This blog post describes the following scenarios for customizing the Extended Authentication workflow for Rights Management in Acrobat 10.1.1:
- Enabling Extended Authentication with the default ADEP Landing URL
- Enabling Extended Authentication with the Custom Landing URL
- Default Extended authentication workflow when Third Party Identity Providers are configured on ADEP Document Server
- Custom Extended authentication workflow when Third Party Identity Providers are configured on ADEP Document Server
- Using Customized page for listing SAML Authentications
SCENARIO 1: Enable extended authentication with the default Adobe Landing URL
In this use case, Extended Authentication works with the default settings. The default landing page has Adobe branding.
- Log in to ADEP Admin UI.
- Go to Services -> Rights Management -> Configuration -> Server Configuration
- Enable the option ‘Allow Extended Authentication’
- In the Extended Authentication Landing URL field, the default is: http://localhost:8080/edc/extendedauthentication/welcome.jsp
- Replace localhost with the fully qualified host name. (Note: the HTTPS protocol is recommended.)
- Replace the port with a valid one.
- Create a policy that does not override global authentication options.
- Protect a PDF with such a policy.
- Open the policy in Acrobat 10.1 / Reader 10.1.
Fig 1. Default Landing URL
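A pre-flight check for the Landing URL steps above, as an added example (not Adobe's code and not part of the original post). `check_landing_url` is a hypothetical helper that flags a leftover localhost, a host that is not fully qualified, plain HTTP and an unusable port before the value is entered in Server Configuration; the sample URLs are constructed from the host name and ports that appear in this post.

```python
import ipaddress
from urllib.parse import urlsplit

def check_landing_url(url):
    """Return findings for an Extended Authentication Landing URL ([] means OK)."""
    try:
        parts = urlsplit(url.strip())
        port = parts.port  # raises ValueError if non-numeric or above 65535
    except ValueError:
        return ["URL or port is malformed"]

    findings = []
    if parts.scheme == "http":
        findings.append("plain http: HTTPS is recommended")
    elif parts.scheme != "https":
        findings.append("scheme must be http or https")

    host = (parts.hostname or "").lower()
    if not host:
        findings.append("no host name")
    elif host == "localhost":
        findings.append("localhost must be replaced with the fully qualified host name")
    else:
        try:
            ipaddress.ip_address(host)
            findings.append("IP literal used instead of a fully qualified host name")
        except ValueError:
            # Not an IP address: require at least one dot inside the name.
            if "." not in host.strip("."):
                findings.append("host name is not fully qualified")

    if port == 0:
        findings.append("port 0 is not valid")
    if parts.path in ("", "/"):
        findings.append("no landing page path")
    return findings

# Constructed sample values: the shipped default and a corrected form.
SAMPLES = [
    "http://localhost:8080/edc/extendedauthentication/welcome.jsp",
    "https://fully.qualified.server.name:8443/edc/extendedauthentication/welcome.jsp",
]

if __name__ == "__main__":
    for sample in SAMPLES:
        print(sample, "->", check_landing_url(sample) or "OK")
```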
SCENARIO 2: Enable extended authentication with a Custom Landing URL
In this scenario, instead of the Adobe-branded landing page, users will see a customized authentication dialog. A war file needs to be created and deployed on the ADEP Doc Server.
Please note the following items while implementing the custom war:
1. The HTML forms should be designed in such a way that, after successful authentication, the HTML page closes automatically (look at secure/welcome.jsp in the war).
2. You should pass the username as j_username and the password as j_password from your authentication form. You also need to pass source_url and login_url as hidden parameters. Check login.jsp in the war for reference.
- Create a custom war, sample.war, that has the logic to accept user credentials and authenticate against the ADEP Doc Server
- Deploy sample.war on the ADEP Doc Server
- In the Server Configuration page in Admin UI, enter the link to this sample.war
- For example: https://fully.qualified.server.name:8443/demo/welcome.jsp
- Add entries in the Config.xml under the allowed URL for SSO redirect:
- Go to Settings -> User management -> Configuration -> Manual Configuration and click on export to export the config.xml file.
- ““> under SSO. Add the below mentioned entries in the map for this node:
<entry key="sso-l" value="/ sample_/login.jsp"/>
<entry key="sso-s" value="/ sample_/welcome.jsp"/>
<entry key="sso-o" value="/ sample_/logout.jsp"/>
The following dialog is seen when a protected document is opened in Acrobat 10.1 or Reader 10.1.
Fig 2. Custom Landing URL
SCENARIO 3: Default Extended authentication workflow when Third Party Identity Providers are configured on ADEP Document Server
Extended Authentication can also make use of the different types of authentication available on the ADEP Doc Server. If SAML providers are configured on the ADEP Doc Server, then before seeing the Landing URL, users will see a page that lists all the Identity Providers configured for SAML authentication.
Prerequisite: Configure SAML authentication on the ADEP Doc Server.
The following screen is shown when a protected document is opened in Acrobat 10.1 / Reader 10.1.
Fig 3. Identity Provider List Page
The first link takes the user to the Group B Identity Provider authentication page (Fig 4). The second link takes the user to the Group A Identity Provider authentication page (Fig 4). ‘Click here to go to the ADEP Login Page’ takes the user to the default landing page (Fig 1).
Fig 4. Identity Provider Page
SCENARIO 4: Custom Extended Authentication workflow when SAML Providers are configured on ADEP Doc Server
If SAML providers are configured on the ADEP Doc Server, then before seeing the customized Landing URL, users will see a page that lists the SAML authentications.
- SAML authentications are configured on the ADEP Doc Server
- The custom war is deployed on the server
Fig 4.1 First Screen
Fig 4.2 Third Link ‘Click Here’
SCENARIO 5: USING CUSTOM PAGE FOR LISTING SAML AUTHENTICATIONS
Along with the Landing URL, ADEP Doc Server provides a way to customize the page that lists all the authentication providers configured on ADEP Doc Server (Fig 3 and Fig 4.1).
- Create a custom JSP and include it in a war file, demoJSP.war. Refer to the Custom.war attached.
- Deploy demoJSP.war on the ADEP Doc Server
- In the Admin UI, go to Settings -> User Manager -> SAML Server provider Settings
- In the Custom Properties section, add the following: saml.sp.discovery.url=/demoJSP/saml_discovery.jsp
- Open the protected document in Acrobat 10.1 / Reader 10.1
Fig 5. Customized IDP List Page
Extended Authentication in Sandboxed mode of Reader
In the sandboxed mode of Reader 10.1.1, an additional verification is required for extended authentication. If the user chooses to ‘Always allow’ the URL to be added to the trusted URLs, this verification will not appear again for that server.
Fig 6. Extended Authentication in Sandboxed mode of Reader 10.1.1