Author Topic: Pro Cloud/WebEA and log in (Single Sign On)  (Read 1535 times)

Eamonn John Casey

Pro Cloud/WebEA and log in (Single Sign On)
« on: September 13, 2017, 04:12:16 am »
Hello,

We got an EA 13.5 installation and have downloaded the ProCloud/WebEA trial. I got it to work in our local network but it seems that WebEA doesn't support Single Sign On. That is, I type in my Active Directory credentials.

I open Enterprise Architect normally with my Active Directory credentials. But from WebEA it doesn't accept my credentials. I must set the password in the EA client to something so I can use WebEA.

Is this a bug or an oversight? Or maybe it is a setup thing on the web server.

Anyone hit this problem?

EjC

Eamonn John Casey

Re: Pro Cloud/WebEA and log in (Single Sign On)
« Reply #1 on: September 21, 2017, 02:44:24 am »
The answer I found was to go into the EA Client and change your password inside the EA model database (not Active Directory). It is this password that is used in the Pro Cloud/WebEA login and has nothing to do with the SSO/Active Directory password.

Oversight in the documentation maybe. But it makes sense if the user is not a network user. i.e. Guest/Guest.

Paolo F Cantoni

Re: Pro Cloud/WebEA and log in (Single Sign On)
« Reply #2 on: September 21, 2017, 09:56:29 am »
> The answer I found was to go into the EA Client and change your password inside the EA model database (not Active Directory). It is this password that is used in the Pro Cloud/WebEA login and has nothing to do with the SSO/Active Directory password.
>
> Oversight in the documentation maybe. But it makes sense if the user is not a network user. i.e. Guest/Guest.

Yes, but in EA you can mix and match both types of users. Imported (i.e. from AD) or local (direct in the repository).  It surprises me that you can't do the same with the Pro Cloud/WebEA.

Or have I missed something?  Single sign-on would be a big thing for us.  We're not ready to try Pro Cloud/WebEA but hope to soon.

Paolo
Inconsistently correct systems DON'T EXIST!
... Therefore, aim for consistency; in the expectation of achieving correctness....
-Semantica-
Helsinki Principle Rules!

Simon M

  • EA Administrator
Re: Pro Cloud/WebEA and log in (Single Sign On)
« Reply #3 on: September 21, 2017, 10:09:29 am »
Importing users from Active Directory into EA doesn't solve this problem. When you use that function within EA, it's usually in the context of using 'Accept Windows Authentication'. EA creates the users, but that's all. If you tried to explicitly log in to another user, you couldn't because there is no valid password.

When authenticating users in the cloud server and WebEA, it authenticates against the users in the database.

I'd like to get an Active Directory/SSO authentication working, but it's not that simple.
Simon

support@sparxsystems.com

Paolo F Cantoni

Re: Pro Cloud/WebEA and log in (Single Sign On)
« Reply #4 on: September 21, 2017, 11:34:21 am »
> Importing users from Active Directory into EA doesn't solve this problem. When you use that function within EA, it's usually in the context of using 'Accept Windows Authentication'. EA creates the users, but that's all. If you tried to explicitly log in to another user, you couldn't because there is no valid password.
>
> When authenticating users in the cloud server and WebEA, it authenticates against the users in the database.
>
> I'd like to get an Active Directory/SSO authentication working, but it's not that simple.

Thanks for the clarification, Simon,

I did understand about "Accept Windows Authentication", but not that it didn't apply here.  However, it got me thinking.  Is there a "hack" where one could add a password to the imported user and use that User & Password combination from the Web?  Would that invalidate the "Accept Windows Authentication" mechanism?

Is that what you did, Eamonn?

Paolo

Eamonn John Casey

Re: Pro Cloud/WebEA and log in (Single Sign On)
« Reply #5 on: September 21, 2017, 07:35:56 pm »
When importing users from Active Directory the EA Client understands it is an Active Directory credential and uses SSO. But coming through WebEA (which could be from anywhere) EA does not have a reference point so it defaults to the internal t_secuser credential.

So if you want to use Pro Cloud and WebEA you need to set your password inside the EA Client.

But this is sort of logical because not everyone outside needs to have an Active Directory account.

Simon M

Re: Pro Cloud/WebEA and log in (Single Sign On)
« Reply #6 on: September 22, 2017, 08:29:06 am »
> When importing users from Active Directory the EA Client understands it is an Active Directory credential and uses SSO.

No, it really doesn't...

What you are seeing is that "Accept Windows Authentication" logs you in as the t_secuser that matches your Windows username. The login prompt is suppressed, but in my opinion at least it doesn't qualify as a single sign on implementation.
Simon

Paolo F Cantoni

Re: Pro Cloud/WebEA and log in (Single Sign On)
« Reply #7 on: September 22, 2017, 09:45:44 am »
>> When importing users from Active Directory the EA Client understands it is an Active Directory credential and uses SSO.
>
> No, it really doesn't...
>
> What you are seeing is that "Accept Windows Authentication" logs you in as the t_secuser that matches your Windows username. The login prompt is suppressed, but in my opinion at least it doesn't qualify as a single sign on implementation.

That was my understanding.  And I (and our Security Architect - who sits next to me) agree that it doesn't qualify as SSO.

Thanks again, Simon.

Paolo