Track if Clarity has received the header or cookie from SSO (On Premise non SAML)
search cancel

Track if Clarity has received the header or cookie from SSO (On Premise non SAML)

book

Article ID: 39838

calendar_today

Updated On:

Products

Clarity PPM On Premise

Issue/Introduction

You are integrating On Premise Clarity with a Single Sign On solution (not SAML).  You are not sure if Clarity is receiving the SSO Auth. token (header or cookie).

How can you troubleshoot?

Environment

Release: All 
Component: Clarity On Premise

SSO non SAML

Resolution

Application of Clarity patches and/or Clarityupgrades will revert the changes mentioned below.

First identify the name of the cookie or token being used for Single Sign On in the PPM CSA (NSA).

  1. Login to the NSA and go to the security tab 
  2. Confirm the value for token, for example: "SSO_TOKEN" 
  3. Navigate to the following folder on the Clarity Server
    cd <CLARITY HOME>/.setup/scripts
  4. Make a backup copy
  5. Open the commondeploy.xml file for editing:
    1. Look for this section:

      <choose property="app.access.valve.configuration"> 

      <when value="default"> 

      <override name="app.access.valve.class.name" value="org.apache.catalina.valves.AccessLogValve"/> 

      <override name="app.access.valve.pattern" value="%h|%t|%r|%s|%b|%D|%{sessionId}c"/>

    2. Edit the line:
      <override name="app.access.valve.pattern" value="%h|%t|%r|%s|%b|%D|%{sessionId}c"/>

    3. Change it to read:
      <override name="app.access.valve.pattern" value="%h|%t|%r|%s|%b|%D|%{sessionId}c|%{User-Agent}i|%{SSO_TOKEN}i|%{SSO_TOKEN}c"/>
      Note: The "c" or "i" that appear after the token represent a "cookie" or "header" respectively.

    4. Save the file 

  6. Deploy the app and start the “app” service
    <clarity>/bin/service deploy stop start app

  7. Validate the change in /opt/clarity/tomcat-app-deploy/conf/server.xml
    <Valve className="org.apache.catalina.valves.AccessLogValve" directory="/opt/clarity/logs" prefix="app-access-" suffix=".log" pattern="%h|%t|%r|%s|%b|%D|%{sessionId}c|%{User-Agent}i|%{SSO_TOKEN}i|%{SSO_TOKEN}c" resolveHosts="false" />

  8. The <CLARITY_HOME>/logs/app-access* log files will now include the SSO header or cookie, for example:

x.x.x.x|[16/Mar/2016:09:19:30 -0700]|POST /niku/nu?uitk.logger&actionId=itl.incidentObject HTTP/1.1|200|-|1|5637607__873BB31C-754E-46F1-A00F-6E68FE4ED54A|Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0; QAM; AuthQSWsystem; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E; .NET CLR 1.1.4322; InfoPath.3)|[email protected]|-

In the example above, the "[email protected]" is the SSO header as it came in as an HTTP Header.