abdelseaudi | eefb749 | 2018-03-16 06:24:48 +0000 | 1 | Enabling Single-Signon |
| 2 | ====================== |
| 3 | |
| 4 | This tutorial explains the Single-Signon of ONAP Portal, and how to enable it in our sample application. |
| 5 | |
| 6 | When a user logs in using the ONAP Portal Login, a cookie is created to record the logged-in session, |
| 7 | and it includes the username and other parameters. |
| 8 | |
| 9 | In our tutorial app so far we used "http://app-host:port/epsdk-app-os/login.htm" to log in to the application. |
| 10 | |
| 11 | This is called the external login, which is used as a backdoor for developers to test the applications |
| 12 | in a local environment, without having the entire Portal. |
| 13 | |
| 14 | When the application is ready and onboarded to the Portal, we can use |
| 15 | "http://app-host:port/epsdk-app-os/welcome.htm" as the application onboarding URL in ONAP Portal. |
| 16 | |
| 17 | Onboarding steps can be found at |
| 18 | https://wiki.onap.org/display/DW/Application+Onboarding#ApplicationOnboarding-addapp. |
| 19 | |
| 20 | The welcome.htm page code will try to read the session cookie from the browser to detect whether there is |
| 21 | a user who is already logged in to the ONAP Portal. |
| 22 | |
| 23 | If a cookie is found, a user is already logged in to the ONAP Portal and |
| 24 | the application welcome.htm page will be displayed, showing the application frontend in a tab inside ONAP Portal. |
| 25 | |
| 26 | However, if a cookie is not found, the code will look for the redirect URL listed in the |
| 27 | WEB-INF/classes/portal.properties file. |
| 28 | |
| 29 | Assuming ecomp_redirect_url = http://portal.api.simpledemo.onap.org:8989/ONAPPORTAL/login.htm |
| 30 | (the value for the Amsterdam release), the user will be redirected to the ONAP Portal login page to log in. |
| 31 | |
| 32 | If the user login succeeds, the Portal login page will redirect the user back to the Application |
| 33 | welcome page. |
| 34 | |
| 35 | This should enable the application to use the Portal’s Single Signon. |
| 36 | |
| 37 | Note that the ONAP Portal and its on-boarded application must be on the same domain |
| 38 | (e.g. *.simpledemo.onap.org) to take advantage of the Single Signon. |
| 39 | |
| 40 | Otherwise, if the application is hosted in a different domain, its code will not be able to read ONAP |
| 41 | Portal session cookies. |
| 42 | |
| 43 | For security reasons, the ONAP Portal is restricted to one domain (defined in the properties) across |
| 44 | the applications on-boarded to it. |
| 45 | |
| 46 | However, if the application is not interested in the single signon feature, the new application can |
| 47 | always be on-boarded as a “Hyperlink only application”, which will be opened in a new browser |
| 48 | rather than in the Portal’s internal tab. |
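
The same-domain requirement and the welcome.htm flow described above, modelled as an added example (not code from ONAP Portal or the EP-SDK). It uses the `onap.org` cookie domain and the redirect URL that appear on this page; the session cookie name, the application host names and port 8080 are constructed placeholders, and cookie path, expiry and flags are ignored.

```javascript
// Added illustration, not ONAP Portal or EP-SDK code.
// From this page: the cookie domain "onap.org" and the Amsterdam redirect URL.
const COOKIE_DOMAIN = "onap.org";
const ECOMP_REDIRECT_URL =
  "http://portal.api.simpledemo.onap.org:8989/ONAPPORTAL/login.htm";
// Hypothetical cookie name: the page does not name the Portal session cookie.
const SESSION_COOKIE = "PORTAL_SESSION_PLACEHOLDER";

// RFC 6265 section 5.1.3 domain-match: the host equals the cookie domain, or
// ends with "." + domain and is a host name rather than an IP address.
function domainMatches(host, cookieDomain) {
  const h = host.toLowerCase();
  const d = cookieDomain.toLowerCase().replace(/^\./, ""); // leading dot is ignored
  if (h === d) return true;
  const isIp = /^\d{1,3}(\.\d{1,3}){3}$/.test(h) || h.includes(":");
  return !isIp && h.endsWith("." + d);
}

// Models the browser: which cookies from the jar are sent to appUrl.
function cookiesSentTo(appUrl, jar) {
  const host = new URL(appUrl).hostname;
  const sent = {};
  for (const c of jar) {
    if (domainMatches(host, c.domain)) sent[c.name] = c.value;
  }
  return sent;
}

// Models the welcome.htm decision described above: render if the session
// cookie arrived, otherwise redirect to the Portal login page.
function welcomeDecision(appUrl, jar) {
  const cookies = cookiesSentTo(appUrl, jar);
  if (cookies[SESSION_COOKIE]) return { action: "render", location: null };
  return { action: "redirect", location: ECOMP_REDIRECT_URL };
}

// Constructed sample: the browser's cookie jar after a successful Portal login.
const jarAfterLogin = [
  { name: SESSION_COOKIE, value: "constructed-session-value", domain: COOKIE_DOMAIN },
];
const sameDomainApp = "http://app.simpledemo.onap.org:8080/epsdk-app-os/welcome.htm";
const otherDomainApp = "http://app.example.com:8080/epsdk-app-os/welcome.htm";

console.log(welcomeDecision(sameDomainApp, jarAfterLogin).action);
console.log(welcomeDecision(otherDomainApp, jarAfterLogin).action);
console.log(welcomeDecision(sameDomainApp, []).action);
```
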
Manoop Talasila | 322bf26 | 2018-04-06 10:52:41 -0400 | 49 |
| 50 | Changing the cookie domain |
| 51 | -------------------------- |
| 52 | |
| 53 | Changing the single sign-on cookie domain in the Portal requires both development and configuration activity: |
| 54 | |
| 55 | |
| 56 | development - change this file and rebuild the front-end |
| 57 | ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ |
| 58 | |
| 59 | :: |
| 60 | |
| 61 | ./ecomp-portal-FE-os/client/configurations/integ.json:102: "cookieDomain": "onap.org" |
| 62 | |
| 63 | |
| 64 | configuration - change this deployment entry |
| 65 | ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ |
| 66 | |
| 67 | :: |
| 68 | |
| 69 | ./deliveries/properties_simpledemo/ONAPPORTAL/system.properties:104:ext_central_access_user_domain = @csp.onap.org |
| 70 | |
| 71 | |
| 72 | Apps that are built on the EP-SDK have an entry in a config file that must be changed |
| 73 | ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ |
| 74 | |
| 75 | :: |
| 76 | |
| 77 | ./deliveries/properties_simpledemo/ONAPPORTALSDK/system.properties:67:cookie_domain = onap.org |