Setting up single sign-on
You can use the Single Sign-on (SSO) feature to log in to Klocwork automatically. You must be using Active Directory (AD) on Windows and be logged into your Windows account.
- Collect all relevant information, where appropriate
- Use the Klocwork security utility to modify the server configuration. See Configuring your access control method.
- Restart the Klocwork Server to switch to the new configuration
Once the setup is complete, the AD server will provide the names of individuals and groups for you to choose from in Validate. Klocwork's access to the AD server is read-only, but you can also create your own groups in Validate.
As the Klocwork administrator, you may configure access control yourself, or you may provide the data to the domain server administrator, who will do the setup. In either case, the tables in the next section list the information needed to set up your SSO access control.
What you need to know
Passwords of AD users, including yours as the Klocwork administrator, are managed in AD.
The following table lists the setting information required in order to configure SSO access in kwauthconfig:
Klocwork setting | Description | Example |
---|---|---|
Provider URL | The URL for your LDAP server, which is ldap://<host>:<port>, where: | ldap://server.mycompany.com:389 ldap://10.0.160:389 |
Principal user's name | The optional DN for the Klocwork Server to use to log in to the AD server for retrieval of the list of users. This setting is used only when the AD server needs an authenticating user. | cn=Directory Manager,ou=People,dc=mycompany,dc=com |
Password | The password for the optional principal user. | |
Group providers | The optional distinguished names (DNs) of the AD objects that store user group definitions. The DN is the path from the AD tree node that contains user groups to the directory tree root, with the node names separated by commas. | ou=userGroups,dc=mycompany,dc=com |
LDAP Group Filter | Used to filter the group entries in the directory and produce the desired set of matching records within the set of group providers. | (objectCategory=Group) |
User Providers | The distinguished names (DNs) of the AD objects that store user definitions. The DN is the path from the AD tree node that contains users to the directory tree root, with the node names separated by commas. | ou=People,dc=mycompany,dc=com |
LDAP User Filter | Used to filter the user entries in the directory in order to produce the desired set of matching records within the set of user providers. | (objectCategory=Person) |
User attributes | Every entity in the AD can have multiple attributes. Any particular user's name is a value associated with an attribute of the corresponding AD entity. One user can have several names by means of different attributes. In the User Attributes field, you can specify one or more attributes that contain user names. The default user attribute is cn (which stands for Common Name). Validate displays only the value of the first (left-most) attribute as the user's name. Therefore, if you have multiple users with identical common names, it will display identical names for these users. To prevent confusion, put a unique attribute first. | cn, sAMAccountName |
Search Page Size | To optimize server load and prevent hacker attacks, organizations sometimes limit the number of entries the AD server can return (in server settings). The Klocwork Server can time out waiting for the rest of the information. If you know that your AD server has limits to the number of entries it can return, you can set the access control to retrieve users and groups from the AD server in chunks. These chunks are called pages. To enable paging, set the value of Search Page Size to the number of the AD entries which should be returned in one page. | 1000 |
User email attribute | Defines a user attribute that will hold an email address for users. | |
The following settings will be detected automatically once you have specified your Provider URL, principal user's name, and password. You can also configure them manually if required by clicking Customize settings.
Klocwork setting | Description | Example |
---|---|---|
Group providers | The optional distinguished names (DNs) of the AD objects that store user group definitions. The DN is the path from the AD tree node that contains user groups to the directory tree root, with the node names separated by commas. | ou=userGroups,dc=mycompany,dc=com |
LDAP Group Filter | Used to filter the group entries in the directory and produce the desired set of matching records within the set of group providers. | (objectCategory=Group) |
User Providers | The distinguished names (DNs) of the AD objects that store user definitions. The DN is the path from the AD tree node that contains users to the directory tree root, with the node names separated by commas. | ou=People,dc=mycompany,dc=com |
LDAP User Filter | Used to filter the user entries in the directory in order to produce the desired set of matching records within the set of user providers. | (objectCategory=Person) |
User attributes | Every entity in the AD can have multiple attributes. Any particular user's name is a value associated with an attribute of the corresponding AD entity. One user can have several names by means of different attributes. In the User Attributes field, you can specify one or more attributes that contain user names. The default user attribute is cn (which stands for Common Name). Validate displays only the value of the first (left-most) attribute as the user's name. Therefore, if you have multiple users with identical common names, it will display identical names for these users. To prevent confusion, put a unique attribute first. | cn, sAMAccountName |
Search Page Size | To optimize server load and prevent hacker attacks, organizations sometimes limit the number of entries the AD server can return (in server settings). The Klocwork Server can time out waiting for the rest of the information. If you know that your AD server has limits to the number of entries it can return, you can set the access control to retrieve users and groups from the AD server in chunks. These chunks are called pages. To enable paging, set the value of Search Page Size to the number of the AD entries which should be returned in one page. | 1000 |
User email attribute | Defines a user attribute that will hold an email address for users. | |
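The User attributes row advises putting a unique attribute first. The following added example (not Klocwork code) audits an export of user entries for duplicate or missing values and reorders the attribute list accordingly. The function names and the sample entries are assumptions constructed for illustration.

```python
from collections import defaultdict

# Constructed sample of AD user entries (attribute -> value); not real data.
SAMPLE_USERS = [
    {"cn": "John Smith", "sAMAccountName": "jsmith", "mail": "john.smith@mycompany.com"},
    {"cn": "John Smith", "sAMAccountName": "jsmith2", "mail": "j.smith@mycompany.com"},
    {"cn": "Ana Lopez", "sAMAccountName": "alopez"},
]


def audit_attribute(entries, attr):
    """Return (missing_count, collisions) for one attribute.

    collisions maps a case-folded value to the number of entries sharing it.
    Comparison is case-insensitive, as AD matches cn and sAMAccountName.
    """
    seen = defaultdict(int)
    missing = 0
    for entry in entries:
        value = entry.get(attr, "").strip()
        if not value:
            missing += 1
        else:
            seen[value.casefold()] += 1
    return missing, {v: n for v, n in seen.items() if n > 1}


def order_user_attributes(entries, attrs):
    """Reorder attrs so the first one is present and unique on every entry.

    The remaining attributes keep their relative order. Raises ValueError when
    no candidate qualifies, because any ordering would show ambiguous names.
    """
    for attr in attrs:
        missing, collisions = audit_attribute(entries, attr)
        if missing == 0 and not collisions:
            return [attr] + [a for a in attrs if a != attr]
    raise ValueError("no candidate attribute is unique across all entries")


if __name__ == "__main__":
    # Shows why cn alone is ambiguous, then the value for the User attributes field.
    print(audit_attribute(SAMPLE_USERS, "cn"))
    print(", ".join(order_user_attributes(SAMPLE_USERS, ["cn", "sAMAccountName"])))
```

With the default order (cn first), both "John Smith" accounts would display identically when assigning roles, so the check moves sAMAccountName to the front.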
Configuring your access control method
- Launch the Klocwork security utility, kwauthconfig.
For more information, see 'Launching Klocwork's security utility' here: Setting up access control
- After the utility launches, you will be prompted to provide the location of the project root structure. This location was specified during installation, and is typically: <server_install>\projects_root.
- Click Configure.
- Select LDAP and click Use single sign-on.
- Click Next.
- Enter a Provider URL for the AD server in the form ldap://<host>:<port>. If you don't specify a port, Klocwork uses 389.
- Enter the principal user's name.
- Enter the principal user's password, and re-enter it in the field below to confirm it.
- Click Next and if Active Directory is detected, your other LDAP settings will be configured automatically.
- The next panel will show the detected Active Directory settings. If you need to make any manual changes, click Customize settings.
- Once you have confirmed the settings, click Finish and the initial configuration utility screen will appear. Click OK to finalize your changes.
- Your LDAP server is down, or
- The user running kwauthconfig is not a valid LDAP user, or
- You have specified a bad user provider and/or user filter
If you are able to log in to Validate, the user provider and filter settings are correct. To verify group settings, log in as projects_root admin and access the Users tab. From here, you can search for groups that satisfy the 'ldap.groups.provider' and 'ldap.group.filter' settings that were set using the kwauthconfig tool.
You must restart the Klocwork Server with the command validate service --projects-root <projects_root> restart klocwork or with Windows Services administration.
Internet Explorer and Google Chrome users:
On Windows, if single sign-on is enabled but you see a browser login dialog, do the following to enable automatic authentication:
- Open your start menu and go to Control Panel > Network and Internet > Internet Options.
- Select the Advanced tab.
- Scroll down to the Security section and check Enable Integrated Windows Authentication.
- Restart your browser.
- Navigate to the product portal (for example, http://localhost:8080/portal/Portal.htm).
- Open your start menu and go to Control Panel > Network and Internet > Internet Options.
- Select the Security tab, click on the Local intranet icon, and click on Sites.
- Check Automatically detect intranet network. If this does not solve the issue, click Advanced and add the product portal to the list of sites.
Firefox users:
If you use Firefox, you need to do the following to finalize your SSO configuration:
- Type about:config in your browser's address bar.
- Begin typing network.automatic-ntlm-auth.trusted-uris in the Search or Filter box.
- When the list of preference names appears, double-click network.automatic-ntlm-auth.trusted-uris.
- In the "Enter string value" box, type the <host>:<port> name of the server that the Klocwork Server is running on. For example, http://server11:8080/
- Click OK.
What's next?
Now that you've set up AD access control in kwauthconfig, you're ready to create roles for your users in Validate. See Enabling access to Klocwork projects.