SSO Setup Using Custom Pre-Authentication Proxy
Prerequisites
Authentication and authorization are supported only on Orchestra Central. There is no support for a Pre-Authentication solution on Distributed Queue Agents.
Authentication and authorization are based on HTTP header values set by the authenticating proxy server.
Headers for username, roles, branches, and user first and last name are supported.
Orchestra Central Configuration
1. First, determine which header values the authentication proxy will send. Mandatory headers are for username and roles.
2. Navigate to System Administration -> Parameters -> Pre Authentication and Authorization Settings.
3. Modify the default values so that they match the authentication proxy in use:
Enabled - set to true
User name header - set to the HTTP header for user name
Group mapping IDs header - set to the HTTP header for roles
Branch mapping IDs header - (Optional) set to the HTTP header that contains branch IDs / names
Given name header - set to the HTTP header that contains user’s given name
Surname header - set to the HTTP header that contains the user’s surname
4. Next, navigate to User Management -> Pre Authorization.
5. Add the mappings corresponding to the roles and branch headers configured above.
All role names in the received values for the HTTP header configured for Group mapping IDs header should be entered in the name field for type Role.
All branch names in the received values for the HTTP header configured for Branch mapping IDs header should be entered in the name field for type Branch.
For example, if the HTTP header Group mapping IDs is configured with value iv-groups and if reception-user is transmitted in the HTTP request for the HTTP header iv-groups, then a role mapping is needed between reception-user and the Orchestra role ReceptionUser.
6. Open the configuration file <orchestra_install_dir>\conf\shiro.ini. Change the following lines accordingly:
```
#preAuthSessionListener = com.qmatic.qp.core.aaa.shiro.preauth.SessionListener
#securityManager.sessionManager.sessionListeners = $preAuthSessionListener
```
7. If the shiro.ini file contains the following line, make sure that you remove it!
```
#preAuthRealm.authorizationCachingEnabled = false
```
8. Change the securityManager.realms section so that the preAuthRealm is enabled:
```
#securityManager.realms = $ssoRealm, $ldapRealm, $agentRealm
# Change line above this to the one below to use pre-authentication via an authenticating proxy
securityManager.realms = $ssoRealm, $ldapRealm, $agentRealm, $preAuthRealm
```
9. Enable the preAuthFilter:
```
preAuthFilter = com.qmatic.qp.core.aaa.shiro.preauth.Filter
preAuthFilter.agentDataSource = $agentDS
```
10. Add the preAuthFilter to all URLs that need to be exposed to the pre-authentication proxy. In general, all URLs defined in shiro.ini EXCEPT those defined as “anon”, “/login.jsp”, “/logout.jsp”, “/qsystem/rest/security/account/**” can be enabled.
Example (not complete, more URLs might apply in your Orchestra installation):
```
/ping.html = anon
/pages/* = preAuthFilter, qpAuthc
/home.html = preAuthFilter, qpAuthc
/login.jsp = qpAuthc
/logout.jsp = logout
# Central applications
/qsystem/system-web/** = preAuthFilter, qpAuthc, modules[cfm]
/qsystem/aaaconfig-web/** = preAuthFilter, qpAuthc, modules[user]
/qsystem/surfaceeditor/rest/** = anon
/qsystem/surfaceeditor/** = preAuthFilter, qpAuthc, modules[surface]
/qsystem/administration/** = preAuthFilter, qpAuthc, modules[unitType,license,widget,backup,parameter]
/qsystem/surfaceexplorer/** = preAuthFilter, qpAuthc, modules[journeySchedule,journeyCreator,journeyPlayList]
...
/qsystem/rest/security/login = preAuthFilter, qpBasicAuthc
/qsystem/rest/security/account/** = noSessionCreation, ipFilter[127.0.0.1,0:0:0:0:0:0:0:1]
/qsystem/rest/dm/** = preAuthFilter, qpBasicAuthc, noSessionCreation, modules[adminConnect]
...
```
11. Finally, restart Orchestra.
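The header-to-principal logic that steps 3 and 5 configure, as an added illustrative model (not Qmatic's Filter implementation): the header names other than iv-groups, the comma separator for multi-valued headers, the branch mapping and the trusted-proxy address are assumptions.

```python
# Constructed model of header-based pre-authentication for illustration only.
# Not Qmatic's code. Assumptions: header names (except iv-groups, taken from
# the page's example), comma-separated multi-valued headers, the branch
# mapping, and the address of the authenticating proxy.
from dataclasses import dataclass, field

# Values as entered under Pre Authentication and Authorization Settings
SETTINGS = {
    "enabled": True,
    "user_name_header": "iv-user",              # assumed header name
    "group_mapping_ids_header": "iv-groups",    # from the page's example
    "branch_mapping_ids_header": "iv-branches", # assumed header name
}

# Mappings as entered under User Management -> Pre Authorization
ROLE_MAPPINGS = {"reception-user": "ReceptionUser"}  # page's example
BRANCH_MAPPINGS = {"hq": "Head Office"}             # assumed

# Only requests that really come from the proxy may carry trusted headers
TRUSTED_PROXY_IPS = {"10.0.0.5"}  # assumed proxy address

@dataclass
class Principal:
    username: str
    roles: list = field(default_factory=list)
    branches: list = field(default_factory=list)

def _split(value):
    """Split a multi-valued header into trimmed, non-empty items."""
    return [v.strip() for v in value.split(",") if v.strip()]

def pre_authenticate(headers, remote_addr):
    """Return a Principal when a trusted request carries the mandatory headers
    (user name and roles); return None so the normal login path is used otherwise."""
    if not SETTINGS["enabled"] or remote_addr not in TRUSTED_PROXY_IPS:
        return None
    h = {k.lower(): v for k, v in headers.items()}  # header names are case-insensitive
    username = h.get(SETTINGS["user_name_header"].lower(), "").strip()
    groups = h.get(SETTINGS["group_mapping_ids_header"].lower(), "")
    if not username or not groups:  # both headers are mandatory
        return None
    # Values without a configured mapping are dropped rather than granted
    roles = [ROLE_MAPPINGS[g] for g in _split(groups) if g in ROLE_MAPPINGS]
    branch_values = h.get(SETTINGS["branch_mapping_ids_header"].lower(), "")
    branches = [BRANCH_MAPPINGS[b] for b in _split(branch_values) if b in BRANCH_MAPPINGS]
    return Principal(username, roles, branches)
```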
Vendor-specific Configuration
WebSEAL
Integrations using WebSEAL need to have the “-j” flag set for junctions connecting to Orchestra, to get junction cookies, so that WebSEAL handles server-relative paths properly.