com.crystaldecisions.sdk.plugin.authentication.secwinad
Interface IsecWinADBase

All Known Subinterfaces:
IsecWinAD

public interface IsecWinADBase

This interface provides properties that map Active Directory (AD) principals (users or groups) to SAP BusinessObjects Enterprise, and it also supports both AD and Kerberos single sign-on (SSO) authentication.

The Kerberos protocol is a component of Windows AD that provides mutual authentication between the client and server. If trusted communication is established between two parties, the Key Distribution Center (KDC) grants the principal a session ticket (security context). This session ticket grants SSO access to all applications and services that are integrated with Windows AD.


Field Summary
static java.lang.String PROGID
          The ProgID for the secWinAD Class.
 
Method Summary
 java.lang.String getAdminName()
           Returns an Active Directory user account in the following format DOMAIN\ACCOUNTNAME.
 int getAttributeBindingPriority()
           Returns the plugin's priority to bind user attributes to an external source.
 int getAvailability()
           Returns the state of Windows Active Directory (AD) authentication: unloaded (-1), enabled (0), or disabled (1).
 java.lang.String getDefaultDomain()
           Returns the default Active Directory (AD) domain used to authenticate users and map groups.
 java.lang.String getDefaultUserLicenseRestrictionCUID()
           Returns the default License Restriction for newly created users.
 java.lang.String getMappedGroups()
           Returns a semicolon-separated string of Active Directory UserGroupAlias instance IDs (SIDs).
 java.lang.String getServicePrincipalName()
           Returns the service principal name (SPN).
 int getSSOAccessMode()
           Returns the Policy Server access mode for single sign-on authentication.
 java.lang.String getSSOAgent()
           Returns the single sign-on (SSO) agent used with SiteMinder.
 java.lang.String getSSOServersAndPorts()
           Returns the host name and the three port numbers for the Policy Server(s).
 int getSSOVendor()
           Returns the third-party vendor that is used for single sign-on authentication.
 boolean isAliasAutoAdd()
           Returns a boolean that indicates whether to add a secWinAD alias to an existing SAP BusinessObjects Enterprise user.
 boolean isAttributeBindingEnabled()
           Returns a boolean to indicate whether the attribute binding is enabled.
 boolean isCacheSecurityContext()
           Returns a boolean that indicates whether the security context (session ticket) for Kerberos authentication is stored in the server's cache.
 boolean isCreateNamedUsers()
           Returns a boolean that indicates whether new users are created as named or concurrent.
 boolean isImportUsers()
           Returns a boolean that indicates whether user aliases should be imported when mapping Active Directory (AD) groups.
 boolean isKerberosEnabled()
           Returns a boolean that indicates whether Kerberos single sign-on (SSO) authentication is enabled.
 boolean isSSOEnabled()
           Returns a boolean that indicates whether single sign-on authentication (SSO) is enabled.
 void setAdminName(java.lang.String value)
           Sets an Active Directory user account in the following format DOMAIN\ACCOUNTNAME.
 void setAdminPassword(java.lang.String value)
           Sets the Active Directory administrator password.
 void setAliasAutoAdd(boolean value)
           Sets a boolean that indicates whether to add a secWinAD alias to an existing SAP BusinessObjects Enterprise user.
 void setAttributeBindingEnabled(boolean isEnabled)
           Enables or disables the attribute binding.
 void setAttributeBindingPriority(int value)
           Sets the plugin's priority to bind user attributes to an external source.
 void setAvailability(int value)
           Sets the state of Windows Active Directory (AD) authentication: unloaded (-1), enabled (0), or disabled (1).
 void setCacheSecurityContext(boolean value)
           Sets a boolean that indicates whether the security context (session ticket) for Kerberos authentication is stored in the server's cache.
 void setCreateNamedUsers(boolean value)
           Sets a boolean that indicates whether new users are created as named or concurrent.
 void setDefaultDomain(java.lang.String value)
           Sets the default Active Directory (AD) domain used to authenticate users and map groups.
 void setDefaultUserLicenseRestrictionCUID(java.lang.String restrictionCuid)
           Sets the default License Restriction for newly created users.
 void setImportUsers(boolean value)
           Sets a boolean that indicates whether user aliases should be imported when mapping Active Directory (AD) groups.
 void setKerberosEnabled(boolean value)
           Sets a boolean that indicates whether Kerberos single sign-on (SSO) authentication is enabled.
 void setMappingGroups(java.lang.String value)
           Sets a semicolon-separated string of Active Directory UserGroupAlias instance IDs (SIDs).
 void setServicePrincipalName(java.lang.String name)
           Sets the service principal name (SPN).
 void setSSOAccessMode(int value)
           Sets the Policy Server access mode for single sign-on authentication.
 void setSSOAgent(java.lang.String value)
           Sets the single sign-on (SSO) agent used with SiteMinder.
 void setSSOEnabled(boolean value)
           Sets a boolean that indicates whether single sign-on authentication (SSO) is enabled.
 void setSSOServersAndPorts(java.lang.String value)
           Sets the host name and the three port numbers for the Policy Server(s).
 void setSSOSharedSecret(java.lang.String value)
           Sets the shared secret used for single sign-on (SSO) authentication.
 void setSSOVendor(int value)
           Sets the third-party vendor that is used for single sign-on authentication.
 

Field Detail

PROGID

static final java.lang.String PROGID

The ProgID for the secWinAD Class.

ProgID: CrystalEnterprise.SEC_WINAD
Query Category: CI_SYSTEMOBJECTS
Associated Interface: com.crystaldecisions.sdk.plugin.authentication.secwinad.IsecWinAD

Query syntax:

SELECT
SI_AVAIL, SI_DEFAULT_DOMAIN, SI_MAPPED_GROUPS, SI_ALIAS_AUTOADD, SI_IMPORT_USERS, SI_CREATE_NAMEDUSERS, SI_SSO_ENABLED, SI_KERBEROS_ENABLED, SI_CACHE_SECCONTEXT, SI_SERVER_SSPI_SPN
FROM
CI_SYSTEMOBJECTS
WHERE
SI_NAME='secWinAD'

Authentication plugins are static and non-creatable. This means that only the plugin itself exists and no instances. As there is only one secWinAD object, and not multiple versions with the same ProgID, the CrystalEnterprise.SEC_WINAD plugin must be retrieved using the SI_NAME property.

The CePropertyIDs named in the SELECT statement are those that are required to access data through the IsecWinAD interface. For more information on their associations with the interface's methods, see IsecWinAD.
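The retrieval described above, followed by a read-only review of the settings this interface exposes, as an added example that is not part of the SDK documentation. The class name `SecWinAdAudit`, the command-line arguments, and the wording of the notes are assumptions; it logs on with Enterprise authentication and uses only getters whose properties appear in the SELECT statement.

```java
import com.crystaldecisions.sdk.exception.SDKException;
import com.crystaldecisions.sdk.framework.CrystalEnterprise;
import com.crystaldecisions.sdk.framework.IEnterpriseSession;
import com.crystaldecisions.sdk.occa.infostore.IInfoObjects;
import com.crystaldecisions.sdk.occa.infostore.IInfoStore;
import com.crystaldecisions.sdk.plugin.authentication.secwinad.IsecWinAD;
import com.crystaldecisions.sdk.plugin.authentication.secwinad.IsecWinADBase;
import java.util.ArrayList;
import java.util.List;

/** Added example (hypothetical class): read-only review of the secWinAD plugin. */
public class SecWinAdAudit {

    // Query from this page; the plugin is located by SI_NAME, not by ProgID.
    static final String QUERY =
        "SELECT SI_AVAIL, SI_DEFAULT_DOMAIN, SI_MAPPED_GROUPS, SI_ALIAS_AUTOADD, "
      + "SI_IMPORT_USERS, SI_CREATE_NAMEDUSERS, SI_SSO_ENABLED, SI_KERBEROS_ENABLED, "
      + "SI_CACHE_SECCONTEXT, SI_SERVER_SSPI_SPN "
      + "FROM CI_SYSTEMOBJECTS WHERE SI_NAME='secWinAD'";

    /** Returns human-readable notes; reads settings only and changes nothing. */
    static List<String> review(IsecWinADBase ad) throws SDKException {
        List<String> notes = new ArrayList<>();

        int avail = ad.getAvailability();   // -1 unloaded, 0 enabled, 1 disabled
        String state = avail == 0 ? "enabled" : avail == 1 ? "disabled"
                     : avail == -1 ? "unloaded" : "unexpected value " + avail;
        notes.add("AD authentication: " + state);
        notes.add("Default domain: " + ad.getDefaultDomain());

        String groups = ad.getMappedGroups();   // semicolon-separated list
        int count = 0;
        if (groups != null) {
            for (String g : groups.split(";")) {
                if (!g.trim().isEmpty()) count++;
            }
        }
        notes.add("Mapped AD groups: " + count);

        if (ad.isKerberosEnabled()) {
            String spn = ad.getServicePrincipalName();
            if (spn == null || spn.trim().isEmpty()) {
                notes.add("CHECK: Kerberos SSO is enabled but no SPN is set");
            } else {
                notes.add("Kerberos SSO enabled, SPN: " + spn);
            }
            if (ad.isCacheSecurityContext()) {
                notes.add("REVIEW: Kerberos security contexts are cached on the server");
            }
        }
        if (ad.isAliasAutoAdd()) {
            notes.add("REVIEW: AD aliases are added to existing Enterprise users of the same name");
        }
        notes.add(ad.isImportUsers()
            ? "User aliases are imported when AD groups are mapped"
            : "User aliases are imported when users log on with AD authentication");
        notes.add("New users are created as " + (ad.isCreateNamedUsers() ? "named" : "concurrent"));
        return notes;
    }

    // Assumed usage: java SecWinAdAudit <cms-host:port> <enterprise-admin-user>
    public static void main(String[] args) throws SDKException {
        if (args.length != 2 || System.console() == null) {
            System.err.println("usage: SecWinAdAudit <cms> <user>  (run from a terminal)");
            return;
        }
        char[] pw = System.console().readPassword("Password: ");
        IEnterpriseSession session = CrystalEnterprise.getSessionMgr()
            .logon(args[1], new String(pw), args[0], "secEnterprise");
        try {
            IInfoStore store = (IInfoStore) session.getService("InfoStore");
            IInfoObjects objs = store.query(QUERY);
            if (objs.size() == 0) {
                System.err.println("secWinAD plugin not found");
                return;
            }
            for (String note : review((IsecWinAD) objs.get(0))) System.out.println(note);
        } finally {
            session.logoff();
        }
    }
}
```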

See Also:
Constant Field Values

Method Detail

getAvailability

int getAvailability()
                    throws SDKException

Returns the state of Windows Active Directory (AD) authentication: unloaded (-1), enabled (0), or disabled (1).

This property can be set to -1, 0, or 1. The default value for this property is 0.

Returns:
An int that identifies the state of AD authentication.
Throws:
SDKException - This is thrown if the process is unsuccessful.
InfoObject properties to query for:
SI_AVAIL

setAvailability

void setAvailability(int value)

Sets the state of Windows Active Directory (AD) authentication: unloaded (-1), enabled (0), or disabled (1).

This property can be set to -1, 0, or 1. The default value for this property is 0.

Parameters:
value - An int that specifies the state of AD authentication.

getDefaultDomain

java.lang.String getDefaultDomain()
                                  throws SDKException

Returns the default Active Directory (AD) domain used to authenticate users and map groups.

This property is used to locate a user or a group when only its name, and not its Active Directory name, is specified during logon. For example, if the default domain is set to "TestDomain", then a user who logs on as "jdoe" is logged on as "TestDomain\jdoe".

The DefaultDomain property is also used when mapping Active Directory groups to UserGroups. If you do not specify a domain name when you add a third-party group alias to a UserGroup instance, the domain specified by this property is assumed.

Returns:
A String that identifies the default domain.
Throws:
SDKException - This is thrown if the process is unsuccessful.
InfoObject properties to query for:
SI_DEFAULT_DOMAIN

setDefaultDomain

void setDefaultDomain(java.lang.String value)

Sets the default Active Directory (AD) domain used to authenticate users and map groups.

This property is used to locate a user or a group when only its name, and not its Active Directory name, is specified during logon. For example, if the default domain is set to "TestDomain", then a user who logs on as "jdoe" is logged on as "TestDomain\jdoe".

The DefaultDomain property is also used when mapping Active Directory groups to UserGroups. If you do not specify a domain name when you add a third-party group alias to a UserGroup instance, the domain specified by this property is assumed.

Parameters:
value - A String that specifies the default domain.

getMappedGroups

java.lang.String getMappedGroups()
                                 throws SDKException

Returns a semicolon-separated string of Active Directory UserGroupAlias instance IDs (SIDs).

When an Active Directory group SID is added to the list of mapped groups, all global user accounts in the group are mapped to Enterprise user accounts as follows:

If the mapped Active Directory group contains other groups, the nested groups are not mapped, but the global user accounts they contain are mapped.

Returns:
A String that identifies the mapped groups.
Throws:
SDKException - This is thrown if the process is unsuccessful.
InfoObject properties to query for:
SI_MAPPED_GROUPS

setMappingGroups

void setMappingGroups(java.lang.String value)

Sets a semicolon-separated string of Active Directory UserGroupAlias instance IDs (SIDs).

When an Active Directory group SID is added to the list of mapped groups, all global user accounts in the group are mapped to Enterprise user accounts as follows:

If the mapped Active Directory group contains other groups, the nested groups are not mapped, but the global user accounts they contain are mapped.

Parameters:
value - A String that specifies the mapped groups.

getAdminName

java.lang.String getAdminName()
                              throws SDKException

Returns an Active Directory user account in the following format DOMAIN\ACCOUNTNAME.

To authenticate users and map user groups, the secWinAD plugin must query and view global catalogs. Therefore, AdminName must be a global user account. The domain of the user account is not optional. You must specify a correct domain name to successfully map Active Directory user groups to SAP BusinessObjects Enterprise.

Returns:
A String that identifies the administrator name.
Throws:
SDKException - This is thrown if the process is unsuccessful.
InfoObject properties to query for:
SI_APS_ADMIN_DN

setAdminName

void setAdminName(java.lang.String value)

Sets an Active Directory user account in the following format DOMAIN\ACCOUNTNAME.

To authenticate users and map user groups, the secWinAD plugin must query and view global catalogs. Therefore, AdminName must be a global user account. The domain of the user account is not optional. You must specify a correct domain name to successfully map Active Directory user groups to SAP BusinessObjects Enterprise.

Parameters:
value - A String that specifies the administrator name.

setAdminPassword

void setAdminPassword(java.lang.String value)
                      throws SDKException

Sets the Active Directory administrator password.

Parameters:
value - A String that specifies the password.
Throws:
SDKException - This is thrown if the process is unsuccessful.

isAliasAutoAdd

boolean isAliasAutoAdd()
                       throws SDKException

Returns a boolean that indicates whether to add a secWinAD alias to an existing SAP BusinessObjects Enterprise user.

Returns:
true if the third-party alias is assigned to an existing user. A new user instance is created for users who do not have an existing Enterprise account. false if a new user instance is created for all users in the third-party group that are mapped to SAP BusinessObjects Enterprise.
Throws:
SDKException - This is thrown if the process is unsuccessful.
InfoObject properties to query for:
SI_ALIAS_AUTOADD

setAliasAutoAdd

void setAliasAutoAdd(boolean value)

Sets a boolean that indicates whether to add a secWinAD alias to an existing SAP BusinessObjects Enterprise user.

If this property is set to true, a secWinAD alias is assigned to the existing SAP BusinessObjects Enterprise user account. However, the user accounts for SAP BusinessObjects Enterprise and Active Directory (AD) must be identified by the same name and user credentials.
Note: If the mapped Active Directory (AD) user does not have an associated SAP BusinessObjects Enterprise account (with the same name) and this property is set to true, then a new SAP BusinessObjects Enterprise user account will be created for this user.

If this property is set to false, a new user account with an associated secWinAD alias will be created for all users in the AD group that are mapped to SAP BusinessObjects Enterprise.

Parameters:
value - A boolean that specifies whether aliases will be automatically added.

isImportUsers

boolean isImportUsers()
                      throws SDKException

Returns a boolean that indicates whether user aliases should be imported when mapping Active Directory (AD) groups.

Returns:
true if user aliases are imported when AD groups are mapped to SAP BusinessObjects Enterprise. false if user aliases are imported when users log on to SAP BusinessObjects Enterprise using AD authentication.
Throws:
SDKException - This is thrown if the process is unsuccessful.
InfoObject properties to query for:
SI_IMPORT_USERS

setImportUsers

void setImportUsers(boolean value)

Sets a boolean that indicates whether user aliases should be imported when mapping Active Directory (AD) groups.

Parameters:
value - A boolean that specifies whether user aliases should be imported when mapping AD groups.

isCreateNamedUsers

boolean isCreateNamedUsers()
                           throws SDKException

Returns a boolean that indicates whether new users are created as named or concurrent.

Returns:
true if new users are created as named, and false if new users are created as concurrent.
Throws:
SDKException - This is thrown if the process is unsuccessful.
InfoObject properties to query for:
SI_CREATE_NAMEDUSERS

setCreateNamedUsers

void setCreateNamedUsers(boolean value)

Sets a boolean that indicates whether new users are created as named or concurrent.

Parameters:
value - A boolean that specifies whether new users are created as named or concurrent.

isKerberosEnabled

boolean isKerberosEnabled()
                          throws SDKException

Returns a boolean that indicates whether Kerberos single sign-on (SSO) authentication is enabled.

To grant AD users Kerberos single sign-on (SSO) privileges ensure that the following steps have been completed.

Returns:
true if Kerberos SSO authentication is enabled, and false otherwise.
Throws:
SDKException - This is thrown if the process is unsuccessful.
InfoObject properties to query for:
SI_KERBEROS_ENABLED

setKerberosEnabled

void setKerberosEnabled(boolean value)

Sets a boolean that indicates whether Kerberos single sign-on (SSO) authentication is enabled.

To grant AD users Kerberos single sign-on (SSO) privileges ensure that the following steps have been completed.

Parameters:
value - A boolean that indicates whether Kerberos SSO authentication is enabled.

isCacheSecurityContext

boolean isCacheSecurityContext()
                               throws SDKException

Returns a boolean that indicates whether the security context (session ticket) for Kerberos authentication is stored in the server's cache.

This feature applies to the following servers:

If this method is enabled, use setProviderContextCacheExpiry(int seconds) to set the length of time that the security context will be stored in the cache.

Returns:
true if the security context for Kerberos authentication is stored in the server's cache, and false otherwise.
Throws:
SDKException - This is thrown if the process is unsuccessful.
InfoObject properties to query for:
SI_CACHE_SECCONTEXT

setCacheSecurityContext

void setCacheSecurityContext(boolean value)

Sets a boolean that indicates whether the security context (session ticket) for Kerberos authentication is stored in the server's cache.

This feature applies to the following servers:

If this method is enabled, use setProviderContextCacheExpiry(int seconds) to set the length of time that the security context will be stored in the cache.

Parameters:
value - A boolean that specifies whether the security context is stored in server's cache.

getServicePrincipalName

java.lang.String getServicePrincipalName()
                                         throws SDKException

Returns the service principal name (SPN).

The service principal name is associated with the principal (user or groups) and the security context (logon ticket or Kerberos ticket) that the service or application uses to run a process. For SAP BusinessObjects Enterprise to accept Kerberos tickets, the SPN must be equivalent to the account used to control the SAP BusinessObjects Enterprise servers.

Returns:
A String that contains the SPN.
Throws:
SDKException - This is thrown if the process is unsuccessful.
InfoObject properties to query for:
SI_SERVER_SSPI_SPN

setServicePrincipalName

void setServicePrincipalName(java.lang.String name)

Sets the service principal name (SPN).

The service principal name is associated with the principal (user or groups) and the security context (logon ticket or Kerberos ticket) that the service or application uses to run a process. For SAP BusinessObjects Enterprise to accept Kerberos tickets, the SPN must be equivalent to the account used to control the SAP BusinessObjects Enterprise servers.

Note: This method sets the value for the SI_SERVER_SSPI_SPN property.

Parameters:
name - A String that specifies the SPN.

isSSOEnabled

boolean isSSOEnabled()
                     throws SDKException

Returns a boolean that indicates whether single sign-on authentication (SSO) is enabled.

Returns:
true if SSO is enabled, and false otherwise.
Throws:
SDKException - This is thrown if the process is unsuccessful.
InfoObject properties to query for:
SI_SSO_ENABLED

setSSOEnabled

void setSSOEnabled(boolean value)

Sets a boolean that indicates whether single sign-on authentication (SSO) is enabled.

Set to true to enable SSO.

Parameters:
value - A boolean that indicates whether SSO is enabled.

getSSOVendor

int getSSOVendor()
                 throws SDKException

Returns the third-party vendor that is used for single sign-on authentication.

Note: The only vendor option available for this property is SiteMinder.

Returns:
An int that indicates the SSO vendor.
Throws:
SDKException - This is thrown if the process is unsuccessful.
See Also:
com.crystaldecisions.sdk.plugin.authentication.secwinad.IsecWinAD#CeSSOVendor
InfoObject properties to query for:
SI_SSO_VENDOR

setSSOVendor

void setSSOVendor(int value)
                  throws SDKException

Sets the third-party vendor that is used for single sign-on authentication.

Note: The only vendor option available for this property is SiteMinder.

Parameters:
value - An int that specifies the SSO vendor.
Throws:
SDKException - This is thrown if the process is unsuccessful.
See Also:
com.crystaldecisions.sdk.plugin.authentication.secwinad.IsecWinAD#CeSSOVendor

getSSOServersAndPorts

java.lang.String getSSOServersAndPorts()
                                       throws SDKException

Returns the host name and the three port numbers for the Policy Server(s).

The information represented in the string is formatted in the following manner: hostname:authentication port number:authorization port number:auditing port number.

For example:

  • testHost:44443:44442:44441
  • testHost:44443:44442:44441 testHost2:44443:44442:44441

Returns:
A String that identifies the host name and port numbers.
Throws:
SDKException - This is thrown if the process is unsuccessful.
InfoObject properties to query for:
SI_SSO_SERVERS_AND_PORTS

    setSSOServersAndPorts

    void setSSOServersAndPorts(java.lang.String value)

    Sets the host name and the three port numbers for the Policy Server(s).

    The information represented in the string is formatted in the following manner: hostname:authentication port number:authorization port number:auditing port number.

    For example:

  • testHost:44443:44442:44441
  • testHost:44443:44442:44441 testHost2:44443:44442:44441

Parameters:
value - A String that identifies the host name and port numbers.
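
A validator for the Policy Server string format described for getSSOServersAndPorts and setSSOServersAndPorts, as an added example that is not part of the SDK. The class `PolicyServerList` and its members are hypothetical; it assumes entries are separated by whitespace, as in the second example above, and that host names contain no colon.

```java
import java.util.ArrayList;
import java.util.List;

/** Added example (hypothetical class): checks a value before it is passed to setSSOServersAndPorts. */
public class PolicyServerList {

    /** One Policy Server entry: hostname:authentication:authorization:auditing. */
    static final class Entry {
        final String host;
        final int authenticationPort, authorizationPort, auditingPort;

        Entry(String host, int authn, int authz, int audit) {
            this.host = host;
            this.authenticationPort = authn;
            this.authorizationPort = authz;
            this.auditingPort = audit;
        }
    }

    /** Parses the whole string; throws IllegalArgumentException on the first malformed entry. */
    static List<Entry> parse(String value) {
        if (value == null || value.trim().isEmpty()) {
            throw new IllegalArgumentException("no Policy Server entries");
        }
        List<Entry> entries = new ArrayList<>();
        for (String token : value.trim().split("\\s+")) {
            String[] f = token.split(":", -1);   // -1 keeps empty trailing fields
            if (f.length != 4) {
                throw new IllegalArgumentException("expected host and three ports: " + token);
            }
            if (f[0].isEmpty()) {
                throw new IllegalArgumentException("missing host name: " + token);
            }
            entries.add(new Entry(f[0],
                port(f[1], "authentication", token),
                port(f[2], "authorization", token),
                port(f[3], "auditing", token)));
        }
        return entries;
    }

    private static int port(String text, String role, String token) {
        int p;
        try {
            p = Integer.parseInt(text);
        } catch (NumberFormatException e) {
            throw new IllegalArgumentException(role + " port is not a number: " + token);
        }
        if (p < 1 || p > 65535) {
            throw new IllegalArgumentException(role + " port out of range: " + token);
        }
        return p;
    }

    public static void main(String[] args) {
        // The two sample strings from this page, then a constructed malformed one.
        String[] samples = {
            "testHost:44443:44442:44441",
            "testHost:44443:44442:44441 testHost2:44443:44442:44441",
            "testHost:44443:44442"
        };
        for (String s : samples) {
            try {
                System.out.println(parse(s).size() + " valid entries in \"" + s + "\"");
            } catch (IllegalArgumentException e) {
                System.out.println("rejected: " + e.getMessage());
            }
        }
    }
}
```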

    setSSOSharedSecret

    void setSSOSharedSecret(java.lang.String value)

    Sets the shared secret used for single sign-on (SSO) authentication.

    Parameters:
    value - A String that specifies the shared secret.

    getSSOAgent

    java.lang.String getSSOAgent()
                                 throws SDKException

    Returns the single sign-on (SSO) agent used with SiteMinder.

    The agent communicates with the Policy Server to enforce rules for user access to protected resources.

    Returns:
    A String that identifies the agent.
    Throws:
    SDKException - This is thrown if the process is unsuccessful.
    InfoObject properties to query for:
    SI_SSO_AGENT

    setSSOAgent

    void setSSOAgent(java.lang.String value)

    Sets the single sign-on (SSO) agent used with SiteMinder.

    The agent communicates with the Policy Server to enforce rules for user access to protected resources.

    Parameters:
    value - A String that identifies the agent.

    getSSOAccessMode

    int getSSOAccessMode()
                         throws SDKException

    Returns the Policy Server access mode for single sign-on authentication.

    Policy server access modes:

    Returns:
    An int that indicates the access mode.
    Throws:
    SDKException - This is thrown if the process is unsuccessful.
    See Also:
    IsecWinAD.CeSSOAccessMode
    InfoObject properties to query for:
    SI_SSO_ACCESS_MODE

    setSSOAccessMode

    void setSSOAccessMode(int value)
                          throws SDKException

    Sets the Policy Server access mode for single sign-on authentication.

    Policy server access modes:

    Parameters:
    value - An int that specifies the access mode.
    Throws:
    SDKException - This is thrown if the process is unsuccessful.
    See Also:
    IsecWinAD.CeSSOAccessMode

    isAttributeBindingEnabled

    boolean isAttributeBindingEnabled()
                                      throws SDKException

    Returns a boolean to indicate whether the attribute binding is enabled.

    Returns:
    true if the binding is enabled, false otherwise.
    Throws:
    SDKException - This is thrown if the process is unsuccessful.
    InfoObject properties to query for:
    SI_ENABLE_ATTR_BINDING

    setAttributeBindingEnabled

    void setAttributeBindingEnabled(boolean isEnabled)

    Enables or disables the attribute binding.

    Parameters:
    isEnabled - true to enable the binding, false to disable the binding.

    getAttributeBindingPriority

    int getAttributeBindingPriority()
                                    throws SDKException

    Returns the plugin's priority to bind user attributes to an external source.

    Returns:
    An int that indicates the priority.
    Throws:
    SDKException - This is thrown if the process is unsuccessful.
    InfoObject properties to query for:
    SI_ATTR_BINDING_PRIORITY

    setAttributeBindingPriority

    void setAttributeBindingPriority(int value)

    Sets the plugin's priority to bind user attributes to an external source.

    Parameters:
    value - An int that indicates the priority.

    getDefaultUserLicenseRestrictionCUID

    java.lang.String getDefaultUserLicenseRestrictionCUID()

    Returns the default License Restriction for newly created users.

    Returns:
    The CUID of the License Restriction this plugin is set to.
    See Also:
    CeSecurityCUID.LicenseRestriction
    InfoObject properties to query for:
    SI_DEFAULT_THIRDPARTY_USER_LICENSE

    setDefaultUserLicenseRestrictionCUID

    void setDefaultUserLicenseRestrictionCUID(java.lang.String restrictionCuid)

    Sets the default License Restriction for newly created users.

    Parameters:
    restrictionCuid - The CUID of the appropriate License Restriction.
    See Also:
    CeSecurityCUID.LicenseRestriction