BPM, Workflow, and Case

  • 1.  BAW support for SSO through Kerberos SPNEGO

    Posted Fri September 16, 2022 10:26 AM
    Hi,

    I've set up SSO on Content Navigator on WebSphere via Kerberos and SPNEGO. Doing a Google search for "business automation workflow case kerberos authentication" I see a web page for BAW entitled

    "Configuring IBM Business Automation Workflow to support SSO through Kerberos SPNEGO"

    which describes how to set up the Case Configuration tool to cater for this SSO method as well.

    I'm not sure if this is necessary to call BAW plugins from ICN. But if something in BAW is required to be done, the page applies to BAW version 19.x only. There is no equivalent page for 20.x or 22.x

    Can anyone say what happened after 19.x?

    Is BAW SSO via Content Navigator handled differently? Is it unnecessary to do any extra configuration other than the ICN config?

    I hope this request makes sense.

    Any knowledge appreciated.

    Many thanks.



    ------------------------------
    Steve Lonmo
    ------------------------------


  • 2.  RE: BAW support for SSO through Kerberos SPNEGO

    Posted Fri September 16, 2022 12:11 PM
    Hi Steve,

    did you check the following section in the BAW 20.x documentation?
    https://www.ibm.com/docs/en/baw/20.x?topic=environment-configuring-third-party-authentication-products

    Best regards,
    Michael

    ------------------------------
    Michael Kirchner
    Leading Technical Specialist - Digital Business Automation
    IBM Technology
    Germany
    ------------------------------



  • 3.  RE: BAW support for SSO through Kerberos SPNEGO

    Posted Sun September 18, 2022 08:43 AM
    Hi Michael,

    Thank you for the quick reply.

    That reference seems to be about using SSO with BAW itself (SSO to Process Admin, Process Portal etc.). We've upgraded from a traditional FileNet Case Manager 5.3.3 system to use the BAW Case Manager equivalent. We're not really interfacing with BAW beyond what is necessary to support the Case Manager functionality.

    We're using an external FileNet Content Platform Engine and an external Content Navigator, using the standard Case Manager bits of BAW (calling BAW Case plugins from Navigator).

    The customer requires the Kerberos/SPNEGO SSO config, which is already well documented, and worked on the traditional Case Manager.
    I was checking if there is anything required on the BAW side in this context to enable the calling of those plugins without a login to BAW being necessary.

    My feeling is it shouldn't be necessary to do anything, since a manual, non-SSO login to Content Navigator calls BAW components without explicitly logging into BAW.

    Except, I saw the webpage at 
    https://www.ibm.com/docs/en/baw/19.x?topic=csss-configuring-business-automation-workflow-support-sso-through-kerberos-spnego
    this seemed to imply that work was required on the BAW Case Configuration side to enable SSO from Content Navigator and Case.

    Except that this page, and a whole suite of other SSO-related pages one step up, are only relevant for BAW 19.x.
    There are no equivalent pages for 20.x, 21.x, or 22.x.
    In fact the entire "Configuring single sign on security" section is gone from 20.x and above.
    (https://www.ibm.com/docs/en/baw/19.x?topic=solutions-configuring-single-sign-security)
    We're using 21.0.3.

    Hence the question about what had changed.

    Thanks.

    ------------------------------
    Steve Lonmo
    ------------------------------



  • 4.  RE: BAW support for SSO through Kerberos SPNEGO

    Posted Sun September 18, 2022 08:48 AM
    "The customer requires the Kerberos/SPNEGO SSO config,"
    When I say that, I mean the Content Navigator WAS is configured for Kerberos/SSO and ICN is built with "Application Server Authentication". At present I don't plan to do anything on the BAW side.


    ------------------------------
    Steve Lonmo
    ------------------------------



  • 5.  RE: BAW support for SSO through Kerberos SPNEGO

    Posted Mon September 19, 2022 02:16 AM
    If I remember correctly, at the time when IBM Case Manager and IBM Business Process Manager were merged to become IBM Business Automation Workflow, some parts of documentation were copied without full validation.
    The chapter about configuring SPNEGO used to describe required configuration for the IBM Case Manager product when running on its own WebSphere or FileNet's WebSphere cell.
    Today, when the Case Management apps are deployed to an IBM BAW cell, only https://www.ibm.com/docs/en/baw/20.x?topic=environment-configuring-third-party-authentication-products applies. It describes how to customize authentication for accessing BAW (including the Case Manager apps): Standard WAS customizations (for SPNEGO, SAML, OIDC and even custom TAIs are supported, but there are restrictions: some URLs need to continue to support basic auth or anonymous access and asserted group memberships will be ignored).

    If your scenario is that some remote ICN was reconfigured to require SPNEGO authentication, this may have an impact on code running in BAW trying to connect to ICN. I am not aware of any testing or documentation for this scenario. I think the default setup assumes SSO between BAW and remote ICN / CPE systems by exchanging LTPA keys.

    ------------------------------
    Jens Engelke
    ------------------------------
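
The two pieces Jens describes, the standard WebSphere SPNEGO customization and the LTPA key exchange between the ICN, CPE and BAW cells, as an added wsadmin Jython example. This is not code from the thread or from IBM's documentation: the host name, realm, keytab and krb5.conf paths, key file and password are placeholders, and the filter criteria (challenge only Navigator URLs, let anything else fall back to the application's own auth method) is an assumption about the site's URL layout, not a value from the page.

```jython
# Added example (not from the thread): wsadmin Jython that
#   1. enables SPNEGO web authentication on the cell hosting Content Navigator,
#      scoped by a filter so non-browser callers keep basic/form auth, and
#   2. exports that cell's LTPA keys for import on the BAW and CPE cells,
#      which is what lets an LtpaToken2 cookie minted by one cell be accepted
#      by the others without a second login.
# Run as:  wsadmin.sh -lang jython -f spnego_ltpa.py
# Every host, realm, path and password value below is a placeholder.

SPN_HOST      = "icn.example.com"            # host of the SPN HTTP/icn.example.com@EXAMPLE.COM
KRB5_REALM    = "EXAMPLE.COM"
KRB5_CONF     = "/opt/IBM/WebSphere/etc/krb5.conf"
KRB5_KEYTAB   = "/opt/IBM/WebSphere/etc/icn.keytab"
LTPA_KEY_FILE = "file:/tmp/icn-ltpa.key"     # exported key file, copy it securely to the other cells
LTPA_KEY_PWD  = "change-me"                  # encrypts the exported key file

# Assumption: only requests whose URL contains /navigator are challenged with
# Negotiate; a client that sends the noSPNEGO marker, or any other path (for
# example server-to-server REST calls using basic auth), is not. Adjust to the
# real URL layout before use.
FILTER_CRITERIA = "request-url!=noSPNEGO;request-url%=/navigator"

def configure_spnego():
    """Create one SPNEGO filter for the SPN host and switch SPNEGO on."""
    AdminTask.createSpnegoFilter(
        '[-hostName %s -krb5Realm %s -filterCriteria "%s" -trimUserName true]'
        % (SPN_HOST, KRB5_REALM, FILTER_CRITERIA))
    # allowAppAuthMethodFallback keeps basic/form login working for requests
    # the filter does not match and for clients that cannot negotiate; this is
    # the "some URLs need to continue to support basic auth" caveat above.
    AdminTask.configureSpnego(
        '[-enabled true -dynamicReload true -allowAppAuthMethodFallback true '
        '-krb5Config %s -krb5Keytab %s]' % (KRB5_CONF, KRB5_KEYTAB))

def export_ltpa_keys():
    """Export this cell's LTPA keys to a password-protected file."""
    AdminTask.exportLTPAKeys('[-ltpaKeyFile %s -password %s]'
                             % (LTPA_KEY_FILE, LTPA_KEY_PWD))

def import_ltpa_keys():
    """Run this on the BAW and CPE cells, not here, with the same file and password."""
    AdminTask.importLTPAKeys('[-ltpaKeyFile %s -password %s]'
                             % (LTPA_KEY_FILE, LTPA_KEY_PWD))

configure_spnego()
export_ltpa_keys()
AdminConfig.save()
```

After the import on the other cells all three must also agree on the LTPA SSO domain name and the user registry realm, or the shared keys alone will not make the cookie acceptable; and, as noted above, group memberships asserted by the SPNEGO/TAI path are ignored, so authorization on the BAW side still comes from the registry lookup.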



  • 6.  RE: BAW support for SSO through Kerberos SPNEGO

    Posted Mon September 19, 2022 03:27 AM
    Thanks for the reply Jens

    Yes, on an ordinary non-SSO scenario BAW is configured with the same LTPA key exchange with ICN as already exists between the FileNet CPE and ICN. My assumption all along was that this should not change just because SSO has been configured on the ICN. It was just that I stumbled across that piece of 19.x documentation and started to wonder.

    I will look again at the documentation you referred to, but it does seem as though that is there to allow SSO to various BAW features which the customer will never use - and they can log in manually if they are ever curious. Similarly, they (or we) will log into the Case Builder manually and would not need any SSO. The only reference I see to a link with Content Navigator is the configuration of a logout page, which we don't require.

    I'm a little surprised that an otherwise ordinary (for us anyway, as a Case Manager / FileNet support partner) configuration of CPE<->ICN<->BAW/Case configuration that happens to have SSO on the ICN might be a scenario that IBM didn't test?

    I might raise a PMR or something to confirm.

    But many thanks again for your reply.

    ------------------------------
    Steve Lonmo
    ------------------------------