Extended Authentication Scenarios

This blog describes the following scenarios with respect to customizing the Extended Authentication workflow for Rights Management, in Acrobat 10.1.1:

  1. Enabling Extended Authentication with the default ADEP Landing URL
  2. Enabling Extended Authentication with the Custom Landing URL
  3. Default Extended authentication workflow when Third Party Identity Providers are configured on ADEP Document Server
  4. Custom Extended authentication workflow when Third Party Identity Providers are configured on ADEP Document Server
  5. Using Customized page for listing SAML Authentications

SCENARIO 1: Enable extended authentication with the default Adobe Landing URL

In this use case, Extended Authentication works with the default settings. The default landing page has Adobe branding.

  1. Log in to ADEP Admin UI.
  2. Go to Services -> Rights Management -> Configuration -> Server Configuration
  3. Enable the option ‘Allow Extended Authentication’
  4. In the Extended Authentication Landing URL field, the default is: http://localhost:8080/edc/extendedauthentication/welcome.jsp
  5. Replace localhost with the fully qualified host name. (Note: the HTTPS protocol is recommended.)
  6. Replace the port with a valid one.
  7. Save
  8. Create a policy that does not override global authentication options.
  9. Protect a PDF with such a policy.
  10. Open the policy in Acrobat 10.1 / Reader 10.1.

Fig 1. Default Landing URL

SCENARIO 2: Enable extended authentication with a Custom Landing URL

In this scenario, instead of the Adobe-branded landing page, users see a customized authentication dialog. A WAR needs to be created and deployed on the ADEP Doc Server.

Please note the following items while implementing the custom WAR:

1. The HTML forms should be designed so that the HTML page closes automatically after successful authentication (look at secure/welcome.jsp in the WAR).

2. Pass the username as j_username and the password as j_password from your authentication form. You also need to pass source_url and login_url as hidden parameters. Check login.jsp in the WAR for reference.

 Steps:

  1. Create a custom war, sample.war, that has the logic to accept user credentials and authenticate against the ADEP Doc Server
  2. Deploy sample.war on the ADEP Doc Server
  3. In the Server Configuration page in Admin UI, enter the link to this sample.war, e.g. https://fully.qualified.server.name:8443/demo/welcome.jsp
  4. Add entries in config.xml under the allowed URLs for SSO redirect:
  •  Go to Settings -> User management -> Configuration -> Manual Configuration and click Export to export the config.xml file.
  •  Edit the exported config.xml and search for <node name="AllowedUrls"> under SSO. Add the following entries to the map for this node:

                        <entry key="sso-l" value="/sample/login.jsp"/>

                        <entry key="sso-s" value="/sample/welcome.jsp"/>

                        <entry key="sso-o" value="/sample/logout.jsp"/>

The following dialog is seen when a protected document is opened in Acrobat 10.1 or Reader 10.1.

Fig 2. Custom Landing URL
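A pre-deployment check for the settings in Scenarios 1 and 2, as an added example that is not part of the original post or of ADEP: it verifies that the landing URL uses HTTPS with a fully qualified host, and that the login, welcome and logout pages of the custom WAR are all present under AllowedUrls in the exported config.xml. The sample config, its <map> wrapper and root element, and the function names are assumptions constructed for illustration; the check also assumes the three pages share the landing URL's context path.

```python
import xml.etree.ElementTree as ET
from urllib.parse import urlsplit

# Constructed sample of an exported config.xml fragment; the <root> element
# and the <map> wrapper are assumptions about the export layout.
SAMPLE_CONFIG = """\
<root>
  <node name="SSO">
    <node name="AllowedUrls">
      <map>
        <entry key="sso-l" value="/sample/login.jsp"/>
        <entry key="sso-s" value="/sample/welcome.jsp"/>
        <entry key="sso-o" value="/sample/logout.jsp"/>
      </map>
    </node>
  </node>
</root>
"""

def allowed_sso_paths(config_xml):
    """Return the set of paths listed under every <node name="AllowedUrls">."""
    paths = set()
    for node in ET.fromstring(config_xml).iter("node"):
        if node.get("name") == "AllowedUrls":
            paths.update(e.get("value", "").strip() for e in node.iter("entry"))
    paths.discard("")
    return paths

def check_landing_url(landing_url, config_xml,
                      pages=("login.jsp", "welcome.jsp", "logout.jsp")):
    """Return a list of findings; an empty list means every check passed."""
    findings = []
    url = urlsplit(landing_url)
    host = url.hostname or ""
    if url.scheme != "https":
        findings.append("landing URL is not HTTPS")
    if host in ("localhost", "127.0.0.1", "::1") or "." not in host:
        findings.append("host is not a fully qualified name: %r" % host)
    allowed = allowed_sso_paths(config_xml)
    context = url.path.rsplit("/", 1)[0]  # context path, e.g. "/sample"
    for page in pages:
        path = "%s/%s" % (context, page)
        if path not in allowed:
            findings.append("missing AllowedUrls entry for " + path)
    return findings

if __name__ == "__main__":
    for u in ("https://fully.qualified.server.name:8443/sample/welcome.jsp",
              "http://localhost:8080/demo/welcome.jsp"):
        print(u, "->", check_landing_url(u, SAMPLE_CONFIG) or "OK")
```

A landing URL under /demo/ fails the last check against entries written for /sample/, so the context path of the deployed WAR and the AllowedUrls values need to agree.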

SCENARIO 3: Default Extended authentication workflow when Third Party Identity Providers are configured on ADEP Document Server

Extended Authentication can also make use of the different types of authentication available on the ADEP Doc Server. If SAML providers are configured on the ADEP Doc Server, then before seeing the Landing URL, users see a page that lists all the Identity Providers configured for SAML authentication.

Prerequisite: Configure SAML authentication on the ADEP Doc Server.

The following screen is shown when a protected document is opened up in Acrobat 10.1 /Reader 10.1

Fig 3. Identity Provider List Page

The first link takes the user to the Group B Identity Provider authentication page (Fig 4). The second link takes the user to the Group A Identity Provider authentication page (Fig 4). ‘Click here to go to the ADEP Login Page’ takes the user to the default landing page (Fig 1).

Fig 4. Identity Provider Page

SCENARIO 4: Custom Extended Authentication workflow when SAML Providers are configured on ADEP Doc Server

If SAML providers are configured on the ADEP Doc Server, then before seeing the customized Landing URL, users see a page that lists the SAML authentications.

Prerequisites:

  1. SAML authentications are configured on the ADEP Doc Server
  2. The custom WAR is deployed on the server

Fig 4.1 First Screen

Fig 4.2 Third Link ‘Click Here’

SCENARIO 5: USING CUSTOM PAGE FOR LISTING SAML AUTHENTICATIONS

Along with the Landing URL, ADEP Doc Server provides a way to customize the page that lists all the authentication providers configured on ADEP Doc Server (Fig 3 and Fig 4.1).

 Steps:

  1. Create a custom JSP and include it in a WAR file, demoJSP.war. Refer to the Custom.war attached.
  2. Deploy demoJSP.war on the ADEP Doc Server
  3. In the Admin UI, go to Settings -> User Manager -> SAML Server provider Settings
  4. In the Custom properties section, add the following: saml.sp.discovery.url=/demoJSP/saml_discovery.jsp
  5. Open the protected Document in Acrobat 10.1/Reader 10.1

Fig 5. Customized IDP List Page

Extended Authentication on Sandboxed mode of Reader

In the sandboxed mode of Reader 10.1.1, an additional verification is required for extended authentication. If the user chooses to ‘Always allow’ the URL to be added to the trusted URLs, this verification will not appear again for that server.

Fig 6. Extended Authentication in Sandboxed mode of Reader 10.1.1


About Salma

Hi, I am working at Adobe Systems, Bangalore as a Lead Software Engineer.

One Response to Extended Authentication Scenarios

  1. krishnan says:

    Is it possible to export policies in XML format, or import policies in XML format?