HP Fortify using Active Directory/Windows Authentication
I am trying to set up Fortify SSC to use Active Directory and Windows Authentication for my users. I have successfully configured SSC to use LDAP to import my users and assign roles, running on Tomcat 7. My issue is that we do not have passwords for our accounts. We use smartcards, but that really shouldn't matter if we can get Windows Authentication to let us into SSC.
I am not finding much in the way of documentation on how to do this. I saw in the December announcement () that "Windows Active Directory Service support" is supported in R4.40. I assumed this means I can use my internal Active Directory to authenticate my accounts, but the install guide doesn't talk about this at all. I see new options for SSO and SAML configuration, but no real documentation on how to use this for Active Directory.
What is the recommended method to authenticate users using Windows Authentication? Can I use SSO with Tomcat and Windows Authentication? Can I pass my authorized Windows account through IIS over to Tomcat using an IIS rewrite rule?
We do not support Windows Authentication in 4.4 and earlier releases.
Active Directory (AD) is a user storage based on LDAP and can be accessed using the LDAP protocol. Having AD configured with SSC doesn’t automatically mean that you're using Windows Authentication.
For Windows Authentication you would have to set up an environment with AD and a KDC (Kerberos Key Distribution Center), and SSC would have to support it, which it will in an upcoming release.
If you are using smart cards, it may be a type of card we're going to support in an upcoming release, such as CAC with a CA-signed certificate stored on the card. This is also not Windows Authentication, though it can be configured together with AD.
Simply put, in 4.4 you can have the following setups:
- AD/LDAP as user store with user passwords and SSC with LDAP enabled (user password LDAP attribute specified)
- SAML IdP + SSC with LDAP enabled, usually both talking to the same AD/LDAP directory, where the IdP authenticates the user and SSC authorizes the user based on AD entries
In an upcoming release, you should be able to do all the above plus:
- SPNEGO/Kerberos + SSC with LDAP enabled and configured for Kerberos authentication, using AD and KDC
- X.509 certificate + SSC with LDAP enabled and configured for X.509 certificate authentication – CAC
This was targeted to come out with our 16.2 release but we weren't able to reach that goal. I'm confident that we'll have it for 17.1 and depending on how quickly we can get it done, I'll try to get it pushed out as a 16.2 patch.
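The answer's distinction between authentication and authorization is easy to miss: in the first 4.4 setup SSC itself receives and checks the user's password against the directory, while in the SAML setup the IdP authenticates and SSC only validates the assertion and derives roles from AD group membership, never seeing a password. The following added example (not code from this thread or from Fortify SSC) models both flows. It assumes a constructed in-memory directory in place of a real AD/LDAP server, an HMAC in place of the XML signature a real SAML assertion carries, and made-up group-to-role names; the function and attribute names are illustrative only.

```python
"""Added example: models the two 4.4-era setups from the answer above.
Everything here (directory entries, ROLE_MAP, IDP_KEY) is constructed for
the demo; it is not SSC's configuration or API."""
import hashlib
import hmac
from typing import Optional


def _pbkdf2(password: str, salt: bytes) -> bytes:
    # Constructed password hashing for the demo directory (never store plaintext).
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


_SALT = b"constructed-salt"

# Constructed directory: DN -> attributes, standing in for AD entries.
DIRECTORY = {
    "CN=alice,OU=Users,DC=corp,DC=example": {
        "sAMAccountName": "alice",
        "memberOf": ["CN=SSC-Admins,OU=Groups,DC=corp,DC=example"],
        "userPassword": _pbkdf2("correct horse battery", _SALT),
    },
    "CN=bob,OU=Users,DC=corp,DC=example": {
        "sAMAccountName": "bob",
        "memberOf": ["CN=SSC-Developers,OU=Groups,DC=corp,DC=example"],
        # Smart-card-only account: it has no password attribute at all.
    },
}

# Constructed group -> role mapping (not SSC's actual role names).
ROLE_MAP = {
    "CN=SSC-Admins,OU=Groups,DC=corp,DC=example": "Administrator",
    "CN=SSC-Developers,OU=Groups,DC=corp,DC=example": "Developer",
}


def find_dn(username: str) -> Optional[str]:
    """Look up the entry whose sAMAccountName matches (what an LDAP import keys on)."""
    for dn, attrs in DIRECTORY.items():
        if attrs.get("sAMAccountName") == username:
            return dn
    return None


def authorize(dn: str) -> list:
    """Authorization only: derive application roles from the entry's group
    membership. Shared by both flows and never touches a password."""
    groups = DIRECTORY.get(dn, {}).get("memberOf", [])
    return sorted(ROLE_MAP[g] for g in groups if g in ROLE_MAP)


def ldap_password_login(username: str, password: str) -> Optional[list]:
    """Setup 1: LDAP enabled with a user password attribute specified.
    The application itself receives the password and verifies it."""
    dn = find_dn(username)
    if dn is None:
        return None
    stored = DIRECTORY[dn].get("userPassword")
    if stored is None:
        return None  # no password attribute (smart-card-only account): cannot use this flow
    if not hmac.compare_digest(stored, _pbkdf2(password, _SALT)):
        return None
    return authorize(dn)


# Setup 2: SAML. The IdP authenticates by its own means and issues an assertion;
# the application only validates the assertion and authorizes from the directory.
IDP_KEY = b"constructed-shared-key"  # stands in for the IdP signing certificate


def idp_issue_assertion(username: str) -> dict:
    """What the IdP produces after it has authenticated the user (e.g. by smart card)."""
    sig = hmac.new(IDP_KEY, username.encode(), "sha256").hexdigest()
    return {"NameID": username, "sig": sig}


def saml_login(assertion: dict) -> Optional[list]:
    """The SP side: verify the assertion, then authorize from AD entries."""
    expected = hmac.new(IDP_KEY, assertion["NameID"].encode(), "sha256").hexdigest()
    if not hmac.compare_digest(expected, assertion["sig"]):
        return None  # forged or tampered assertion
    dn = find_dn(assertion["NameID"])
    if dn is None:
        return None  # authenticated at the IdP but not present in the LDAP import
    return authorize(dn)


if __name__ == "__main__":
    print("alice/password:", ldap_password_login("alice", "correct horse battery"))
    print("bob/password:  ", ldap_password_login("bob", "anything"))
    print("bob/SAML:      ", saml_login(idp_issue_assertion("bob")))
```

Running it shows why the second setup matters for accounts without passwords: the password flow rejects bob outright, while the SAML flow lets the IdP handle authentication and still gives SSC a role from bob's AD groups. A user the IdP vouches for but who was never imported from LDAP gets no roles, which is the "SSC authorizes based on AD entries" half of the answer.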