Application Name: IAM Cloud - JSP
Publisher: IAMCloud
Date Entered: 11/21/2014
Date Modified: 
webNetwork Version: 6.2.1.189
Delivery Method: Custom JSP
Configuration: We have developed a JSP that you download, edit with the values for the application you have configured in IAM Cloud (API credentials, redirect URL and supplied key, see below), and copy to the \stoneware\webserv\custom folder on every webNetwork relay, naming it something like iamCloudSSO_myworkday.jsp. Because the edited JSP contains these secrets, restrict read access on the file to the webNetwork service account.
You would then create a standard link pointing to \custom\iamCloudSSO_appname.jsp.


Some details on this JSP

The JSP negotiates a connection (described below) with IAM Cloud and, after the relay has proved it is "trusted", the user is automatically signed in to whichever application they requested behind IAM Cloud (Office 365, MyWorkDay, etc.).

The JSP works as follows:

1. The Stoneware Relay makes a call to IAM Cloud's Authentication Server. It passes the customer's "API User Name" and "API Password" to the Authentication Server. These values are provided to each customer by IAM Cloud.

2. The IAM Cloud Authentication Server returns an "access token".

3. The Stoneware Relay sends this access token (as an HTTP header), along with the user's user ID, back to the IAM Cloud Authentication Server. In the JSP, the user ID is retrieved through a call to substituteVariables, which lets you pull the value from Stoneware's Password Manager, directory attributes, etc. for the current user.

4. The Authentication Server authenticates the user and returns a Short Lived Token (SLT).

5. The Stoneware Relay then redirects the user's browser to a URL at federate365.com. This URL contains a GUID that is unique to each customer and is assigned by IAM Cloud. The SLT from the previous step and the customer's "supplied key" are passed along with this URL. The supplied key is generated by the customer using IAM Cloud's software and must never be shared with anyone (not even IAM Cloud support).

6. If everything validates correctly, one of the following will happen:

a) If this is the user's first time using this method, they will be prompted to enter their IAM Cloud credentials manually. This sets up the "trust" relationship for that user. After entering them, the user is signed in to the requested application (Office 365, MyWorkDay, etc.).

b) If the user has used this method before, they are signed in automatically and do not have to enter their credentials.


It is important to work with IAM Cloud to get the following values/information:

1. API user name and password (provided by IAM Cloud).
2. Redirect URL, which contains the GUID assigned to your company.
3. Supplied Key. This one is generated by you with IAM Cloud's software rather than provided by IAM Cloud, and must not be shared with anyone.

While running the JSP, if errors occur, a generic message will appear. Adding a parameter named showErrors with a value of y to the end of the link makes the JSP show more detail about the error (HTTP status code, error response from IAM Cloud, etc.). Since any user can append this parameter, the detail is visible to anyone who tries; use it while troubleshooting and consider removing the debug branch from your copy of the JSP once the integration works.

For example,
/myapp/iamCloudSSO.jsp?showErrors=y
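The exchange in steps 1 to 6 above, together with the generic-versus-detailed error handling selected by showErrors, as an added simulation in Python. This is example code written for this note, not the JSP from the download link and not IAM Cloud's API: the endpoint methods, the X-Access-Token header, the slt/key parameter names, the GUID and the sample credentials are all assumptions, and both sides run in one process so it works offline.

```python
"""Constructed simulation of the IAM Cloud SSO exchange described above.

Both sides run in-process: a stand-in for IAM Cloud's authentication server
and its federate365.com endpoint, plus the relay-side logic the JSP performs.
Endpoint names, the header name, the query-parameter names, the GUID and the
token formats are assumptions made for this simulation, not IAM Cloud's API.
"""
import hmac
import secrets
import time
from urllib.parse import parse_qs, urlencode, urlparse

# Constructed sample values; none of these are real credentials.
API_USER = "customer-api-user"
API_PASSWORD = "customer-api-password"
SUPPLIED_KEY = "supplied-key-generated-by-customer"   # stays on the relay
REDIRECT_BASE = "https://federate365.com/sso/00000000-0000-0000-0000-000000000000"


class MockIamCloud:
    """Stand-in for the IAM Cloud authentication server and federate365 endpoint."""

    def __init__(self, api_user, api_password, supplied_key, slt_ttl=60):
        self._api_user, self._api_password = api_user, api_password
        self._supplied_key = supplied_key
        self._slt_ttl = slt_ttl
        self._access_tokens = {}   # access token -> expiry (epoch seconds)
        self._slts = {}            # SLT -> (user id, expiry); removed on first use
        self._trusted = set()      # users who completed the one-time credential prompt

    def token(self, api_user, api_password):
        """Steps 1-2: customer API credentials -> access token."""
        if not (hmac.compare_digest(api_user, self._api_user)
                and hmac.compare_digest(api_password, self._api_password)):
            return 401, {"error": "invalid API credentials"}
        tok = secrets.token_urlsafe(32)
        self._access_tokens[tok] = time.time() + 300
        return 200, {"access_token": tok}

    def slt(self, headers, user_id):
        """Steps 3-4: access token (HTTP header) + user id -> Short Lived Token."""
        tok = headers.get("X-Access-Token", "")          # header name assumed
        if self._access_tokens.get(tok, 0) < time.time():
            return 401, {"error": "access token missing or expired"}
        if not user_id:
            return 400, {"error": "user id required"}
        slt = secrets.token_urlsafe(32)
        self._slts[slt] = (user_id, time.time() + self._slt_ttl)
        return 200, {"slt": slt}

    def federate(self, redirect_url):
        """Steps 5-6: the browser lands on federate365 carrying SLT and supplied key."""
        q = parse_qs(urlparse(redirect_url).query)
        slt, key = q.get("slt", [""])[0], q.get("key", [""])[0]
        if not hmac.compare_digest(key, self._supplied_key):
            return "rejected: supplied key mismatch"
        user_id, expiry = self._slts.pop(slt, (None, 0))  # single use: replay fails
        if user_id is None or expiry < time.time():
            return "rejected: SLT unknown, already used or expired"
        if user_id not in self._trusted:                 # 6a: first time for this user
            self._trusted.add(user_id)
            return f"prompt {user_id} for IAM Cloud credentials"
        return f"signed in {user_id}"                     # 6b: trust already established


def relay_sso(iam, user_id, show_errors=False):
    """Relay side (what the JSP does): get an SLT and build the browser redirect.

    user_id is passed in directly; the real JSP obtains it via substituteVariables.
    """
    status, body = iam.token(API_USER, API_PASSWORD)
    if status != 200:
        return _error("access token request", status, body, show_errors)
    status, body = iam.slt({"X-Access-Token": body["access_token"]}, user_id)
    if status != 200:
        return _error("SLT request", status, body, show_errors)
    params = {"slt": body["slt"], "key": SUPPLIED_KEY}   # parameter names assumed
    return {"redirect": REDIRECT_BASE + "?" + urlencode(params)}


def _error(stage, status, body, show_errors):
    """Generic message by default; detail only when the link carried showErrors=y."""
    if show_errors:
        return {"error": f"{stage} failed: HTTP {status}, response {body}"}
    return {"error": "Single sign-on failed. Contact your administrator."}


if __name__ == "__main__":
    iam = MockIamCloud(API_USER, API_PASSWORD, SUPPLIED_KEY)
    first = relay_sso(iam, "alice@example.com")
    print(iam.federate(first["redirect"]))      # first visit: credential prompt
    second = relay_sso(iam, "alice@example.com")
    print(iam.federate(second["redirect"]))     # later visit: signed in
    print(iam.federate(second["redirect"]))     # replayed SLT: rejected
```

Running the file shows the first-visit prompt, a later automatic sign-in, and a replayed SLT being rejected. The checks in federate (single-use SLT, expiry, constant-time comparison of the supplied key) model what the relay has to rely on IAM Cloud to enforce, because once the redirect is issued the SLT and supplied key pass through the user's browser rather than staying between the relay and IAM Cloud.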



Download the JSP here:
http://swdl.stone-ware.com/support/techdocs/3rdparty/iamCloudSSO_example.txt

 
Notes

Because IAM Cloud recently updated their SSL certificate to a GoDaddy SHA-256 certificate, you will also need to update your cacerts root certificate keystore. JRE 7, which webNetwork uses, does not ship with the new GoDaddy root certificate, so until it is added the relay cannot validate IAM Cloud's certificate chain and the JSP's calls to IAM Cloud will fail.

Download the following file:
http://swdl.stone-ware.com/support/techdocs/3rdparty/cacerts-02242015.zip

Extract the cacerts file from the ZIP archive and copy it to the following folder on each of your webNetwork servers:
/stoneware/jre/lib/security/

**You must shut down the webNetwork service before copying the file, as the current file will be in use. Keep a backup of the existing cacerts: the downloaded file replaces the whole trust store, so any certificates you imported into the old one yourself (an internal CA, for example) will need to be re-imported into the new file.
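A check worth running before the swap, as an added example that is not from the article: compare the aliases in your current cacerts with the downloaded one, so you know which entries (an internal CA you imported yourself, say) must be re-imported afterwards, and confirm the new file really lists a GoDaddy root. It assumes keytool (included with the JRE) is on the PATH and that both keystores use the JRE's default store password changeit; both are assumptions. The keytool listing text used to exercise the parsing functions is constructed.

```shell
#!/bin/sh
# Added example, not from the original article. Compares the relay's current
# cacerts with the downloaded one before the swap. Assumptions: keytool is on
# PATH and both keystores use the JRE default store password "changeit".

# Print the sorted aliases found in `keytool -list` output read from stdin.
# Entry lines look like:  alias, Jun 1, 2000, trustedCertEntry,
aliases_from_listing() {
    grep -Ei 'trustedCertEntry|PrivateKeyEntry' | cut -d, -f1 | sort -u
}

# Aliases present in the first listing file but absent from the second.
# These are the entries you must re-import after replacing cacerts.
missing_aliases() {
    t=$(mktemp -d) || return 1
    aliases_from_listing <"$1" >"$t/old"
    aliases_from_listing <"$2" >"$t/new"
    comm -23 "$t/old" "$t/new"
    rm -rf "$t"
}

# Exit status 0 if a listing file names a GoDaddy entry.
lists_godaddy_root() {
    aliases_from_listing <"$1" | grep -qi godaddy
}

# Run both checks against real keystore files.
# Usage: compare_keystores /stoneware/jre/lib/security/cacerts ./cacerts [storepass]
compare_keystores() {
    old="$1"; new="$2"; pw="${3:-changeit}"
    t=$(mktemp -d) || return 1
    keytool -list -keystore "$old" -storepass "$pw" >"$t/old.txt" 2>&1 \
        || { echo "cannot read $old" >&2; rm -rf "$t"; return 1; }
    keytool -list -keystore "$new" -storepass "$pw" >"$t/new.txt" 2>&1 \
        || { echo "cannot read $new" >&2; rm -rf "$t"; return 1; }
    if lists_godaddy_root "$t/new.txt"; then
        echo "OK: $new lists a GoDaddy root"
    else
        echo "WARNING: $new lists no GoDaddy root; it will not fix the IAM Cloud chain" >&2
    fi
    echo "Aliases in $old that $new lacks (re-import these after the swap):"
    missing_aliases "$t/old.txt" "$t/new.txt"
    rm -rf "$t"
}
```

Run compare_keystores against the live keystore and the extracted download while the service is still up (keytool only reads the file), then stop the service, back up, copy, and re-import whatever the alias comparison listed with keytool -importcert into the new cacerts.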