Single Sign-On from one MAF Product to another
Dave Hallam
Is there an existing mechanism within the MAF Framework that would allow a user who has subscriptions for 2 MAF products, e.g. Westlaw Ireland and Westlaw UK, to seamlessly authenticate across the two products? i.e. a user who can independently log in to each product only having to log in to one of them.
I know that for Westlaw International, there is a service in place to pass the encrypted credentials from WLUK to Westlaw International to log the user in seamlessly. Does something similar exist for WLUK or any other MAF products? Or some other mechanism?
Many thanks in advance.
Accepted answers
Emiliano Claria
If both products are sharing the authentication domain in Prism and the user has the same guid in them, then regular PrismSSO could be used.
If the userGuid is different in both products I think this falls under the use cases for [OnePass][1], which is already implemented in MAF but I'm not sure that there are any applications in production that are using it.
EDIT (Just in case you find this useful)
To use PrismSSO in MAF you need to configure two things (both in Spring configuration):
- CreatePrismSsoTokenHandler as a PostAuthenticationHandler. This will create an SSO token after the user logs in.
- AuthenticationStrategySSO as an AuthenticationStrategy (maybe you'll need to use AuthenticationStrategySelector).
After that, you just need to point the user to the signon page with the token parameter that gets populated in the session, e.g.
http://westlawireland.com/maf/app/authentication/signon?{tokenParameter}={tokenInSession}[&redirect={targetPage}]
[1]: http://nsawiki.int.westgroup.com/wiki/index.php/MAF/OnePass
All comments
Dave Hallam
Thanks Emiliano. Where can I find out more about PrismSSO?
Ferraz
David, there's plenty of info here:
http://nsawiki.int.westgroup.com/wiki/index.php/Prism_SAML_SSO
unknown
Just an FYI for those that don't know. MAF is moving to use OnePass for its authentication. This will be a migration, but once it is complete, the OnePass system has functionality to seamlessly move between all OnePass products, as long as a user is registered for that product.
The first products that will be starting to use OnePass are Westlaw AU and Westlaw NZ.
For more information about OnePass, see our location on [The Hub][1].
[1]: https://thehub.thomsonreuters.com/groups/onepass
Gerry King
Hmmm, the Wiki is not very clear...
Ignore WL Scandinavia - they have their own external authentication service.
At present WLUK uses the AuthenticationStrategySelector which configures a list of strategies to try first (in list order) and then a default.
China, LaLey and ANZ use the AuthenticationStrategyMultipleSelector which configures the list of strategies in a different way.
I suspect that you want WLUK to add AuthenticationStrategySSO to the end of the list of strategies it supports and add the necessary config to add "CreatePrismSsoTokenHandler as a PostAuthenticationHandler" as Emiliano suggests (see AlertCtr).
When I say 'you' I guess WLUK need to make the change. I'd ask Andy Halford to do it. He handles the UK academic SSO's and is based in Yorkshire.
This was supposed to be a comment on Emiliano's answer, but it is too long to be a comment...