Web Single Sign-On Proxy

Configuring the Proxy Server

Configure the proxy server to forward requests for SafeQ either to the root directory "/" or directly to the dedicated Web Single Sign-On authentication address "/wsso". The two behave identically, because the root directory automatically forwards the request to "/wsso". Once the proxy is configured correctly, users are redirected to the Dashboard page automatically.

Enabling the WSSO Proxy in Dispatcher Paragon

  1. Log into the Dispatcher Paragon management interface as a user with rights to modify the system configuration (for example, as the default user admin).

  2. Navigate to System > Configuration and search for the webAuthenticationMethod property.

  3. Change the property value to Web Single sign-on Proxy Header to enable the single sign-on method.

  4. Additionally, search for wssoProxyHeaderName and enter the name for the HTTP Header that will contain the username as its value.

  5. Configure Tomcat's server.xml file to restrict incoming traffic to the IP addresses assigned to the dedicated proxy server(s) (see below).

  6. Save all changes and restart Konica Minolta Management Service to apply the settings.

Setting up server.xml to Filter Incoming Requests

Editing server.xml is an advanced configuration step; a mistake can make the Management service unreachable. Back up all files before making any modifications.

Filtering incoming requests prevents users from bypassing the proxy and spoofing the username header to gain privileged access to the system.

Server.xml is located in the directory %SAFEQ_HOME%\Management\tomcat\conf. Incoming traffic is restricted to the IP addresses of the dedicated proxy servers by adding a RemoteAddrValve element. Additional details on configuring this XML element can be found in the Tomcat documentation: https://tomcat.apache.org/tomcat-7.0-doc/config/valve.html

  1. Obtain the IP address(es) of the dedicated proxy server(s).

  2. Open server.xml in an editor, such as Notepad.

  3. Search for the following line:
    <Engine name="Catalina" defaultHost="localhost">

  4. Add or edit the following line immediately below it, setting the allow attribute to the IP addresses of both localhost and the dedicated proxy server(s):
    <Valve className="org.apache.catalina.valves.RemoteAddrValve" allow="127\.0\.0\.1" />

    1. Include localhost (127.0.0.1) in the field.

    2. Periods in IP addresses must be escaped with a backslash "\" (e.g., 127.0.0.1 => "127\.0\.0\.1").

    3. Separate multiple IP addresses with a vertical pipe "|" and no spacing (e.g., 127.0.0.1 & 10.0.0.50 => "127\.0\.0\.1|10\.0\.0\.50").

    4. Wildcard IP addresses are permitted by using "\d+" for the wildcard value. (e.g. 10.0.0.* => "10\.0\.0\.\d+")
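As an added example (not part of the Dispatcher Paragon documentation or product), the following Python script reads the allow attribute of the RemoteAddrValve from a constructed server.xml fragment and checks candidate client addresses against it the way the valve does, by requiring the whole remote address to match the regular expression. It assumes that Python's re module and Java's regex engine agree for the escaped-dot, \d+ and | constructs used here, and it also shows why an unescaped period is too permissive.

```python
import re
import xml.etree.ElementTree as ET

# Constructed server.xml fragment in the shape this page describes (not a real
# Dispatcher Paragon file): the RemoteAddrValve sits directly below <Engine>.
SERVER_XML = r"""<Server>
  <Service name="Catalina">
    <Engine name="Catalina" defaultHost="localhost">
      <Valve className="org.apache.catalina.valves.RemoteAddrValve"
             allow="127\.0\.0\.1|10\.0\.0\.\d+" />
      <Host name="localhost" appBase="webapps" />
    </Engine>
  </Service>
</Server>"""

VALVE_CLASS = "org.apache.catalina.valves.RemoteAddrValve"


def load_allow_pattern(server_xml: str) -> str:
    """Return the allow attribute of the RemoteAddrValve placed directly under <Engine>."""
    root = ET.fromstring(server_xml)
    for engine in root.iter("Engine"):
        for valve in engine.findall("Valve"):
            if valve.get("className") == VALVE_CLASS:
                return valve.get("allow", "")
    raise ValueError("no RemoteAddrValve directly below <Engine>")


def is_allowed(allow_pattern: str, client_ip: str) -> bool:
    # RemoteAddrValve accepts a request only when the complete remote address
    # matches the allow regex, so a full match (not a search) is the right test.
    # Assumption: Python's re and java.util.regex behave the same for the
    # escaped dot, \d+ and | constructs used in these patterns.
    return re.fullmatch(allow_pattern, client_ip) is not None


def audit(allow_pattern: str, client_ips):
    """Report which candidate client addresses the valve would let through."""
    return {ip: is_allowed(allow_pattern, ip) for ip in client_ips}


if __name__ == "__main__":
    pattern = load_allow_pattern(SERVER_XML)
    candidates = ["127.0.0.1", "10.0.0.50", "10.0.1.50", "10.0.0.50.1"]
    for ip, ok in audit(pattern, candidates).items():
        print(f"{ip:>12}  {'allowed' if ok else 'denied'}")
    # An unescaped period is a regex wildcard: "10.0.0.50" also admits 10a0b0c50.
    print("unescaped pattern admits 10a0b0c50:", is_allowed("10.0.0.50", "10a0b0c50"))
```

Run it against a copy of the real server.xml by replacing SERVER_XML with the file's contents to confirm the allow list admits only localhost and the proxy addresses.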