iChain 2.3 with exteNd Director 5.2

(Last modified: 30Mar2005)

This document (10097139) is provided subject to the disclaimer at the end of this document.

fact

 iChain 2.3

exteNd Director 5.2

goal

iChain 2.3 with exteNd Director 5.2

fix

All the information in this document comes from testing notes based on iChain 2.3 SP2 with exteNd 5.2 SP1. Testing was done using Express Portal, the sample portal application supplied with exteNd Director, and was performed with typical iChain features as follows:

  • Non-multi-home accelerators
  • Domain-based multi-home
  • Path-based multi-home ("Remove sub-path from URL" disabled)
  • Secure Fill enabled on one and on both sides of the proxy
  • Single sign on methods of Forward auth, OLAC, and FormFill
  • ACL

Features of Express Portal covered in this testing included the following:

  • Bookmark portlet
  • eGuide portlet
  • Flash portlet
  • Google portlet
  • GroupWise Calendar portlet
  • GroupWise mail portlet
  • GroupWise mail/calendar portlet
  • GroupWise WebAccess portlet
  • iFrame portlet
  • Links portlet
  • MyBookmarks portlet
  • NetMail portlet
  • NetStorage portlet
  • Network file portlet (CIFS, NJCL, RMI)
  • News Group portlet
  • Password Change portlet
  • Webmail portlet (POP and IMAP)
  • Simultaneous logout
  • Scoped paths

Access URLs:

User and administrator access is similar to http(s)://<DNSname>/ExpressPortal. If the Authorization header is populated with valid user credentials (as with the Forward authentication or OLAC single sign on methods), the user will be authenticated to the portal and see user-specific content. If Authorization header credentials are not present or are invalid, the user will see an introduction page used for a guest user.

A URL similar to http(s)://<DNSname>/ExpressPortal/portal/portlet/LoginPortlet can also be used. This will bring up a login form that can be used with iChain's FormFill method of single sign on.

Known issues:

100368742: Do not use path-based multi-home accelerators with option "Remove sub-path from URL" enabled.

Accelerator configuration notes:

When accessing Express Portal through iChain, it is very important to understand the behavior of portlets and other content present on the portal server.

Most portlets will use one of the following connection scenarios:

1. Portal Server to Content Web Server only

A server-to-server connection is established between the Express Portal server and the origin web server providing content for the portlet. There is no need for the user's browser to connect to the Content Web Server. The portlet's connection URL should be configured to allow a direct connection between the servers (i.e. one that does not get routed through iChain).

2. Browser-to-Content Web Server only

In this case, the portlet simply provides links which redirect the browser to the appropriate Content Web Server. If the Content Web Server is also being accelerated by iChain, consideration must be given to the URL(s) configured in the portlet to allow iChain rewriting to occur properly so that the user's browser gets redirected to the appropriate accelerator for the Content Web Server.

3. Portal Server to Content Web Server AND Browser-to-Content Web Server

In this case, the portal server establishes a connection with the Content Web Server, perhaps to provide authentication on behalf of the user and populate the portlet with initial data, then redirects the browser to connect directly to the Content Web Server when the user clicks links within the data displayed in the portlet.

If the Content Web Server is also being accelerated by iChain, consideration must be given to the URL(s) configured in the portlet so that the server-to-server connection occurs directly (i.e. NOT through iChain) and so that iChain rewriting occurs properly, redirecting the user's browser to the appropriate accelerator for the Content Web Server.

Portlets that use Portal Server to Content Web Server connections only:

Network file portlet (CIFS, NJCL, RMI)
Webmail portlet (POP and IMAP)

Portlets that use Portal Server to Content Web Server AND Browser-to-Content Web Server connections:

eGuide portlet
GroupWise Calendar portlet
GroupWise mail portlet
GroupWise mail/calendar portlet
GroupWise WebAccess portlet
NetMail portlet
NetStorage portlet

exteNd Director can be configured to detect the presence of an iChain cookie for the purpose of performing simultaneous logout. The iChain accelerator option "Forward iChain Cookie to web server" should be enabled if this feature is used.

SSO notes:

All methods of iChain single sign on are compatible: Forward authentication, OLAC, and FormFill.

Note that exteNd must be enabled to accept LDAP formatted names if iChain's simple "Forward authentication information to web server" option is used for SSO.

Below is a sample FormFill script used during testing. Note the <url> value is one which allows the user to bypass the initial Express Portal guest page.

<urlPolicy>
   <name>DirectorLoginFail</name>
   <url>external.dskads.citinc.novell.com/ExpressPortal/portal/portlet/LoginPortlet</url>
   <formCriteria>
      <title>LoginPortlet</title>
      Invalid user or password
   </formCriteria>
   <actions>
      <deleteRemembered>DirectorLogin</deleteRemembered>
   </actions>
</urlPolicy>

<urlPolicy>
   <name>DirectorLogin</name>
   <url>external.dskads.citinc.novell.com/ExpressPortal/portal/portlet/LoginPortlet</url>
   <formCriteria>
      <title>LoginPortlet</title>
   </formCriteria>
   <actions>
      <fill>
         <input name="uid" value="~">
         <input name="pwd" value="~">
      </fill>
      <post/>
   </actions>
</urlPolicy>

Miscellaneous:

exteNd's "Scoped Paths" feature allows sharing of user login credentials between the portal server and the portlets. This feature was introduced in exteNd 5.2, but fixes in SP1 are necessary for proper behavior.

Scoped path configuration depends on how the user initially gets authenticated to the portal itself (i.e. through Authorization header credentials, login form, etc.), and on the credential format requirements of the portlet (simple name, LDAP name, etc.). Use of iChain SSO methods such as Forward authentication, OLAC, or FormFill must be considered when configuring Scoped Paths. See exteNd documentation for full details on configuring scoped path values.

General guidelines for using Scoped Paths with iChain SSO:

When using iChain's Forward authentication or OLAC to provide single sign on to the portal, use the following scoped path entries:

${Request/api/getUserID} (returns LDAP dn, ex. "cn=user1,o=novell")

-OR-

${User/attr/uid} (returns simple name, ex. "user1")

${Request/api/getPassword} (returns password)

When using FormFill, use the following scoped path entries:

${Application/login-user} (returns the user's simple name, ex. "user1")
${Application/login-pass}
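
To see what the portal actually receives under Forward authentication or OLAC, the following added example (not part of the original Novell document) decodes a Basic Authorization header and reports whether the forwarded name is an LDAP DN or a simple name, which is what decides whether exteNd must accept LDAP formatted names and which scoped path entry fits. The function names and the sample credentials are constructed for illustration.

```python
import base64

def basic_header(name, password):
    """Build a constructed sample header (illustration only)."""
    return "Basic " + base64.b64encode(f"{name}:{password}".encode()).decode()

def split_dn(dn):
    """Split an LDAP DN into RDNs, keeping backslash-escaped commas intact."""
    rdns, cur, escaped = [], "", False
    for ch in dn:
        if escaped or ch != ",":
            cur += ch
            escaped = ch == "\\" and not escaped
        else:
            rdns.append(cur.strip())
            cur = ""
    rdns.append(cur.strip())
    return rdns

def is_ldap_dn(name):
    """True when every comma-separated part looks like attr=value."""
    for rdn in split_dn(name):
        attr, eq, value = rdn.partition("=")
        if not (eq and attr.strip() and value.strip()):
            return False
    return True

def inspect_authorization(header):
    """Report what a forwarded Authorization header hands to the portal.
    'guest': no usable credentials arrived. 'forwarded': a name and a
    password arrived (the portal still has to validate them)."""
    scheme, _, blob = (header or "").strip().partition(" ")
    if scheme.lower() != "basic" or not blob.strip():
        return {"outcome": "guest", "reason": "no Basic credentials"}
    try:
        decoded = base64.b64decode(blob.strip(), validate=True).decode("utf-8")
    except ValueError:  # bad base64 or bad UTF-8
        return {"outcome": "guest", "reason": "undecodable credentials"}
    name, sep, password = decoded.partition(":")  # password may contain ':'
    if not (sep and name and password):
        return {"outcome": "guest", "reason": "name or password missing"}
    dn = is_ldap_dn(name)
    return {
        "outcome": "forwarded",
        "name": name,
        "format": "ldap-dn" if dn else "simple",
        # Leftmost RDN value, e.g. "user1"; a hint only, not a directory lookup.
        "leftmost_rdn": split_dn(name)[0].partition("=")[2] if dn else None,
    }
```

Because the header is only base64-encoded, the forwarded name and password are readable on the proxy-to-portal connection unless that side of the proxy is protected with SSL.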


disclaimer

The Origin of this information may be internal or external to Novell. Novell makes all reasonable efforts to verify this information. However, the information provided in this document is for your information only. Novell makes no explicit or implied claims to the validity of this information.
Any trademarks referenced in this document are the property of their respective owners. Consult your product manuals for complete trademark information.

  • Document ID: 10097139
  • Solution ID: NOVL101540
  • Creation Date: 30Mar2005
  • Modified Date: 30Mar2005
    • NetIQiChain
