Supported Operating Systems:
The EEM server can be installed on the SPECTRUM or eHealth server, but if possible the best option would be to install it as a standalone.
Follow the instructions in the e Trust? Identity and Access Management Toolkit
Getting Started Guide, to install the server. Chapter 2 is for Windows, and Chapter 3 is for Linux or UNIX.
No other steps in the guide need to be followed to install the EEM server. The steps in Chapters 4,5 and 6 do not apply to the integration.
Once the server has been installed please ensure the following has been done:
LDAP Configuration for EEM:
The following steps need to be done on the EEM server.
Select the Configure tab to complete these steps
Select the Reference from an external directory option
Enter the Type of external directory
Enter the correct criteria based on your LDAP configuration
Use the Refresh status option at the bottom of the page to ensure that the status is OK (green)
Spectrum Single Sign-On User Information:
If any changes need to be made they can be made in OneClick by selecting the Users tab
Users who will have access to Spectrum must have accounts created in Spectrum. The account name must match the name as it exists on the LDAP server. Account Names are case sensitive to both the LDAP server. If there are case differences between the SPECTRUM account name and the LDAP name authentication will fail
*A Spectrum web password is required, but it does not need to be the same as the LDAP password. Entering this password will only give a user access IF Single Sign-On is disabled.
Spectrum Single Sign-On Configuration:
The following options can be made on the OneClick Administration >Single Sign On Configuration page
Enable EEM as the SSO Option, Enter the EEM Server Name, Enter the Cookie Domain (site domain name)Enter Spectrum application Name in EEM Enter a log filename (Optional) Fill this in if the test option below fails Test using an LDAP user (does not need to be a user who has already been added to Spectrum)
Spectrum EEM-LDAP Considerations:
When configuring LDAP for EEM, the only way to disable users logging into Spectrum through LDAP is to select the No Single Sign-On option.
If you have the following setting on a user model it will not be enforced if the EEM server is used.
The "legacy" option of allowing a user to login if the LDAP User [or server] is not found, does not work when using EEM.
You can check by this in OneClick by selecting a User model and expanding the LDAP configuration option
eHealth Single Sign-On User Information:
Users who will have access to eHealth, must also have web accounts created in eHealth with the appropriate access.
*This user must also exist in Spectrum as well. This ensures that the integration launch points from Spectrum into eHealth will not ask for an additional sign on.
eHealth EEM-LDAP Considerations:
When integrating eHealth with EEM & LDAP, users who are NOT in LDAP will still have the ability to login to eHealth.
This can be both good and bad. Our recommendation to prevent being locked out from eHealth if LDAP is down would be to keep an admin user as a non LDAP user ? and/or limit the number of users who can access eHealth without LDAP.
eHea.lth Single Sign-On Configuration:
Once LDAP for EEM is configured, be sure to run the nhWebSso.sh command.
If you?ve already run it for individual users, you must run it again to sync it with the LDAP configuration.
./nhWebSso ?hostname <hostname of EEM server>
Do not use the option ?disable fallback option when issuing the command
nhWebSso on the eHealth server. This option will disable Single Sign On which will cause all subsequent attempts to login to fail
eHealth/Spectrum Single Sign-On Integration changes:
Since Spectrum will not allow non LDAP users to authenticate without disabling SSO, eHealth must now be configured to use an LDAP user present in Spectrum to keep the integration.
Run the ./nhSpectrumSetup command on the eHealth server
Change the non LDAP spectrum user to an LDAP spectrum user and click OK.
Since a non LDAP user can still access eHealth, the Spectrum eHealth integration can continue to use the standard eHealth admin non LDAP account.
Should the LDAP server become unavailable, users will not have the ability to log into Spectrum and there will be no way to disable the Single Sign-On in the Spectrum web administration options.
To by bypass this, the EEM configuration must be changed from Reference from an external directory to Store in CA?s Management Database (CA-MDB).
The user(s) must exist in the Manage Identities area of EEM since Single Sign-On is still enabled in Spectrum Web Administration.
Be sure the passwords between Spectrum and EEM users are the same.
Now, you have two options ? add additional users to EEM for the non-LDAP integration or disable Single Sign-On in Spectrum Web Administration.
Removing or renaming the files in the $SPECROOT\custom\sso\config directory will not work.
Best Practice for installing EEM server for SPECTRUM/eHealth integration
(Legacy KB ID CNC TS31682 )