Purpose

This document describes the installation of the Avoka Single Sign On solution for Adobe LiveCycle ES Workspace. Please refer to our website http://www.avoka.com/avoka/single_signon.shtml for product description.

Installation

The installation requires knowledge and preparation of your Active Directory environment, along with the installation to your LiveCycle server.

Preparing your Active Directory Environment

Requirements

• Name or IP address of the domain controller
• Name of your AD domain
• Share name. A file share needs to be created on your domain controller. This file share should be given read access to everyone logging into workspace. This may be the everyone security group, or a security group containing only the Adobe LiveCycle users.
  • On the domain controller, create a folder AvokaSSO. Share the folder with the everyone group having read access. Set the security tab, everyone group has read access.
    
    

• Username and Password for authentication with Active Directory. We recommend that you use the same user credentials that was used in the LiveCycle to synchronize users with Active Directory.
• Adobe Domain (mapping) Name. This was assigned in the Domain Management section of the Adminui. It is the value in the id column (ref to the picture below).
  

• The LiveCycle server needs to be a member of the domain. This is required for domain clients (windows pc) that are logging into workspace using Internet Explorer, to automatically pass the NTLM credentials to the Adobe LiveCycle server.

Single Sign On Components

The Avoka Single Sign On solution requires a modified adobe-livecycle-<appserver>.ear/adobe-workspace-runtime.war - This WAR file service requests between Workspace flex client and the LiveCycle server. It also responsible for authenticating the client.

The installation contain: avoka-workspace-sso.jar, avoka8utils.jar, jcifs-1.2.18.jar and a modification to web.xml. You are required to edit web.xml to suit your AD environment.

Please download the latest version of Avoka Single Sign On from http://www.avoka.com/avoka/single_signon.shtml

LiveCycle Server Installation steps:

1. Unzip the downloaded AvokaWorkspaceSSO_NTLM_x.x.zip into a folder in your hard drive.
2. The unzipped folder contains a config\WEB-INF\web.xml. Edit this file to make the property settings appropriate for your environment.
   • domainController
   • logonShare
   • domain
   • username
   • password
3. Do either one of the followings:
   1. Provided that you have 7zip program installed (Note: 7-zip can be downloaded here http://www.7-zip.org/), do these:
      • The unzipped folder contains a batch file, called build.bat. Edit the first few lines so that it points to your server deploy directory and specify the directory for the 7zip tool, and save it.
      • Run the build.bat and it should create a deploy folder containing the updated livecycle.ear file ready to be deploy to your application server. Remember to undeploy the previous one before the redeployment.
   2. Alternatively, if you are very brave you can manually edit the livecyle.ear to inject in new files to it.
      • Undeploy adobe-livecycle-<appserver>.ear. Browse the content of this EAR file to locate adobe-workspace-runtime.war. Browse the content of this WAR file, under WEB-INF overwrite the existing web.xml with one edited under config/WEB-INF/web.xml; and finally copy avoka-workspace-sso.jar , avoka8utils.jar and jcifs-1.2.18.jar found on config/WEB-INF/lib into WEB-INF/lib. Make sure that your WAR file is propertly modified and saved, and in turn the outer EAR file is also modified and saved reflecting all the changes you just made and added. Redeploy this modified adobe-livecycle-<appserver>.ear.
4. Restart application server.

Configuring Avoka License

Without a valid license key, the Single Sign On solution will operate for up to 100 logins or 6 hours, after which LiveCycle will need to be restarted. This allows the solution to be used for evaluation and development purposes. Production licenses can be purchased online directly from this web site or by contacting your local Avoka Sales representative.
The license key and license organization need to be inserted in the web.xml. This requires redeployment as per the steps above.
If an invalid license key has been entered or

Configuring IE and Firefox

As described above a Windows PC that is a member of a domain will automatically pass the NTLM credentials to a server that is a member of the domain.

By default Firefox does not trust any server and will not pass on the NTLM credentials to any server. This mean any web apps that are running in firefox will pop up a credential dialog box every time the user connects to the server.

Firefox can be changed to trust server(s) by by the setting below:

• In the address bar in Firefox, type "about:config"
• This will show all the settings for Firefox. In this list find this key "network.automatic-ntlm-auth.trusted-uris." This is a comma-delimited list of all host names that you want to use NTLM with.
• Just enter your host names like this: "adobeServer, anotherServer".
• If you add an item like ".yourDomain.local" to these config lists, it will do catch all NTLM auto-auth. This is important if there are several internal servers and I you don't want to list them all.

Known Issues

• Does not support multiple LDAP Domains.
• Logging out of Workspace automatically logs you back in.
• If this solution is to be installed along with other LiveCycle ES Workspace products such as the Workspace Enquiry Tool, the web.xml may required to merged. Please contact Avoka (support@avoka.com) for assistance.

Future Enhancements

Support for multiple active directory domains