OpenInsight Single Sign-On (SSO)
Introduced in OpenInsight 9.2, Single Sign-On (SSO) allows OpenInsight users and system administrators to simplify their OI security and administrative tasks. By configuring SSO, OpenInsight users can be authenticated via traditional OpenInsight methods, via Windows security, or via a combination of both.
To enable SSO, administrators must create or modify a record in the SYSENV table named CFG_LOGIN, or an application-specific record named CFG_LOGIN*<appname> (ie, CFG_LOGIN*EXAMPLES) to configure SSO for the specific application. The layout of the CFG_LOGIN and CFG_LOGIN*<appname> records is:
ID: CFG_LOGIN (global) or CFG_LOGIN*<appname> (for a specific application)
1. SSO flag
2. Normal groups] (for SSO flag = 2 only)
3. Admin groups] (for SSO flag = 2 only)
4. System Admin groups] (for SSO flag = 2 only)
If the SSO flag is set to 0 in the CFG_LOGIN*<appname> record, or in the CFG_LOGIN record if no CFG_LOGIN*<appname> record is found (or if neither CFG_LOGIN*<appname> nor CFG_LOGIN record is found), OpenInsight operates in "legacy" mode, continuing to use its existing (legacy) methods for authentication and validation. Usernames and passwords, either entered in response to OpenInsight prompts or passed via command-line parameters, will be checked against OI system records, and the user will either be admitted or denied admittance depending on the entered information.
If the SSO flag is set to 1 in the CFG_LOGIN*<appname> record, or in CFG_LOGIN if no CFG_LOGIN*<appname> record is found, OpenInsight operates in "hybrid SSO" mode. No username or password is required for entry (either systemwide if CFG_LOGIN record is used, or in the particular application if CFG_LOGIN*<appname> is used), so long as the username (as logged into Windows) is found in the OpenInsight system records. Administrators must, therefore, continue to create OpenInsight user entries for all valid OpenInsight users, defining which permissions level (normal, admin, or system admin) they should be granted. Hybrid SSO operation is provided mostly as a convenience to users, who need not specify their username and password to enter OpenInsight. If the OpenInsight user is not set as an administrator then an Application Entry Point must be set for the application.
If the SSO flag is set to 2 in the CFG_LOGIN*<appname> record, or in CFG_LOGIN if no CFG_LOGIN*<appname> record is found, OpenInsight operates in "strict SSO" mode. No username or password is required for entry (either systemwide if CFG_LOGIN record is used, or in the particular application if CFG_LOGIN*<appname> is used), so long as the user (as logged into Windows) belongs to one of the Windows groups defined in fields 2, 3, or 4. In strict SSO mode, the administrator is not required to enter the user into OpenInsight's system records; they need only ensure that the Windows user is a member of the appropriate group. If the Windows user is a member of any of the groups listed in field 4 (@VM delimited), they are admitted into OpenInsight with System Administrator privileges; if the user is a member of any of the groups listed in field 3 (@VM delimited), they are admitted with Administrator privileges; if the user is a member of any of the groups listed in field 2 (@VM delimited), they are admitted with normal privileges. Note that a user will be admitted with the highest privilege that can be found in any of the groups he or she is a member of. Also note that if the user _does_ have an entry in the OI legacy system records, they will be admitted with the privileges found in the OI system (similar to "hybrid SSO" mode).
When operating in strict SSO mode, OpenInsight provides a "legacy override" function; when logging in to the SYSPROG application, if the user is NOT a member of any of the specified groups, they will be prompted for their username and password (as though CFG_LOGIN was set to legacy mode). This provides for the possibility that the user groups have been incorrectly specified, for example, preventing the system from becoming inoperable.
Examples
ID: CFG_LOGIN
1. 0
The system operates in full legacy mode, similar to all prior versions of OpenInsight
ID: CFG_LOGIN
1. 0
ID: CFG_LOGIN*EXAMPLES
1. 1
The system operates in legacy mode for all applications other than EXAMPLES. When logging into the EXAMPLES applications, users need not specify their username and password; however, the username (as logged in to Windows) must exist in the OI system tables for the Examples application.
ID: CFG_LOGIN
1. 2
2. win_users]win_remote
3. localadmin]power_users
4. admin
The system operates in strict SSO mode (with the exception of the legacy override). Users who wish to access the system must belong to the "admin" group (in which case they are granted system administrator privileges), "localadmin" or "power_users" group (in which case they are granted administrator privileges), or "win_users" or "win_remote" group (in which case they are granted normal user privileges).
