Environment
Teaming and Conferencing v1.03
Resolution
Integrating Novell Teaming and Conferencing with iChain 2.3
Introduction:
Novell recently released its Teaming and Conferencing product, which includes team workspace and real-time collaboration solutions. These solutions help boost end-user and team productivity and reduce overall customer costs by improving the everyday business processes people use to create, share, discuss and manage information.
Novell iChain is an integrated security solution that offers web single sign-on and remote authentication services, including secure authentication and access to portals, and Web-based content.
This document describes how iChain 2.3 can be used to front-end a Teaming and Conferencing server so that users who authenticate to iChain are single signed-on to the Teaming and Conferencing resources.
The following tests were performed with iChain 2.3 Support Pack 5 Interim Release 5 and Teaming and Conferencing Server 1.03. Many issues existed in earlier versions of both products, so it is strongly recommended that administrators upgrade to at least these versions.
Configuration:
There are a few approaches available when designing a solution. This section describes the two main iChain configuration options, both of which have been verified with Teaming and Conferencing. Each configuration has advantages and disadvantages, and these must be weighed before beginning the implementation.
Important Notes
The Teaming login form is not compatible with iChain Form Fill; OLAC must be used to pass the credentials to Teaming in an HTTP header.
Accessing Teaming and Conferencing through a path-based multi-homed accelerator is not supported.
Both SSO headers travel over the non-SSL private side (port 8080): x-Authorization carries the bare uid, and the standard Authorization header carries uid:pwd Base64-encoded, not encrypted. Because the back end trusts whatever arrives in these headers, the Teaming server's private port must be reachable only from iChain, and the network between iChain and the Teaming server must be trusted.
Configuration 1 (Single Accelerator Mode)
Advantages:
Uses a single accelerator
Teaming and WebDAV content are configured as restricted resources and can therefore be controlled with proxy authentication and policy
Disadvantage:
Users see a Basic-style login prompt (proxy login) for both Teaming and WebDAV content
Configuration details:
-Accelerator type: domain-based multi-home
-Authentication Profile: the options "Allow authentication through http header" and "Use basic/proxy authentication" are both enabled
-Alternate Host Name: enabled (the internal web server name differs from the published DNS name)
-SSL enabled on the public side (port 443), non-SSL on the private side (port 8080)
-OLAC populates the custom header "x-Authorization:" with the user name (uid) for single sign-on to Teaming
-OLAC also sends uid:pwd in the standard Authorization header for single sign-on to WebDAV
-Protected Resource path: /* (Type Restricted)
-Simultaneous Logout: enabled (in installer.xml) and verified working
Configuration 2 (Multiple Accelerator Mode)
Advantages:
Both Teaming and WebDAV content are configured as restricted resources, with Form-type login for Teaming and Basic-type login for WebDAV
Disadvantage:
Uses two separate accelerators, so two IP addresses are required
Setup Detail:
This configuration requires T+C 1.0.3 (available from https://dl.netiq.com), which adds the ability to specify a unique DNS name for the WebDAV server. Also, because iChain authentication profiles are shared between a parent accelerator and all of its child accelerators, the two accelerators used in this configuration must not share an authentication profile (in this example, two Master-type accelerators are used).
Accelerator 1 (for Teaming content)
-Accelerator type: non-multi-home
-Authentication Profile: Form type login
-Alternate Host Name: enabled
-SSL enabled on the public side (port 443), non-SSL on the private side (port 8080)
-OLAC populates the custom header "x-Authorization:" with the user name (uid) for single sign-on to Teaming
-Protected Resource path: /* (Type Restricted)
-Simultaneous Logout: enabled (in installer.xml) and verified working
Accelerator 2 (for WebDAV content)
-Accelerator type: non-multi-home
-Authentication Profile: Basic type; the options "Allow authentication through http header" and "Use basic/proxy authentication" are both enabled
-Alternate Host Name: enabled, and matches the WebDAV URL configured in T+C
-SSL enabled on the public side (port 443), non-SSL on the private side (port 8080)
-OLAC populates the standard Authorization: header with username:password for single sign-on to WebDAV
-Protected Resource path: /ssfs/* (Type Restricted)
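As an added illustration of the header-based single sign-on that both Configuration 1 and Configuration 2 rely on, the following Python script builds the two headers OLAC injects on the private side and shows the check a back end should apply before trusting them. This is example code written for this note, not code from iChain or from Teaming and Conferencing. The private-side network 10.0.0.0/24, the user jdoe and the password are constructed values; how Teaming itself handles the header is not described in this document, and the source-address check is a recommended pattern for any back end that trusts an injected header, not a documented Teaming feature.

```python
import base64
from ipaddress import ip_address, ip_network

# Constructed values for this example (not from the TID): the network the
# iChain private (port 8080) interface lives on, and the custom header name
# the TID says OLAC fills with the uid.
ICHAIN_PRIVATE_NET = ip_network("10.0.0.0/24")
TEAMING_HEADER = "x-Authorization"


def olac_headers(uid, password, include_basic=True):
    """Build the headers OLAC injects on the private side.

    x-Authorization carries only the uid (Teaming SSO).  With
    include_basic=True the standard Authorization header also carries
    "uid:pwd" Base64-encoded for WebDAV SSO, as in Configuration 1 and the
    WebDAV accelerator of Configuration 2; the Teaming accelerator of
    Configuration 2 sends only the custom header (include_basic=False).
    """
    headers = {TEAMING_HEADER: uid}
    if include_basic:
        token = base64.b64encode(f"{uid}:{password}".encode("utf-8")).decode("ascii")
        headers["Authorization"] = f"Basic {token}"
    return headers


def teaming_principal(headers, client_ip):
    """Back-end side: return the uid from x-Authorization, or None.

    The uid is accepted only when the request comes from the iChain private
    network; from anywhere else the header could have been typed in by the
    client, so the request is treated as anonymous.  Header names are
    matched case-insensitively, as HTTP requires.
    """
    if ip_address(client_ip) not in ICHAIN_PRIVATE_NET:
        return None
    for name, value in headers.items():
        if name.lower() == TEAMING_HEADER.lower():
            return value.strip() or None
    return None


def webdav_credentials(headers):
    """Decode the Basic Authorization header OLAC sends for WebDAV.

    Returns (uid, password), or None when the header is missing, uses another
    scheme, or is malformed.  Base64 is an encoding, not encryption: the
    password is readable to anyone who can see the port 8080 traffic.
    """
    scheme, _, token = headers.get("Authorization", "").partition(" ")
    if scheme.lower() != "basic" or not token:
        return None
    try:
        decoded = base64.b64decode(token.strip(), validate=True).decode("utf-8")
    except (ValueError, UnicodeDecodeError):
        return None
    uid, sep, pwd = decoded.partition(":")
    return (uid, pwd) if sep else None


if __name__ == "__main__":
    hdrs = olac_headers("jdoe", "s3cret")
    print(hdrs)
    print("Teaming sees:", teaming_principal(hdrs, "10.0.0.5"))
    print("Direct client sees:", teaming_principal(hdrs, "192.168.1.20"))
    print("WebDAV sees:", webdav_credentials(hdrs))
```

Run as-is, the script prints the headers as they would appear on the private side, shows that the same x-Authorization value is honoured from the iChain network and ignored from a client that reaches port 8080 directly, and decodes the Basic token back to the cleartext uid:pwd, which is the reason the private-side link needs to be a trusted network.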