geoconcept Web application.