Single sign‑on is a mechanism that allows a user to authenticate once and gain access to multiple applications. Single sign‑on uses a proxy server to authenticate users so they need not log in to Adobe Connect.
Adobe Connect supports the following single sign‑on mechanisms:
HTTP header authentication
Configure an authentication proxy to intercept the HTTP request, parse the user credentials from the header, and pass the credentials to Adobe Connect.
Microsoft NT LAN Manager (NTLM) authentication
Configure Adobe Connect to attempt to automatically authenticate connecting clients against a Windows domain controller using the NTLMv1 protocol. Microsoft Internet Explorer on Microsoft Windows can negotiate NTLM authentication without prompting the user for credentials.
NTLM authentication doesn't work on edge servers. Use LDAP authentication instead.
Mozilla Firefox clients may be able to negotiate NTLM authentication without prompting. For information about configuration, see this Firefox document.
You can write your own authentication filter as well. For more information, contact Adobe Support.
When HTTP header authentication is configured, Adobe Connect login requests are routed to an agent positioned between the client and Adobe Connect. The agent can be an authentication proxy or a software application that authenticates the user, adds another header to the HTTP request, and sends the request to Adobe Connect. On Adobe Connect, you must uncomment a Java filter and configure a parameter in the custom.ini file that specifies the name of the additional HTTP header.
To enable HTTP header authentication, configure a Java filter mapping and a header parameter on the computer hosting Adobe Connect.
The authentication code must authenticate the user, add a field to the HTTP header that contains the user login, and send a request to Adobe Connect.
Redirect the user to the requested URL on Adobe Connect, and pass the BREEZESESSION cookie as the value of the session parameter, as follows:
You must pass the BREEZESESSION cookie in any subsequent requests to Adobe Connect during this client session.
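The agent flow described above, as an added example that is not Adobe's code: a toy authentication agent that strips any login header the client supplied, authenticates the client, and only then sets the login header that Adobe Connect is configured to trust, together with the Connect-side read of that header. The header name "X-Connect-Login", the Basic-auth scheme and the in-memory credential store are assumptions; real deployments use whatever header name is set in custom.ini and a real identity store.

```python
"""Added example (not Adobe's code): toy HTTP header authentication agent.

The agent sits between the client and Adobe Connect. It must (1) discard any
copy of the trusted login header the client itself sent, (2) authenticate the
client, and (3) set the login header before forwarding. Adobe Connect then
reads the header whose name is configured in custom.ini.
"""
import base64
import hashlib
import hmac
from typing import Dict, Optional

LOGIN_HEADER = "X-Connect-Login"  # assumed header name (the custom.ini value in a real setup)

# Constructed credential store: login -> salted PBKDF2 hash, never plaintext.
_SALT = b"constructed-static-salt"  # real deployments use a random salt per user


def _hash(password: str) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), _SALT, 100_000)


CREDENTIALS = {"jdoe": _hash("correct horse")}


def basic_auth_header(login: str, password: str) -> str:
    """Build an Authorization header value as a client would send it."""
    return "Basic " + base64.b64encode(f"{login}:{password}".encode()).decode()


def verify_basic_auth(authorization: Optional[str]) -> Optional[str]:
    """Return the login if the Basic credentials are valid, otherwise None."""
    if not authorization or not authorization.startswith("Basic "):
        return None
    try:
        decoded = base64.b64decode(authorization[6:]).decode()
        login, _, password = decoded.partition(":")
    except (ValueError, UnicodeDecodeError):
        return None
    expected = CREDENTIALS.get(login)
    if expected is None:
        return None
    if not hmac.compare_digest(expected, _hash(password)):  # constant-time compare
        return None
    return login


def agent_forward(request_headers: Dict[str, str]) -> Optional[Dict[str, str]]:
    """Headers the agent forwards to Adobe Connect, or None when the agent rejects (401)."""
    # Case-insensitive strip of any client-supplied login header: the client must
    # never be able to choose the value Adobe Connect trusts.
    forwarded = {k: v for k, v in request_headers.items()
                 if k.lower() != LOGIN_HEADER.lower()}
    login = verify_basic_auth(forwarded.pop("Authorization", None))
    if login is None:
        return None
    forwarded[LOGIN_HEADER] = login
    return forwarded


def connect_login_from_headers(headers: Dict[str, str],
                               header_name: str = LOGIN_HEADER) -> Optional[str]:
    """What the Connect-side filter does: read the login from the configured header."""
    for k, v in headers.items():
        if k.lower() == header_name.lower():
            return v or None
    return None


if __name__ == "__main__":
    forged = {"X-Connect-Login": "admin"}                      # no credentials, forged header
    print(agent_forward(forged))                               # None: rejected
    real = {"Authorization": basic_auth_header("jdoe", "correct horse"),
            "x-connect-login": "admin"}                        # valid creds plus forged header
    print(connect_login_from_headers(agent_forward(real)))     # jdoe: forged value discarded
```

The two checks worth keeping in mind when deploying the real agent are the ones this toy makes explicit: the agent replaces, rather than merges, any inbound copy of the trusted header, and Adobe Connect must be reachable only through the agent, since the filter trusts the header unconditionally.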
The following procedure describes a sample HTTP header authentication implementation that uses Apache as the authentication agent.
NTLMv1 is an authentication protocol used with the SMB network protocol in Microsoft Windows networks. You can use NTLM to allow a user to prove their identity to a Windows domain once and thereafter be authorized to access another network resource, such as Adobe Connect. To establish the user's credentials, the user's web browser automatically performs a challenge and response authentication with the domain controller through Adobe Connect. If this mechanism fails, the user can log in to Adobe Connect directly. Only Internet Explorer on Windows supports single sign-on with NTLMv1 authentication.
Set up Adobe Connect and NTLM on Windows Server 2003, because Adobe Connect supports only NTLM v1. Note that Windows 7 and later versions do not support NTLM v1 SSO.
By default, Windows Server 2003 domain controllers require a security feature called SMB signatures. The default configuration of the NTLM authentication filter does not support SMB signatures. You can configure the filter to work within this requirement. For more information on this and other advanced configuration options, see the JCIFS NTLM HTTP authentication documentation.
Synchronize LDAP users from your domain into Adobe Connect through the Application Management Console (port 8510). To integrate Adobe Connect with LDAP, see Integrate Adobe Connect with an LDAP directory.
After synchronizing LDAP in Adobe Connect, filter the LDAP data so that the NTLM domain user name is populated in the Adobe Connect database. Otherwise, NTLM SSO login does not work, and you see logon failures in debug.log.
The value [domain] is the name of the Windows domain that users are members of and authenticate against, for example, CORPNET. If necessary, set this value to the pre-Windows 2000 compatible version of the domain name. For more information, see TechNote 27e73404. This value is mapped to the filter property jcifs.smb.client.domain. Setting the value directly in the web.xml file overrides the value in the custom.ini file.
The value [WINS_server_IP_address] is the IP address, or a comma-separated list of IP addresses, of WINS servers. Use the IP address; a host name does not work. The WINS servers are queried in the order specified to resolve the IP address of a domain controller for the domain specified in the NTLM_DOMAIN parameter. (The domain controller authenticates users.) You can also specify the IP address of the domain controller itself, for example, 10.169.10.77, 10.169.10.66. This value is mapped to the filter property jcifs.netbios.wins. Setting the value in the web.xml file overrides the value in the custom.ini file.
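A small validator for the two custom.ini values described above, added here as an example rather than taken from Adobe's documentation. It parses the file, rejects host names in the address list (the page notes only IP addresses work), warns when the domain looks like a DNS name rather than the pre-Windows 2000 name, and shows the mapping onto the jcifs properties the page names. The key NTLM_DOMAIN appears on the page; the key name NTLM_SERVER for the address list, and the sample file contents, are assumptions.

```python
"""Added example (not Adobe's code): sanity-check NTLM settings in custom.ini."""
import ipaddress
from typing import Dict, List

# Constructed sample files. NTLM_SERVER is an assumed key name for [WINS_server_IP_address].
GOOD_INI = """# constructed custom.ini fragment
NTLM_DOMAIN=CORPNET
NTLM_SERVER=10.169.10.77, 10.169.10.66
"""
BAD_INI = """NTLM_DOMAIN=corpnet.example.org
NTLM_SERVER=wins01.corpnet.example
"""


def parse_custom_ini(text: str) -> Dict[str, str]:
    """Parse KEY=VALUE lines; blank lines and '#' comments are ignored."""
    settings: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, _, value = line.partition("=")
        settings[key.strip()] = value.strip()
    return settings


def server_list(settings: Dict[str, str]) -> List[str]:
    """Split the comma-separated address list, preserving the query order."""
    return [s.strip() for s in settings.get("NTLM_SERVER", "").split(",") if s.strip()]


def check_ntlm_settings(settings: Dict[str, str]) -> List[str]:
    """Return a list of problems; an empty list means the values look usable."""
    problems: List[str] = []
    domain = settings.get("NTLM_DOMAIN", "")
    if not domain:
        problems.append("NTLM_DOMAIN is missing or empty")
    elif "." in domain:
        # Heuristic: a dotted value is usually the DNS name, not the NetBIOS domain name.
        problems.append(f"NTLM_DOMAIN '{domain}' looks like a DNS name; "
                        "use the pre-Windows 2000 domain name if authentication fails")
    servers = server_list(settings)
    if not servers:
        problems.append("NTLM_SERVER is missing or empty")
    for entry in servers:
        try:
            ipaddress.ip_address(entry)
        except ValueError:
            problems.append(f"NTLM_SERVER entry '{entry}' is not an IP address; "
                            "host names are not resolved")
    return problems


def to_jcifs_properties(settings: Dict[str, str]) -> Dict[str, str]:
    """The filter properties the page says these values map onto."""
    return {
        "jcifs.smb.client.domain": settings.get("NTLM_DOMAIN", ""),
        "jcifs.netbios.wins": ",".join(server_list(settings)),
    }


if __name__ == "__main__":
    for label, text in (("good", GOOD_INI), ("bad", BAD_INI)):
        cfg = parse_custom_ini(text)
        print(label, check_ntlm_settings(cfg), to_jcifs_properties(cfg))
```

Run it against the real custom.ini before restarting the service; the same property names can then be checked against any override placed in web.xml, which the page says takes precedence.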
Adobe Connect and NTLM have different login policies for authenticating users. Reconcile these policies before users can employ a single login.
The NTLM protocol uses a login identifier that can be a user name (jdoe), an employee ID number (1234), or an encrypted name, depending on the policy or the organization. By default, Adobe Connect uses an email address (firstname.lastname@example.org) as a login identifier. Change the Adobe Connect login policy so that Adobe Connect shares a unique identifier with NTLM.
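An added example (not Adobe's code) of the reconciliation this section and the earlier LDAP-synchronization note call for: an audit over synchronized user records that reports users whose NTLM domain user name is empty or not unique, plus the lookup the SSO filter has to be able to make, from the identifier NTLM presents to exactly one Adobe Connect login. The record layout, attribute names and sample users are constructed; the `DOMAIN\user` form of the incoming identifier is an assumption.

```python
"""Added example (not Adobe's code): audit NTLM identifiers on synchronized users."""
from typing import Dict, List, Optional

# Constructed sample of what an LDAP sync might leave in the Adobe Connect database.
SYNCED_USERS = [
    {"login": "jdoe@example.org", "ntlm_user": "jdoe"},
    {"login": "asmith@example.org", "ntlm_user": ""},         # not populated: SSO fails
    {"login": "bjones@example.org", "ntlm_user": "bjones"},
    {"login": "b.jones@example.org", "ntlm_user": "bjones"},  # not unique: ambiguous
]


def _norm(ident: Optional[str]) -> str:
    """Normalize an NTLM user name: strip an optional DOMAIN\\ prefix, case-insensitive."""
    return (ident or "").rsplit("\\", 1)[-1].strip().lower()


def audit_sso_identifiers(users: List[Dict[str, str]]) -> Dict[str, List[str]]:
    """Return the logins whose NTLM identifier is missing or shared with another user."""
    by_ident: Dict[str, List[str]] = {}
    missing: List[str] = []
    for u in users:
        ident = _norm(u.get("ntlm_user"))
        if not ident:
            missing.append(u["login"])
            continue
        by_ident.setdefault(ident, []).append(u["login"])
    duplicate = [login for logins in by_ident.values() if len(logins) > 1
                 for login in logins]
    return {"missing": missing, "duplicate": duplicate}


def resolve_login(ntlm_identifier: str, users: List[Dict[str, str]]) -> Optional[str]:
    """Map the identifier NTLM presents to exactly one Adobe Connect login, else None.

    Refusing an ambiguous match is deliberate: picking the first of two users
    who share an identifier would log someone in as the wrong account.
    """
    name = _norm(ntlm_identifier)
    if not name:
        return None
    matches = [u["login"] for u in users if _norm(u.get("ntlm_user")) == name]
    return matches[0] if len(matches) == 1 else None


if __name__ == "__main__":
    print(audit_sso_identifiers(SYNCED_USERS))
    print(resolve_login("CORPNET\\JDoe", SYNCED_USERS))   # jdoe@example.org
    print(resolve_login("CORPNET\\bjones", SYNCED_USERS))  # None: two users share it
```

The audit is the check to run after every LDAP synchronization: a user listed under "missing" will fall back to the direct Adobe Connect login, and a user listed under "duplicate" should never be resolved by the filter until the records are fixed.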