Versions Compared

Key

  • This line was added.
  • This line was removed.
  • Formatting was changed.

...

...

Introduction:

This article describes how to connect the tia® H5 Viewer to a Microsoft Azure application to enable authentication via a Microsoft user account. OpenID Connect is an open standard based on OAuth2 and enables identity information to be transmitted. Technical details can be found here:

https://openid.net/connect/

Prerequisites:

  • User account control with Office 365 in Azure

  • State-of-the-art browser like: Edge, Chrome, Firefox etc. IE11 is not being supported

  • Tomcat 9 with Java 11 or higher

    • Status
      colourYellow
      titleiMPORTANT
      : The web server must be operated with HTTPS, as this is required by Microsoft/OpenID Connect.

  • Access to the Azure portal and authorizations to create an "app" and provide it with authorizations. These are usually domain administrators of the companies.

Goal:

In order to further optimize access to (sensitive) customer documents in addition to the ArchiveLink secKey procedure, there is an increasing need for standard authentication procedures such as SAML2 or OpenID Connect. These session-based access mechanisms make it easier for a user to log in (once at startup) and at the same time make it more difficult for an attacker to gain unauthorized access to documents.

...

  1. From SAP, the user opens the URL (ArchiveLink) behind which the document is hidden.

  2. The tia® H5 Viewer checks the session to see whether the user has already logged in within a definable period of time using a session cookie. If this is not the case, a redirect to the Microsoft login page takes place. Initially, only information about the client_id (the Azure application), authority and secretKey is transferred to Azure.

  3. Microsoft Azure responds with a login mask:

...

6. This token is sent via redirect to the stored redirect URI (and thus to the tia® H5 Viewer).

7. The tia® H5 Viewer validates this token and sets a session cookie.

8. The tia® H5 Viewer delivers the document and session cookie to the user.

Setting up the Azure application

The setup of the Azure application is described here: https://kgs-software.atlassian.net/wiki/spaces/SUPPORT1/pages/2920710145/Register+Microsoft+Azure+application+for+email+deliverys/WIKI/pages/2203680771

Configuration of the tia® H5 Viewer

It is assumed that a basic installation of the KGS tia® H5 Viewer already exists. Either standalone or as CSV (Content Server including tia® H5 Viewer).

The current tia® H5 Viewer release is delivered and required as a WAR. Authentication via OICD is possible from version 2.3.0 of the tia® H5 Viewer.

Note

Important: There are two authentication bundles in the WAR by default:

  • KGS Keycloak Authentication (com.software.kgs.plugin.keycloakadapter)

  • KGS MS Auth Service (com.software.kgs.plugin.msauthneticator)

Only one may be active (depending on which one is to be used).

By default, Keycloak is "Resolved" and therefore not active.

Configuring the MS-Auth service

To be able to log in to the previously created Azure app (Create, see /wiki/spaces/WIKI/pages/2203680771 ), this must be configured.

...

The following values must be entered: (Also: https://kgs-software.atlassian.net/wiki/spaces/WIKI/pages/2203680771) Register Microsoft Azure application for email delivery

authority: this is the baseURL + directory (tenant) ID.

For instance: https://login.microsoftonline.com/051ebb00-ace6-4a0a-a288-0dec45c505fa

ClientId: This is the application identity. Can be viewed under Azure Portal → "Overview".

...

https://IP-Address:HTTPS-Port/[Applikation]/contentserver (CSV - “ContentServer incl. tia® H5 Viewer”)

https://IP-Address:HTTPS-Port/[Applikation]/viewer (V - “Viewer “tia® H5 Viewer standalone” and for using the viewer tia® H5 Viewer from within SAP)

secretKey: This is the secret that we have created under "Certificates & secrets". If this can no longer be viewed (because it was forgotten to save), a new one must be created.

Working Directory: Default. The working directory.

Configuring the

...

tia® H5 Viewer

The "External authentication method" must be activated and "Enable Security" must be activated for the Viewer Profile.

...

Embedded means that the Outlook Online page is loaded completely (on the left you can see the list of received emails etc.).

...

Editing the web.xml

Finally, it is necessary to set the filters for authentication. To do this, the following section must be commented in (it is already commented out in the delivery).

...

Code Block
<!-- Session Filter -->
	<filter>
		<filter-name>EquinoxSessionFilter</filter-name>
		<filter-class>com.software.kgs.filter.EquinoxSessionFilter</filter-class>
	</filter>
	<filter-mapping>
		<filter-name>EquinoxSessionFilter</filter-name>
		<url-pattern>/contentserver</url-pattern>
		<url-pattern>/viewer</url-pattern>
	</filter-mapping>	

Restarting the web server

After restarting the Tomcat application server, everything should now be ready for use.