SSO - Jedox 5.1 SR5 - Authenticating Windows users while keeping their internal Jedox Groups

    Currently configuring Jedox 5.1 SR5 - I'm looking for an "OnWindowsUserAuthorize" template that offers the ability to authenticate (SSO) Windows users while keeping their internal Jedox groups.

    Thanks in advance.

    You can use the OnWindowsUserAuthorize event to define a new set of groups for the user instead of those returned by the third-party system. E.g. in your PHP code, you can try to access the System DB, read the user's groups (which of course you then have to maintain manually), and set those.
    And here is the problem (not sure if this is Olivier's problem as well).
    I don't want to reflect the Jedox groups in the AD. The only thing I want to use is an automatic password check against the AD without using any group information from either side.
    The groups in AD are completely different from the ones in Jedox and vice versa.

    I just want to have some kind of single sign on behaviour when the user opens a certain URL (in our scenario this would be the main page of the web standalone environment).
    Hi all,
    I'm exactly trying to do that.
    I'm currently trying to implement a workaround: extracting the user's Jedox groups and filling the
    &groups parameter in function OnWindowsUserAuthorize.
    It doesn't work for the moment: I think my group array structure is not valid!

    the function looks like this :

    Source Code

        public function OnWindowsUserAuthorize($domain, $username, array $winGroups, array& $groups) { // bool
            $Test_User = "";
            $User_Group = "";
            $Login_User = $domain.'\\'.$username;
            sep_log("<< User Windows authorize: domain $domain, username $username, WindowsGroup $winGroups[0], Domain User $Login_User>>");
            $Test_User = palo_ename("SupervisionServer/System","#_USER_",$Login_User);
            $Allgroups = palo_dimension_list_elements("SupervisionServer/System","#_GROUP_");
            $i=0;
            $j=0;
            foreach ($Allgroups as $value) {
                $User_Group = $value['name'];
                $Is_User_group = palo_data("SupervisionServer/System","#_USER_GROUP",$Login_User,$User_Group);
                // sep_log("test Group $i: $User_Group - $Is_User_group");
                if ($Is_User_group == 1) {
                    sep_log("User $Login_User belongs to $User_Group");
                    $groups[$j] = $User_Group; // here I put jedox group!
                    $j++;
                }
                $i++;
            }
            // small check for debug:
            sep_log("User $Login_User in now trying to connect JEDOX with groups : ");
            foreach ($groups as $value) {
                sep_log("Group : $value");
            }
            sep_log("<<END - On Windows User Authorize >>");
            return true;
        }

    Thanks in advance for any ideas.

    Hi Olivier,

    I have the impression that the $groups variable cannot be overridden, the parameter is passed by reference (hence the & before the variable)

    try to remove the & before the parameter, then you should be able to override it

    not tested though.

    hope this helps!

    Post hoc, non est propter hoc
    Finally it works : the problem came from the last lines of the function:

    Olivier Chatelain wrote:

    // small check for debug:

    sep_log("User $Login_User in now trying to connect JEDOX with groups : ");
    foreach ($groups as $value) {
    sep_log("Group : $value");

    I assume the foreach instruction modifies the & pointer value. We can now authenticate ourselves with AD accounts while keeping Jedox groups.

    Warm regards.
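
The approach this thread settles on, as an added example that is not part of the original posts and not Jedox's own code: the handler logic with the debug loop removed, `$groups` replaced in a single assignment, and the login refused when the account has no Jedox groups. `$allGroups` and `$isMember` are hypothetical stand-ins for the `palo_dimension_list_elements()` and `palo_data()` calls posted above, and treating a `false` return as a denied login is an assumption.

```php
<?php
// Added example, not Jedox code. $allGroups and $isMember are hypothetical
// stand-ins for the palo_dimension_list_elements() and palo_data() lookups
// posted in the thread, injected so the logic runs without a Jedox server.

function resolveJedoxGroups($login, array $allGroups, $isMember)
{
    $resolved = array();
    foreach ($allGroups as $group) {
        // Same membership test as the thread: cell value 1 means "member".
        if ($isMember($login, $group['name']) == 1) {
            $resolved[] = $group['name'];
        }
    }
    return $resolved;
}

function authorizeWithJedoxGroups($domain, $username, array &$groups, array $allGroups, $isMember)
{
    $login = $domain . '\\' . $username;   // account name format used in the thread
    $resolved = resolveJedoxGroups($login, $allGroups, $isMember);
    if (count($resolved) === 0) {
        // Assumption: returning false rejects the login. An account with no
        // Jedox groups is refused instead of being let in with whatever
        // $groups already contained.
        return false;
    }
    $groups = $resolved;   // one wholesale assignment; nothing handed in survives
    return true;
}

// Constructed sample data: three Jedox groups, one known account.
$allGroups = array(array('name' => 'admin'), array('name' => 'editor'), array('name' => 'viewer'));
$membership = array('EXAMPLE\\alice' => array('editor' => 1, 'viewer' => 1));
$isMember = function ($login, $group) use ($membership) {
    return isset($membership[$login][$group]) ? $membership[$login][$group] : '';
};

foreach (array('alice', 'mallory') as $user) {
    $groups = array('Domain Users');   // constructed: value present before the handler runs
    $ok = authorizeWithJedoxGroups('EXAMPLE', $user, $groups, $allGroups, $isMember);
    echo $user, ': ', ($ok ? 'allowed' : 'denied'), ' [', implode(', ', $groups), "]\n";
}
```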


    I used the following examples from svs/samplescripts folder:
    • adLDAP.php
    I made a copy in svs/custom_scripts renaming them:
    • adLDAP.php
    Finally, I modified in svs folder to use my custom scripts:

    PHP Source Code

        <?php
        include './custom_scripts/';
        ?>

    You can then modify class SEPEventHandler extends SEPEventHandlerBase and rewrite the function OnWindowsUserAuthorize($domain, $username, array $winGroups, array& $groups).

    For sso, you don't need adLDAP.php library, but I implement it to use also a standard LDAP authentication (it's useful when testing on a user PC with a different account).

    Take care.

    Hi, one remark,

    To ensure the SSO process, my user accounts are created as domain\useraccount in Jedox, where domain is the NetBIOS domain name.

    For example TEISAN\Alvin.tang

    Then, if I perform an LDAP authentication, we had to split the account username from the domain.

    Take care.

    Hi Olivier,

    unfortunately I hit the same problem.
    A user containing "domain\" as prefix was created once SSO was configured correctly.

    But this is a huge issue because all of the users are already contained in System-Database without the domain-prefix.
    Do you think there is a way to suppress the creation of new elements containing the domain and use the user already created?

    If possible the system should recognize a user only as "username" and nothing else.

    Regards, Peer.