ARIS - SHARE YOUR IDEAS
Status Open for voting
Created by Guest
Created on Mar 13, 2022

Second Tenant Cannot Use Different Active Directory for Kerberos based SSO

Under the advice that an ARIS tenant is defined as:
“A “tenant” is a client organization sharing utilization of a single software instance on a server with other tenants, having dedicated, separated tenant data and utilizing the provided standard or limited customized virtual application instance. A multi-tenant system is a software architecture where a single instance of the Software runs on a server serving multiple client organizations and/or multiple departmental organizations within one client (tenants). With a multi-tenant architecture, the software application is designed to virtually partition its data and configuration, and each client organization works with a standard or very limited customized virtual application instance. A single-tenant system is a software architecture where the tenant is provided with a single and dedicated instance of the Software with full configurability of the Software, own database, enhanced security and an individual or segregated virtual server installation (with security controls).”

DHS have tried to enable SSO via Kerberos (see Support Incident 5368801: "Kerberos SSO stops working after login in other tenant"). Is there a way to enable multiple tenants (e.g. Default, New tenant) to have SSO working while talking to two Active Directory realms, e.g. a different KDC and realm for each?

Is there a patch/fix/version upgrade that would enable it to work?

Here is the text from their support incident:

DHS have configured Kerberos SSO on 2 tenants (default and .

They use a different KDC, realm, principal, key table and configuration file.

We are able to log in via SSO to the default tenant after an ACC startall, e.g. http://:8080/umc/?tenant=default
However, after logging into the other tenant (e.g. newTenant, e.g. http://:8080/umc/?tenant= ), the Kerberos SSO stops working on the default tenant.

Please find attached partial log from ARIS\server\bin\work\work_umcadmin_l\base\logs\umc.txt with Kerberos debug ticked.

1. User logs into default tenant UMC via SSO - works
2. User opens the URL; Kerberos gives an error as the user is not in newTenant.
3. User logs into the as system user - works
4. Log out of
5. User tries to log into the default tenant UMC via SSO - fails
6. User tries to log into the default tenant UMC via username and password - works

Resolution - Solution Provided

Type: Configuration


These are the prerequisites for Kerberos LDAP:

• UMC authenticates against LDAP
• User has a valid AD account and exists in UMC
• A service principal name (SPN) for ARIS server is registered in AD
• Client machine is bound to same AD as UMC
• Web browser supports Kerberos-based user authentication (IE, Chrome, FF, Safari)
• Web browser is configured properly

Both tenants need to be connected to the same AD and this is not fulfilled in your scenario.


Brainstorm ID 7165
Created on Brainstorm 07/18/2019 05:22 PM