ZSSO user manual

1. introduction

ZSSO is a web-based single sign-on (SSO) system. It acts as a reverse proxy: application users cannot access your web application server directly (direct access is blocked by your router). Instead they connect to your ZSSO system, and ZSSO forwards their requests to the background web application server.

ZSSO supports background web applications written in PHP/ASP/ASP.NET/HTML/JSP/servlet, and all web servers such as Apache/IIS/Tomcat/Weblogic/Websphere.

2. SSO admin users and application users

By default, there is an admin user with sign-in name 'admin' and password 'zsso', and a test application user with name 'test' and password 'test'.

Background applications should run a task that periodically synchronizes application users' data from ZSSO by calling the web service: http://zsso_ip:8091/zsso/SsoWebservice?wsdl
The relevant web service definition is:

@WebService(targetNamespace = "http://www.zhegui.biz/webservice")
@SOAPBinding(style = SOAPBinding.Style.RPC)
@WebMethod public String getAllUsersInXmlFormat()

3. SSO applications

It's easy to integrate applications with ZSSO.

3.1 add a new application

Under menu: master data -> sso background application system.

3.2 add application users


Under menu: master data -> sso background application user.

3.3 authorize user to application

Under menu: authority -> sso application and user relationship

And now user can access that application.

4. authority

ZSSO supports several authority (access control) modes:

4.1 no sign in needed, no SSO authority


In this case, ZSSO acts only as a reverse proxy and simply forwards your web traffic to the background application server. You can still use the access log and trend chart.

4.2 need sign in, no SSO URL-based authority


This is the most widely used way for single sign-on to work. ZSSO checks the application user's password and blocks users who have not signed in from accessing background web applications.
User access control is done by the background web application.

4.3 need sign in, use SSO URL-based authority


This is ZSSO's significant improvement over general single sign-on. ZSSO has URL-based authority, which means you don't need to develop your own authority for each web application when integrating with ZSSO.

Follow these steps to use ZSSO URL-based authority:

4.3.1 change application definition

Under menu: master data -> sso background application system, change your application definition and make sure "Use SSO authority" and "Need sign in" are both enabled.

4.3.2 create an "Authority point"

Under menu: authority -> Authority point. An "Authority point" is a set of URLs that stands for a set of functional modules.

4.3.3 assign application user to "Authority point"

Under menu: authority -> User with Authority point.

4.3.4 you also need to do the task mentioned in item 3.3

And now the URL-based authority works.

5. change background application code to get sso user sign name

Java/Servlet code sample:
String userSignInNm = request.getHeader("iv-user");
String userMail = request.getHeader("iv-user-mail");
String userIp = request.getHeader("iv-remote-address");
String userSessionKeyInSSO = request.getHeader("iv-sso-client-uuid");

ASP.NET code sample:
String userSignInNm = Request.Headers["iv-user"];
String userMail = Request.Headers["iv-user-mail"];
String userIp = Request.Headers["iv-remote-address"];
String userSessionKeyInSSO = Request.Headers["iv-sso-client-uuid"];

PHP code sample:
$userSignInNm = $_SERVER['HTTP_IV_USER'];
$userMail = $_SERVER['HTTP_IV_USER_MAIL'];
$userIp = $_SERVER['HTTP_IV_REMOTE_ADDRESS'];
$userSessionKeyInSSO = $_SERVER['HTTP_IV_SSO_CLIENT_UUID'];

6. replace absolute URLs with relative URLs


Web applications that have no absolute URLs will not have any problems when integrating with ZSSO.

However, some web applications have hard-coded absolute URLs. When integrating such an application with ZSSO, we need to define rules for URL replacement.

7. access statistics and reports

ZSSO has a native access log, access log statistics and trend charts, which means you can know who did what, and when.