Setting up single sign-on

You can use the Single Sign-on (SSO) feature to log in to Klocwork automatically. You must be using Active Directory (AD) on Windows and be logged into your Windows account.

In order to set up this access control method, you will need to complete the following steps:
  • Collect all relevant information, where appropriate
  • Use the Klocwork security utility to modify the server configuration. See Configuring your access control method
  • Restart the Klocwork Server to switch to the new configuration

Once the setup is complete, the AD server will provide the names of individuals and groups for you to choose from in Validate. Klocwork's access to the AD server is read-only, but you can also create your own groups in Validate.

As the Klocwork administrator, you may configure access control yourself, or you may provide the data to the domain server administrator, who will do the setup. In either case, the tables in the next section list the information needed to set up your SSO access control.

What you need to know

Passwords of AD users, including yours as the Klocwork administrator, are managed in AD.

The following table lists the setting information required in order to configure SSO access in kwauthconfig:

Provider URL
  Description: The URL for your LDAP server, which is ldap://<host>:<port>, where:
    • <host>:<port> is the LDAP server host name or IP address and the LDAP server port (the default is 389)
  Example: ldap://server.mycompany.com:389, ldap://10.0.160:389

Principal user's name
  Description: The optional DN for the Klocwork Server to use to log in to the AD server for retrieval of the list of users. This setting is used only when the AD server needs an authenticating user.
  Example: cn=Directory Manager,ou=People,dc=mycompany,dc=com

Password
  Description: The password for the optional principal user.

Group providers
  Description: The optional distinguished names (DNs) of the AD objects that store user group definitions. The DN is the path from the AD tree node that contains user groups to the directory tree root, with the node names separated by commas.
  Example: ou=userGroups,dc=mycompany,dc=com

LDAP Group Filter
  Description: Used to filter the group entries in the directory and produce the desired set of matching records within the set of group providers.
  Example: (objectCategory=Group)

User Providers
  Description: The distinguished names (DNs) of the AD objects that store user definitions. The DN is the path from the AD tree node that contains users to the directory tree root, with the node names separated by commas.
  Example: ou=People,dc=mycompany,dc=com

LDAP User Filter
  Description: Used to filter the user entries in the directory in order to produce the desired set of matching records within the set of user providers.
  Example: (objectCategory=Person)

User attributes
  Description: Every entity in the AD can have multiple attributes. Any particular user's name is a value associated with an attribute of the corresponding AD entity. One user can have several names by means of different attributes. In the User Attributes field, you can specify one or more attributes that contain user names. The default user attribute is cn (which stands for Common Name).
  Validate displays only the value of the first (left-most) attribute as the user's name. Therefore, if you have multiple users with identical common names, it will display identical names for these users. To prevent confusion, put a unique attribute first.
  Example: cn, sAMAccountName

Search Page Size
  Description: To optimize server load and prevent hacker attacks, organizations sometimes limit the number of entries the AD server can return (in server settings). The Klocwork Server can time out waiting for the rest of the information. If you know that your AD server has limits to the number of entries it can return, you can set the access control to retrieve users and groups from the AD server in chunks. These chunks are called pages. To enable paging, set the value of Search Page Size to the number of the AD entries which should be returned in one page.
  Example: 1000

User email attribute
  Description: Defines a user attribute that will hold an email address for users.
  Example: mail

The following settings will be detected automatically once you have specified your Provider URL, principal user's name and password. You can also configure them manually if required by clicking Customize settings.

Group providers
  Description: The optional distinguished names (DNs) of the AD objects that store user group definitions. The DN is the path from the AD tree node that contains user groups to the directory tree root, with the node names separated by commas.
  Example: ou=userGroups,dc=mycompany,dc=com

LDAP Group Filter
  Description: Used to filter the group entries in the directory and produce the desired set of matching records within the set of group providers.
  Example: (objectCategory=Group)

User Providers
  Description: The distinguished names (DNs) of the AD objects that store user definitions. The DN is the path from the AD tree node that contains users to the directory tree root, with the node names separated by commas.
  Example: ou=People,dc=mycompany,dc=com

LDAP User Filter
  Description: Used to filter the user entries in the directory in order to produce the desired set of matching records within the set of user providers.
  Example: (objectCategory=Person)

User attributes
  Description: Every entity in the AD can have multiple attributes. Any particular user's name is a value associated with an attribute of the corresponding AD entity. One user can have several names by means of different attributes. In the User Attributes field, you can specify one or more attributes that contain user names. The default user attribute is cn (which stands for Common Name).
  Validate displays only the value of the first (left-most) attribute as the user's name. Therefore, if you have multiple users with identical common names, it will display identical names for these users. To prevent confusion, put a unique attribute first.
  Example: cn, sAMAccountName

Search Page Size
  Description: To optimize server load and prevent hacker attacks, organizations sometimes limit the number of entries the AD server can return (in server settings). The Klocwork Server can time out waiting for the rest of the information. If you know that your AD server has limits to the number of entries it can return, you can set the access control to retrieve users and groups from the AD server in chunks. These chunks are called pages. To enable paging, set the value of Search Page Size to the number of the AD entries which should be returned in one page.
  Example: 1000

User email attribute
  Description: Defines a user attribute that will hold an email address for users.
  Example: mail

Configuring your access control method

  1. Launch the Klocwork security utility, kwauthconfig.

    For more information, see 'Launching Klocwork's security utility' here: Setting up access control

  2. After the utility launches, you will be prompted to provide the location of the project root structure. This location was specified during installation, and is typically: <server_install>\projects_root.
  3. Click Configure.
  4. Select LDAP and click Use single sign-on.
  5. Click Next.
  6. Enter a Provider URL for the AD server in the form ldap://<host>:<port>. If you don't specify a port, Klocwork uses 389.
  7. Enter the principal user's name.
  8. Enter the principal user's password, and re-enter it in the field below to confirm it.
  9. Click Next and if Active Directory is detected, your other LDAP settings will be configured automatically.
  10. The next panel will show the detected Active Directory settings. If you need to make any manual changes, click Customize settings.
  11. Once you have confirmed the settings, click Finish and the initial configuration utility screen will appear. Click OK to finalize your changes.

You can verify that the user running kwauthconfig is a valid LDAP user satisfying both the 'ldap.users.provider' and 'ldap.user.filter' values by clicking Test Connection. The Check LDAP connection dialog shows the server type detected by Klocwork (if one was detected). If your AD server was not detected, first verify that your principal user's credentials are correct on the LDAP server configuration page in the Klocwork Authentication Scheme Configuration Utility (kwauthconfig). If these settings are correct and the server is detected by the wizard, but Test Connection still fails, it is due to one of the following reasons:
  • Your LDAP server is down, or
  • The user running kwauthconfig is not a valid LDAP user, or
  • You have specified a bad user provider and/or user filter

If you are able to log in to Validate, the user provider and filter settings are correct. To verify group settings, log in as projects_root admin and access the Users tab. From here, you can search for groups that satisfy the 'ldap.groups.provider' and 'ldap.group.filter' settings that were set using the kwauthconfig tool.
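A bad user provider, a bad filter, or a non-unique first user attribute can be caught before the values are typed into kwauthconfig. The following is an added example, not part of Klocwork or its documentation: an offline pre-flight check over the settings from the table above. The dictionary keys, function names and the two sample users are assumptions made for the example.

```python
import re
from collections import Counter
from urllib.parse import urlsplit

def parse_provider_url(url):
    # ldap://<host>:<port>; the port falls back to 389 when omitted, as the page states
    parts = urlsplit(url)
    if parts.scheme != "ldap" or not parts.hostname:
        raise ValueError(f"provider_url: expected ldap://<host>:<port>, got {url!r}")
    return parts.hostname, parts.port or 389

def dn_is_well_formed(dn):
    # every node between unescaped commas must look like attr=value
    return all(re.match(r"^\s*[A-Za-z][\w-]*=.+$", rdn) for rdn in re.split(r"(?<!\\),", dn))

def filter_is_balanced(flt):
    depth, ok = 0, flt.startswith("(")
    for ch in flt:
        depth += (ch == "(") - (ch == ")")
        ok = ok and depth >= 0  # a ")" before its "(" can never be repaired later
    return ok and depth == 0

def display_name_collisions(entries, user_attributes):
    # only the left-most attribute is displayed, so duplicates there are ambiguous
    first = user_attributes.split(",")[0].strip()
    counts = Counter(entry[first] for entry in entries)
    return sorted(name for name, n in counts.items() if n > 1)

def preflight(cfg, entries):
    findings = []
    try:
        parse_provider_url(cfg["provider_url"])
    except ValueError as exc:
        findings.append(str(exc))
    findings += [f"{k}: malformed DN" for k in ("user_providers", "group_providers")
                 if not dn_is_well_formed(cfg[k])]
    findings += [f"{k}: unbalanced filter" for k in ("user_filter", "group_filter")
                 if not filter_is_balanced(cfg[k])]
    if not str(cfg["page_size"]).isdecimal() or int(cfg["page_size"]) < 1:
        findings.append("page_size: must be a positive integer")
    findings += [f"user_attributes: {name!r} is displayed for more than one user"
                 for name in display_name_collisions(entries, cfg["user_attributes"])]
    return findings

# Constructed sample data: settings follow the page's Example values; the two users are invented.
SAMPLE_CFG = {"provider_url": "ldap://server.mycompany.com", "page_size": 1000, "user_attributes": "cn, sAMAccountName",
              "user_providers": "ou=People,dc=mycompany,dc=com", "user_filter": "(objectCategory=Person)",
              "group_providers": "ou=userGroups,dc=mycompany,dc=com", "group_filter": "(objectCategory=Group)"}
SAMPLE_ENTRIES = [{"cn": "John Smith", "sAMAccountName": n} for n in ("jsmith", "jsmith2")]
```

With the sample data, preflight(SAMPLE_CFG, SAMPLE_ENTRIES) reports the duplicate common name; putting sAMAccountName first in user_attributes clears the finding.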

You must restart the Klocwork Server, either with Windows Services administration or with the following command:

    validate service --projects-root <projects_root> restart klocwork

Internet Explorer and Google Chrome users:

On Windows, if single sign-on is enabled but you see a browser login dialog, do the following to enable automatic authentication:

Ensure that Integrated Windows Authentication is enabled:
  1. Open your start menu and go to Control Panel > Network and Internet > Internet Options.
  2. Select the Advanced tab.
  3. Scroll down to the Security section and check Enable Integrated Windows Authentication.
  4. Restart your browser.
The target website must be in the Intranet Zone:
  1. Navigate to the product portal (for example, http://localhost:8080/portal/Portal.htm).
  2. Open your start menu and go to Control Panel > Network and Internet > Internet Options.
  3. Select the Security tab, click on the Local intranet icon, and click on Sites.
  4. Check Automatically detect intranet network. If this does not solve the issue, click Advanced and add the product portal to the list of sites.

Firefox users:

If you use Firefox, you need to do the following to finalize your SSO configuration:

  1. Type about:config in your browser's address bar.
  2. Begin typing network.automatic-ntlm-auth.trusted-uris in the Search or Filter box.
  3. When the list of preference names appears, double-click network.automatic-ntlm-auth.trusted-uris.
  4. In the "Enter string value" box, type the <host>:<port> name of the server that the Klocwork Server is running on. For example, http://server11:8080/
  5. Click OK.

What's next?

Now that you've set up AD access control in kwauthconfig, you're ready to create roles for your users in Validate. See Enabling access to Klocwork projects.