Operating Modes

The One Network SSO service can be configured to work in several different ways to fit a number of different deployment scenarios.

Topics covered in this section:

  • Embedded Mode

  • Standalone Mode

  • Cloud Mode

  • Configuration

  • SSO Configuration Parameters

Embedded Mode

Each Platform server comes with an embedded SSO server. In development and private production environments, this server is used to authenticate users. Each node runs an embedded SSO server and all user information is stored on the same database as Platform.

Standalone Mode

SSO can run as a standalone server, with its own cluster configuration and URL. This allows you to use the One Network SSO server as the authentication mechanism for your entire enterprise. It is deployed as its own separate server, which makes it distinct from Embedded Mode, where it is deployed along with the normal gamut of One Network applications and services.

Cloud Mode

One Network also offers SSO as a hosted service in the One Network Developer Network. In this case One Network maintains the SSO server, which is shared amongst all participants of the One Network Developer Network. We provide tools for on-boarding and maintaining your organization. As you deploy applications, remember that One Network Platform gives you very tight control over who has access to your applications and their related data. While you have the potential to capture the benefits of a user base of thousands of member companies and organizations, you still have total control over which members in the Enterprise Social Graph can use your applications.

Configuration

Configuring the SSO service in either Embedded Mode or Standalone Mode requires the use of the instanceConfig.xml file located in the folder install / setup. This file is used for, among other things, configuration of the OpenID endpoint and return_to parameter.

<AuthenticationConfig>
  <!-- Defines the Authentication system to be used by One Network Platform -->
  <AuthenticationMode>OpenID</AuthenticationMode>
  <BaseEndpoint>https://${HOST}/sso</BaseEndpoint>
  <Endpoint>/auth/id</Endpoint>
  <SsoCallbackLink>https://${HOST}/oms/SsoCallBack</SsoCallbackLink>
  <SsoSuccessUri>/auth/sso.do</SsoSuccessUri>
  <OpenIDCallback>https://${HOST}/oms/auth/openId</OpenIDCallback>
  <!-- Rest of AuthenticationConfig omitted for brevity. As noted, you shouldn't be changing the settings beyond this point. -->
</AuthenticationConfig>

In the above listing, we are mainly interested in the BaseEndpoint and Endpoint parameters. The others are used internally by Platform and should not be changed manually. Together, the BaseEndpoint and Endpoint parameters define the OpenID provider endpoint URL. In the example above, Platform will use Embedded Mode: authentication requests are redirected back to the SSO service embedded in the currently running server.

If you want to configure your instance to use Standalone Mode or Cloud Mode, all you have to do is change the URL in the BaseEndpoint parameter:

<BaseEndpoint>https://external.example.com/sso</BaseEndpoint>

SSO Configuration Parameters

The SSO server can be configured to use different password, activity, and notification policies. These parameters are configured in the node.properties file located in the root folder of your installation.


  • admin.inactivity.period - The amount of time in days after which an account is considered 'Inactive' if the user does not log in

  • admin.max.allowed.logon.failures - The number of failed login attempts a user is allowed before the account is locked

  • admin.new.user.logon.policy - One of: none, reset. If reset, a user must reset their password after the initial login

  • admin.admin.user.list - A default list of SSO administrative users

  • admin.nonblocked.user.list - A default list of SSO users that are not prevented from logging in

  • admin.notifier.policy - One of: log, email. If email, an e-mail notification will be sent to the user on creation and update

  • admin.password.generator.policy - Used to determine the password generator used when setting the password of new users. The available policies in order of increasing complexity:

    • simple - Always generates password as the user password.

    • alpha - Generates a password using the character set [a-zA-Z]

    • alnum - Generates a password using the character set [a-zA-Z0-9]

    • alnumspec - Generates a password using the character set [a-zA-Z0-9] and the special characters: -`~!@#$%^&*()?+></;:'={}[]|\'

  • admin.password.validator.policy - Used to validate user-created passwords. Uses the same policies as 'admin.password.generator.policy'

  • admin.password.age.limit - The amount of time in days before the user must change passwords

  • admin.password.cycle.count - The number of previous passwords checked for duplicates when the user creates a new password

  • admin.password.length.min - The minimum length of the password

  • SMTP.Sender.Name - The address listed in the 'from' field on e-mail notifications when using the NotificationService JMX control or sending notifications from Platform

  • SMTP.Host - The location of the SMTP server used to send e-mail notifications

  • replication.email.bcc - Address that receives a BCC of any e-mail notifications from SSO

  • replication.email.from - The address listed in the 'from' field on e-mail notifications from SSO

The following is an example configuration:

admin.inactivity.period=60
admin.max.allowed.logon.failures=3
admin.new.user.logon.policy=none
admin.admin.user.list=InstanceAdminUser
admin.nonblocked.user.list=InstanceAdminUser,Anonymous
admin.notifier.policy=log
admin.password.generator.policy=simple
admin.password.validator.policy=alnumspec
admin.password.age.limit=90
admin.password.cycle.count=3
admin.password.length.min=8
SMTP.Sender.Name=help@onenetwork.com
SMTP.Host=localhost
replication.email.bcc=_NetworkOperations@onenetwork.com
replication.email.from=help@onenetwork.com
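The following is an added example, not part of the One Network product or this page, that reads the password-related keys from a node.properties excerpt (constructed from the example above) and checks a candidate password against admin.password.validator.policy, admin.password.length.min and admin.password.cycle.count. It assumes that a validator policy accepts a password only when every character is drawn from that policy's character set, and that the simple policy imposes no character restriction; the page does not spell out either rule.

```python
import string

# Constructed node.properties excerpt, using the values from the example on this page.
NODE_PROPERTIES = """\
admin.password.validator.policy=alnumspec
admin.password.cycle.count=3
admin.password.length.min=8
"""

# Character sets of the policies listed under admin.password.generator.policy.
# SPECIALS is the special-character list given for 'alnumspec' on this page.
SPECIALS = "-`~!@#$%^&*()?+></;:'={}[]|\\'"
POLICY_CHARSETS = {
    "alpha": set(string.ascii_letters),
    "alnum": set(string.ascii_letters + string.digits),
    "alnumspec": set(string.ascii_letters + string.digits + SPECIALS),
}


def parse_properties(text):
    """Parse Java-style key=value lines, skipping blanks and '#' comments."""
    props = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        key, _, value = line.partition("=")
        props[key.strip()] = value.strip()
    return props


def validate_password(candidate, props, previous=()):
    """Return the list of policy violations; an empty list means the password passes.

    Assumption (not stated on the page): a policy accepts a password only if every
    character is in that policy's set; 'simple' (or an unknown policy) restricts nothing.
    """
    errors = []
    policy = props.get("admin.password.validator.policy", "simple")
    min_len = int(props.get("admin.password.length.min", "0"))
    cycle = int(props.get("admin.password.cycle.count", "0"))
    if len(candidate) < min_len:
        errors.append(f"shorter than admin.password.length.min={min_len}")
    charset = POLICY_CHARSETS.get(policy)
    if charset is not None:
        bad = sorted(set(candidate) - charset)
        if bad:
            errors.append(f"characters not allowed by policy {policy}: {bad!r}")
    # Only the most recent 'cycle' previous passwords are checked for reuse.
    if cycle and candidate in list(previous)[-cycle:]:
        errors.append(f"reused within the last {cycle} passwords (admin.password.cycle.count)")
    return errors
```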