Exchange integration into WebSphere Portal (SSO – Kerberos)
During the last years working with Portal I have had several challenges with WebSphere Portal's HTTP Outbound Proxy (aka Ajax Proxy) when it comes to authenticating backend calls to various other systems.
What we've done so far in terms of SSO / backend authentication:
– Authenticating using LTPAToken
– Authenticating using SAML
– Authenticating using SPNEGO / Kerberos (this was a new one for me)
The challenge this time was to bring Exchange mailboxes and calendar data into Portal. There is no out-of-the-box integration (well, some really old portlets that are more or less unusable), so we decided to write our own portlets using the Independentsoft (JWebServices) API, which provides access to EWS.
The problem was "how to authenticate users towards Exchange?"
The solution: Kerberos and the HTTP Outbound Proxy. The approach is similar to what IBM Connections Mail uses when integrating Exchange backends. Michele Buccarello wrote a great guide, "IBM Connections Mail Plugin Configuration with Exchange Backend". Thanks also to Michele, who was a great help when dealing with Kerberos delegation.
So how does it work?
A user logs in to Portal using Kerberos and a Kerberos token is granted. If you now access Exchange Web Services (using the services file that describes the contract between client and server), you can use the Outbound Proxy URL for testing:
Through delegation of Kerberos tokens, the Outbound Proxy takes the token from the current session and sends it to Exchange, which logs the user in.
So how did I implement this?
1. Enabled Kerberos on Exchange side (will not be described here)
2. Enabled SPNEGO and Kerberos on Portal side
3. Enabled Token delegation for the portal SPN User
4. Configured the HTTP Outbound Proxy to pass the Kerberos token through
<?xml version="1.0" encoding="UTF-8"?>
<proxy-rules xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
    xsi:noNamespaceSchemaLocation="http://www.ibm.com/xmlns/prod/sw/http/outbound/proxy-config/2.0">
  <mapping contextpath="/myproxy" url="*">
    <policy url="https://exchange.server.com/*" basic-auth-support="true">
      <actions>
        <method>GET</method>
        <method>POST</method>
      </actions>
      <meta-data>
        <name>hpaa.authtype</name>
        <value>spnego</value>
      </meta-data>
    </policy>
  </mapping>
</proxy-rules>
You then need to activate the policy using the CE task:
./ConfigEngine.sh update-outbound-http-connection-config -DConfigFileName=/ibm/install/proxy_rules/spnego_proxy.xml
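As an added sanity check (not part of the original post and not IBM tooling), a small Python linter that parses a proxy-rules file in the format above and flags policies that would forward credentials to a cleartext backend, lack the spnego authtype, or allow more methods than the Exchange integration needs. The embedded XML is constructed: it repeats the policy from the post and adds a second, deliberately weak policy to show the findings.

```python
import xml.etree.ElementTree as ET

# Constructed sample: the spnego policy from the post plus a second policy
# that illustrates the findings the checker reports (hypothetical hostname).
SAMPLE_PROXY_RULES = """<?xml version="1.0" encoding="UTF-8"?>
<proxy-rules xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
    xsi:noNamespaceSchemaLocation="http://www.ibm.com/xmlns/prod/sw/http/outbound/proxy-config/2.0">
  <mapping contextpath="/myproxy" url="*">
    <policy url="https://exchange.server.com/*" basic-auth-support="true">
      <actions><method>GET</method><method>POST</method></actions>
      <meta-data><name>hpaa.authtype</name><value>spnego</value></meta-data>
    </policy>
    <policy url="http://legacy.example.internal/*" basic-auth-support="true">
      <actions><method>GET</method><method>POST</method><method>DELETE</method></actions>
    </policy>
  </mapping>
</proxy-rules>"""

ALLOWED_METHODS = ("GET", "POST")  # what the EWS portlets in the post need


def check_proxy_rules(xml_text):
    """Return a list of (policy_url, finding) tuples for a proxy-rules document."""
    findings = []
    root = ET.fromstring(xml_text)
    for policy in root.iter("policy"):
        url = policy.get("url", "")
        https = url.startswith("https://")
        basic_auth = policy.get("basic-auth-support", "false").lower() == "true"
        meta = {m.findtext("name"): m.findtext("value") for m in policy.iter("meta-data")}
        # A delegated Kerberos ticket (or a basic-auth header) is a credential;
        # the proxy must only hand it to the backend over TLS.
        if not https:
            findings.append((url, "backend url is not https"))
        # Without hpaa.authtype=spnego the proxy will not pass the ticket through.
        if meta.get("hpaa.authtype") != "spnego":
            findings.append((url, "hpaa.authtype is not spnego"))
        if basic_auth and not https:
            findings.append((url, "basic-auth-support enabled on a cleartext policy"))
        for method in policy.iter("method"):
            if method.text not in ALLOWED_METHODS:
                findings.append((url, "unexpected method " + method.text))
    return findings


if __name__ == "__main__":
    for policy_url, finding in check_proxy_rules(SAMPLE_PROXY_RULES):
        print(policy_url, "->", finding)
```

Run it against the file you pass to update-outbound-http-connection-config before activating the policy; an empty result means every policy matches the shape used in the post.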
After restarting the server, the result looks like this:
Pretty cool 😉 A custom Exchange portlet that looks nice and offers a great preview of mails and calendar entries.