SSO on SuperOffice 8.0 SR2 web

Hi,

A customer wanted to use Single Sign On with SuperOffice 8 web. I've done this before using the guide https://community.superoffice.com/en/technical/documentation/prepare/IIS_Authentication/ with older versions of SuperOffice and tried to use it again for SuperOffice 8 web, as suggested by SuperOffice support, but it just didn't want to work.

Both the classic and the integrated pipeline method failed to work.

But may I also mention the following things which make me believe it is outdated:

  • The example web.config changes are no longer valid; they are no longer there;
  • Windows 2003 and XP are being mentioned.

So my question is, did anyone manage to get Single Sign On to work with SuperOffice 8 Web, and how?

RE: SSO on SuperOffice 8.0 SR2 web

Hi Norbert!

Are Web and Netserver installed on the same server?

By: Hans Wilhelmsen 11 Jul 2016

RE: SSO on SuperOffice 8.0 SR2 web

Yes, this is a single server installation.

By: Norbert van Korlaar 13 Jul 2016

RE: SSO on SuperOffice 8.0 SR2 web

no one?

By: Norbert van Korlaar 19 Jul 2016

RE: SSO on SuperOffice 8.0 SR2 web

Hi Norbert.

You write that you have tried setting up SSO, but not the steps you have taken. Can you list the steps you have taken and what the topology of the server vs domain controller vs clients is?

Yes, the SSO documentation needs updating.

Here is a check-list for 8.x. The list might be incomplete since I'm writing it from memory and in vacation mode:

  • Web server is enlisted in Active Directory
  • The hostname used for accessing is registered in DNS (not hosts file)
  • Remote (where web and netserver are on different servers) is not supported due to Kerberos double-hop issues
  • Users are configured with Active Directory authentication in SuperOffice
  • The IIS site where SuperOffice is located is configured to use Windows Authentication
  • SuperOffice runs with integrated pipeline
  • ASP.NET impersonation must be disabled
  • You should now be able to test with your browser to see if SSO works for users.
  • To enable SSO with Mail Link and TrayApp, you will need to change the protocolMapping to use WindowsAuth in the web.config file.

You will need to add the site to trusted sites in IE if you are using IE and if IE thinks that the site is not local intranet. Other browsers need configuration to give a SSO experience.

Testing SSO on the same server as SuperOffice usually fails. Accessing the site from the Internet will prompt the user for credentials since the KDC is unavailable.

--

HansO

By: Hans Oluf Waaler 19 Jul 2016
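The IIS-side items of the check-list above (Windows Authentication on, integrated pipeline, ASP.NET impersonation off, plus domain membership and DNS registration) can be verified on the web server before anyone opens a browser. The script below is an added example written for this thread; it is not SuperOffice's code or documentation, and the site name, application path and hostname are assumptions to be replaced with the customer's values. It only reads configuration and prints OK/CHECK per item.

```powershell
# Added example (not from the thread or from SuperOffice): read-only check of the
# IIS SSO prerequisites listed above. Requires the WebAdministration module (IIS).
Import-Module WebAdministration

$siteName = 'Default Web Site'      # assumption: the IIS site hosting SuperOffice
$appPath  = 'SuperOffice'           # assumption: virtual directory of the web client
$hostName = 'crm.example.local'     # assumption: the name users type in the browser
$psPath   = "IIS:\Sites\$siteName\$appPath"

$results = [ordered]@{}

# 1. Web server is joined to the domain (Kerberos needs a machine account)
$results['DomainJoined'] = (Get-CimInstance Win32_ComputerSystem).PartOfDomain

# 2. Hostname resolves through DNS only; a hosts-file entry would not produce
#    the SPN lookup the client needs, so -DnsOnly bypasses the hosts file
$results['DnsResolves'] = [bool](Resolve-DnsName $hostName -DnsOnly -ErrorAction SilentlyContinue)

# 3. Windows Authentication enabled and Anonymous disabled on the application
$winAuth = Get-WebConfigurationProperty -PSPath $psPath `
    -Filter 'system.webServer/security/authentication/windowsAuthentication' -Name enabled
$anonAuth = Get-WebConfigurationProperty -PSPath $psPath `
    -Filter 'system.webServer/security/authentication/anonymousAuthentication' -Name enabled
$results['WindowsAuthEnabled']    = [bool]$winAuth.Value
$results['AnonymousAuthDisabled'] = -not [bool]$anonAuth.Value

# 4. The application pool runs the integrated (not classic) pipeline
$poolName = (Get-Item $psPath).applicationPool
$results['IntegratedPipeline'] = ((Get-Item "IIS:\AppPools\$poolName").managedPipelineMode -eq 'Integrated')

# 5. ASP.NET impersonation is off (<identity impersonate="false" /> in web.config);
#    with impersonation on, the worker process tries to act as the caller and the
#    Kerberos ticket issued for the web server cannot be reused for the next hop
$imp = Get-WebConfigurationProperty -PSPath $psPath -Filter 'system.web/identity' -Name impersonate
$results['ImpersonationDisabled'] = -not [bool]$imp.Value

# Report: every line should read OK before testing SSO from a client machine
$results.GetEnumerator() | ForEach-Object {
    '{0,-24} {1}' -f $_.Key, $(if ($_.Value) { 'OK' } else { 'CHECK' })
}
```

Run it in an elevated PowerShell on the web server itself. As the post notes, a passing report still has to be confirmed from a domain-joined client, since testing from the server's own browser usually fails regardless.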

RE: SSO on SuperOffice 8.0 SR2 web

Hi Hans, Thanks for the feedback!

I have gotten quite far; I was only missing the following: "ASP.NET impersonation must be disabled". After this, it worked perfectly!

By: Norbert van Korlaar 21 Jul 2016

RE: SSO on SuperOffice 8.0 SR2 web

Hello Hans O.

If a customer's requirement for SSO includes a forced three layer architecture (i.e. they do not want to implement a reverse proxy to reach the application/web service in the LAN zone), would it be possible to implement in process netserver with the web application in the DMZ zone and forward that netserver traffic to a netserver in the LAN zone which could reach the database server in the protected LAN zone? The file server could be either on the database server or on the server in the LAN zone, but I guess that is not the key question here. Would we be able to obtain single sign on with the above?

By: Stein Ove Sektnan 9 Aug 2016

RE: SSO on SuperOffice 8.0 SR2 web

Hi Stein Ove.

I assume here that three-layered architecture refers to hosting front-end, business logic and data separately on three different servers.

The problem they would experience is the double-hop issue/transferring the identity from one server to another. In both authentication scenarios (Kerberos and NTLM), the issued tickets/session would be for the initial responding server, while SuperOffice would require it on the business layer/Netserver. The issued Kerberos tickets cannot be used to access any other remote services, unless delegation is configured on the server. This also requires the KDC to be available on the Internet. In my opinion, giving a front-end server Kerberos delegation privileges on a front-end server is error-prone and it will probably end up increasing the attack surface.

A question is what they mean by Single Sign-On. Is it the transient flow where the user does not have to input any credentials, but is automagically authenticated, or do they mean that the user can use the same username/password in SuperOffice as for other services and the password is managed centrally? The latter one would work fine with a 3-tier setup. However, in this case, the password will be collected by SuperOffice in the Login form, and then sent to the third party (Active Directory).

By: Hans Oluf Waaler 9 Aug 2016

RE: SSO on SuperOffice 8.0 SR2 web

Thanks for clarifying this. It is the automatic login, based on their Windows (AD) login.

Best recommendation then would be Web and Netserver installed in the LAN and use a reverse proxy to reach it, I guess!?

By: Stein Ove Sektnan 9 Aug 2016

RE: SSO on SuperOffice 8.0 SR2 web

I'm unsure if using a reverse proxy with SSO would work. I don't think we have tested that setup.

Edit:

No, it won't work. The reason is that the client will think it is authenticating towards the reverse proxy server while it is actually authenticating towards the backend server.

By: Hans Oluf Waaler 12 Aug 2016

RE: SSO on SuperOffice 8.0 SR2 web

Hello

Hans: Does this mean it is not supported with e.g. a NetScaler and SSO? Have you found a way to set up SSO with a reverse proxy, or is this not supported as well?

//Eivind 

By: Eivind Johan Fasting 3 Feb 2017

RE: SSO on SuperOffice 8.0 SR2 web

Did you get any answers regarding the Netscaler questions? We are facing the same questions from one of our biggest customers.

By: Mikael Månsson 31 May 2018

RE: SSO on SuperOffice 8.0 SR2 web

Hello, 

We have set up SuperOffice with a NetScaler in front, with 2factor-authentication for external access, and it works pretty well.

The only issue is that webTools and Mailink don't support 2factor, and I never figured out exactly what webTools needs to function correctly. We filtered all requests towards mailingservice.svc and trayapp2.svc to be reachable without 2factor, and that made maillink work as it should, but webtools is unable to detect that you have a session of SuperOffice open.

In my case the customer only wanted the application to be reachable externally through the NetScaler/2factor, but internally it should run without it. They didn't mind that webTools didn't work, as long as they were able to open SuperOffice and download the files manually (as without webtools installed on a machine). They can also archive important emails from Outlook into SuperOffice.

Hope this helps!

//Eivind

By: Eivind Johan Fasting 4 Jun 2018