We have successfully integrated SSO (Single Sign-On) from Luminis with our new Exchange 2007 server. Doing this requires some modification to the examples provided by SunGard, as only Exchange 2003 is "officially" supported.
Doing so requires modifying 2 files, as well as making some changes with the LDAP frontend utility, configman. Also, be sure that your "entry page" into Exchange 2007 is using forms-based authentication. The meaning was confusing to us at first, so we did some research. It turns out that Exchange 200x OWA supports either forms-based authentication or plain HTTP authentication (Basic, Digest or Integrated Windows) handled at the web server (IIS) level. If you are taken to a page with a "username" field, a "password" field and a submit button, this is forms-based. If you are prompted with a browser popup box (and there is no page source to view), IIS is doing HTTP authentication, and SSO into Exchange cannot be used without changes outside of Luminis, because the pickup page below works by POSTing the credentials to the forms-based logon handler.
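The check above can be made without guessing from the browser: look at the raw response the OWA URL returns. A forms-based front end answers a GET for /owa with a 302 to /owa/auth/logon.aspx (or a 200 carrying a form whose action is owaauth.dll), while IIS-level HTTP authentication answers 401 with one or more WWW-Authenticate headers. The script below is an added example, not code from the original post or from Luminis; the sample responses are constructed to resemble what an Exchange 2007 front end returns, using the oi.clayton.edu hostname from the configuration above, and the exact header values on your server may differ.

```python
"""Classify an OWA entry point as forms-based or HTTP (IIS-level) authentication.

Added example, not part of the original post or of Luminis/Exchange.
"""
import re
import urllib.error
import urllib.request
from dataclasses import dataclass, field

FBA_LOGON_PATH = "/owa/auth/logon.aspx"       # OWA 2007 forms-based logon page
FBA_LOGON_HANDLER = r"owaauth\.dll"           # POST target used by the pickup page


@dataclass
class Response:
    status: int
    headers: list = field(default_factory=list)   # list of (name, value) pairs
    body: str = ""


def _header_values(resp, name):
    return [v for n, v in resp.headers if n.lower() == name.lower()]


def classify_owa_auth(resp):
    """Return ("forms", []), ("http-auth", [schemes...]) or ("unknown", [])."""
    if resp.status == 401:
        # e.g. "Basic realm=..." -> "Basic"; Negotiate/NTLM mean Integrated Windows
        schemes = [v.split()[0] for v in _header_values(resp, "WWW-Authenticate")]
        return ("http-auth", schemes)
    if resp.status in (301, 302, 303, 307):
        location = " ".join(_header_values(resp, "Location")).lower()
        if FBA_LOGON_PATH in location:
            return ("forms", [])
    if resp.status == 200 and re.search(
            r'<form\b[^>]*action="[^"]*' + FBA_LOGON_HANDLER + '"', resp.body, re.I):
        return ("forms", [])
    return ("unknown", [])


class _NoRedirect(urllib.request.HTTPRedirectHandler):
    # Returning None makes urllib raise HTTPError for 3xx instead of following it.
    def redirect_request(self, req, fp, code, msg, headers, newurl):
        return None


def fetch(url, timeout=10):
    """GET url without following redirects; 3xx/4xx are returned as Response too."""
    opener = urllib.request.build_opener(_NoRedirect)
    try:
        with opener.open(url, timeout=timeout) as r:
            return Response(r.status, list(r.headers.items()),
                            r.read().decode("utf-8", "replace"))
    except urllib.error.HTTPError as e:
        return Response(e.code, list(e.headers.items()),
                        e.read().decode("utf-8", "replace"))


# Constructed sample responses (not captured from a real server).
SAMPLE_FBA_REDIRECT = Response(302, [
    ("Location", "https://oi.clayton.edu/owa/auth/logon.aspx?url=https://oi.clayton.edu/owa&reason=0")])
SAMPLE_FBA_PAGE = Response(200, [("Content-Type", "text/html")],
    '<html><body><form action="/owa/auth/owaauth.dll" method="post" name="logonForm">'
    '<input name="username"><input name="password" type="password"></form></body></html>')
SAMPLE_HTTP_AUTH = Response(401, [
    ("WWW-Authenticate", "Negotiate"),
    ("WWW-Authenticate", "NTLM"),
    ("WWW-Authenticate", 'Basic realm="oi.clayton.edu"')], "")

if __name__ == "__main__":
    for name, sample in (("redirect", SAMPLE_FBA_REDIRECT),
                         ("page", SAMPLE_FBA_PAGE),
                         ("popup", SAMPLE_HTTP_AUTH)):
        print(name, classify_owa_auth(sample))
    # Live check (needs network): print(classify_owa_auth(fetch("https://oi.clayton.edu/owa")))
```

Only the "forms" outcome is usable with the pickup page below; a "http-auth" result with Basic, NTLM or Negotiate means the OWA virtual directory must be switched to forms-based authentication first.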
The snippet below outlines the changes that we made to the mowa.properties file:
mowa.externalSystemName = mowa
mowa.protocol = https
mowa.hostname = oi
mowa.domain = .clayton.edu
mowa.port = 443
mowa.externalSystemHttpBase = ${mowa.protocol}://${mowa.hostname}${mowa.domain}:${mowa.port}
mowa.externalSystemURL = ${mowa.externalSystemHttpBase}/owa
mowa.loginUrl = ${mowa.externalSystemHttpBase}/owa/auth/owaauth.dll
mowa.coursemap.enabled = false
mowa.operations = ${SSOROOT}/config/mowa.xml
mowa.pickup.response = \
<html><head><title>MOWA Integration</title> </head>
<body onload="javascript:document.newwinform.submit()">
<img src="http://lumtest.clayton.edu/custom/csu/images/indicator_verybig.gif" />
<form action="${mowa.loginUrl}" method="post" name="newwinform">
<input type="hidden" name="username" value="~{_USERNAME}">
<input type="hidden" name="password" value="~{_PASSWORD}">
<input type="hidden" name="destination" value="${mowa.externalSystemURL}">
<input type="hidden" name="flags" value="0">
<input type="hidden" name="isUtf8" value="Log+On">
<input type="hidden" name="trusted" value="0">
<input type="hidden" id="chkBsc" value="off">
</form></body></html>
Specifically, pay attention to the "mowa.externalSystemURL" and "mowa.loginUrl" variables, as these have changed since Exchange 2003. We have also completely rewritten the "mowa.pickup.response" value. We now point to "owa" as the directory suffixed to our location instead of "exchweb", and this change is reflected in the SystemURL as well. For additional explanation (however terse), take a gander at page 5.64 of the "Luminis platform installation guide" (Version F). Two caveats about the pickup page itself. First, it carries the user's username and plaintext password in hidden form fields and submits them automatically on load, so it must only ever be served over HTTPS (hence mowa.protocol = https above). Second, we have added an image to the form; it is just a spinner to indicate that the page is loading, but because it is fetched over plain http:// from inside an https page, browsers will flag it as mixed content, so either serve it from an https URL or leave it out. Also note that the "chkBsc" input has an id but no name attribute, so the browser never submits it; it is harmless but does nothing.
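To see exactly what the pickup page does once Luminis has substituted the placeholders, the script below renders the same mowa.pickup.response template, collects the fields a browser would submit to owaauth.dll, and scans the page for resources loaded over plain http. This is an added example, not code from the original post or from Luminis; it assumes the ~{_USERNAME} and ~{_PASSWORD} substitution is a plain textual replacement, so it HTML-escapes the values before inserting them (whether Luminis escapes them itself is not stated on the page), and it uses the oi.clayton.edu URLs from the configuration above.

```python
"""Render the MOWA pickup page and show what the browser POSTs to owaauth.dll.

Added example, not part of the original post or of Luminis.
"""
import html
import re
from urllib.parse import urlencode

# Values of ${mowa.loginUrl} and ${mowa.externalSystemURL} from mowa.properties.
LOGIN_URL = "https://oi.clayton.edu/owa/auth/owaauth.dll"
DESTINATION = "https://oi.clayton.edu/owa"

# The page's mowa.pickup.response, placeholders left as Luminis sees them.
PICKUP_TEMPLATE = """<html><head><title>MOWA Integration</title> </head>
<body onload="javascript:document.newwinform.submit()">
<img src="http://lumtest.clayton.edu/custom/csu/images/indicator_verybig.gif" />
<form action="${mowa.loginUrl}" method="post" name="newwinform">
<input type="hidden" name="username" value="~{_USERNAME}">
<input type="hidden" name="password" value="~{_PASSWORD}">
<input type="hidden" name="destination" value="${mowa.externalSystemURL}">
<input type="hidden" name="flags" value="0">
<input type="hidden" name="isUtf8" value="Log+On">
<input type="hidden" name="trusted" value="0">
<input type="hidden" id="chkBsc" value="off">
</form></body></html>"""


def render_pickup(username, password):
    """Substitute the placeholders; credentials are escaped so that a quote or
    angle bracket in a password cannot break out of the value attribute
    (assumption: Luminis performs a literal replacement)."""
    subst = {
        "${mowa.loginUrl}": LOGIN_URL,
        "${mowa.externalSystemURL}": DESTINATION,
        "~{_USERNAME}": html.escape(username, quote=True),
        "~{_PASSWORD}": html.escape(password, quote=True),
    }
    page = PICKUP_TEMPLATE
    for placeholder, value in subst.items():
        page = page.replace(placeholder, value)
    return page


def form_fields(page):
    """name -> value for every <input> that has a name attribute. Inputs with
    only an id (like chkBsc above) are never submitted by a browser."""
    fields = {}
    for tag in re.findall(r"<input\b[^>]*>", page, re.I):
        name = re.search(r'\bname="([^"]*)"', tag)
        value = re.search(r'\bvalue="([^"]*)"', tag)
        if name:
            fields[name.group(1)] = html.unescape(value.group(1) if value else "")
    return fields


def post_body(page):
    """The application/x-www-form-urlencoded body sent to owaauth.dll on submit."""
    return urlencode(form_fields(page))


def non_https_resources(page):
    """Absolute http:// URLs in src/href/action attributes: these are mixed
    content when the pickup page itself is served over https."""
    return re.findall(r'\b(?:src|href|action)="(http://[^"]+)"', page, re.I)


if __name__ == "__main__":
    page = render_pickup("bsimpson", 'p"ss<word&')   # constructed test credentials
    print(page)
    print("POST", LOGIN_URL)
    print(post_body(page))
    print("mixed content:", non_https_resources(page))
```

The POST body is the whole "SSO": the user's password crosses the wire once more, from the browser to the Exchange front end, so the TLS on mowa.protocol = https is what protects it, and the mixed-content scan tells you whether the page will also trigger browser warnings.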
After updating this file, save and close it (the configman change is described further down). Next, add "mowa.properties" to the cpipconnector.properties file so that CPIP knows MOWA is in use. To do this, set the following variable to the value below:
property.files=mowa.properties
(We had other values set for property.files, which is fine; just separate them with commas.)
To apply these changes, restart the portal with the infamous "stopcp ; startcp".
Ok, if you are working ahead of this document, you might be disappointed to discover that MOWA still isn't working properly. This is because we still have to specify which users have access to MOWA, and import the external system's credentials into the Luminis "secret store" (LDAP).
Instead of assigning permissions directly to users, we assign the permission to a group, then add the user(s) who will use MOWA to that group. For our purposes, we created one new group, "owaemp", and granted it the permissions "Mowa" and "MOWA_SSO" (apparently the capitalization isn't important). This can be done inside Luminis as an admin user by clicking on the "Admin" button. Take a few minutes to familiarize yourself with this interface if you haven't already done so; it can be quite frustrating for first-time users to get the hang of.
Ok, now MOWA is enabled and the permissions are set, but wait: how does Luminis know what the user's Exchange 2007 username and password are? At the moment we do not have Active Directory validation working, so we hard-coded the username/password information in a file in the following format:
<PROPERTY name="ExternalAccount">mowa|bsimpson|password</PROPERTY>
Note that this file holds each user's Exchange password in plaintext: create it with permissions that allow only the account running the import to read it, and remove it once the import has succeeded. Import the file into Luminis using the following command:
cptool import file <filename>
Because the same "bsimpson" is used both to log in to MOWA and to look up system permissions in Luminis, it is important that the two sources use the same username convention.
One last snag: when I logged in as "bsimpson" and clicked on the portal's email icon, the default email client launched instead of logging me into MOWA. After kicking some things around my desk for a time, I found that changing the configuration variable "mua.override.mowa" to "mowa" changed the email icon universally in the system. Less than ideal, but this will get you through the metaphorical "hello world" of MOWA SSO.
If you have any problems and would like to see a log of the authentication, check the file "$CP_ROOT/logs/session.log". The information may or may not be useful in your troubleshooting.
Good luck!
Comments
question - please
Ben,
First, thanks for the information you posted on LumDev, Successful Integration with Mowa 2007.
I followed your instructions and it worked great.
We have run into one big issue.
SSO from Lum IV to Mowa 07 works great while you are on our network.
When you are off our network, we get the standard IE page not found error when trying to access mowa via the portal.
I got our network admin involved. He says it appears that all of the appropriate ports are open in our firewall, and that all DNS entries are correct.
Did you have this issue?
Any help would be greatly appreciated; this is a very ‘hot’ issue for me to resolve.
Thanks in advance,
Marcy
Marcy Gadagno
Lander University
Information Technology Services
mgadagno@lander.edu
864.388.8747
port
Ben, we did not have port 8008 open.
Thanks again for your post.
Marcy
owa 2007 modes ?
Hi,
I think there are two modes ("Use Outlook Web Access Light") of operation of OWA 2007: one you get in IE and one in Firefox.
Does the SSO above allow IE to get the non-light version?
thanks
Rich