Re: Single Signon with OTM

Arham,

OTM has supported SSO since v3.0 (or earlier) and was one of the requirements of one of our early LARGE clients. While I don't believe there is any documentation for this, the configuration is simple.

First - it was developed around Netegrity, but works with any Reverse Proxy-based SSO solution. When it's configured, OTM delegates all authorization responsibilities to the SSO framework. If an OTM username is passed to OTM via the http header or URL, then that use is automatically logged-in, without verifying the password. This allows you to keep a single password repository, but requires that you protect OTM from malicious users and filter the http-headers and URLs.

To configure, just enable the following properties in the OTM glog.properties file, where "appuid" is the variable you'll use to send in the OTM username: You may also need to enable the reverse-proxy in OTM in order to work within your SSO framework. This is accomplished via the following properties in the glog.properties file, where "/urlprefix" is the URL Prefix that your reverse-proxy server utilizes in order to identify the OTM web server: You will also need to edit the <otm_home>/apache/htdocs/index.html file and update the URL listed below to include this URL Prefix.

Finally, keep in mind that once you setup OTM to be accessible via a reverse-proxy, you won't be able to connect to it directly, since the URL Prefixes won't get stripped out and will thus be invalid for your browser.

I've set this up in the lab and for a few clients while I was at G-Log, and it works well.

Hope this helps!

--Chris