QPR Installation Instructions

Using Single Sign-On with QPR Products

Using Single Sign-On with QPR Products

Previous topic Next topic  

Using Single Sign-On with QPR Products

Previous topic Next topic JavaScript is required for the print function  

It is possible to use single sign-on authentication with QPR products. QPR Portal, QPR Web Services Foundation, QPR Modeling Client, and QPR Metrics client support the use of Integrated Windows Authentication (IWA) for login. In addition, generic single sign on (SSO) is available for QPR Portal. With QPR Portal only Microsoft Internet Information Services (IIS) is supported as a web server. See the instructions below for information on enabling single sign-on authentication:


Changes in QPR Configuration Manager


1. Change the following settings in the General tab of the QPR Foundation Server section:


Select the authentication method(s) you want to use in the "Authentication method" sub-section. For Single Sign-On to work, you need to have Windows NT and/or LDAP selected. In the case you are going to use Integrated Windows Authentication with LDAP authentication, make sure Active Directory is set as the naming convention for LDAP (this can be done in the LDAP Settings sub-section). Check also that cookies are not used for autologin, i.e. the "Do not use cookies for autologin" option is selected in the "Autologin settings" sub-section. Select also the desired group management method from the "User group" section. See the previous two chapters for more information about the user group management methods.





2. Change the following settings in the Single Sign On sub-section of the QPR Foundation Server section:


Select the products for which you want to enable Integrated Windows Authentication (IWA) or generic Single Sign On (SSO) by checking the desired checkboxes. In the case you selected QPR Portal in either section and QPR Web Application Server is located on a different computer than QPR.isapi.dll/QPR.CGI.exe, define also the IP address of the server computer containing QPR.isapi.dll/QPR.CGI.exe into the CGI binary IP field in the General Settings section. If QPR.isapi.dll/QPR.CGI.exe and QPR Web Application Server are located on the same computer, the CGI binary IP field can be left empty.




The Single Sign On (SSO) option enables you to use single sign on in trusted environments where a web request's header variable carries the login name of the authenticated user. In the case your portal environment supports setting header variables for authenticated users, you can utilize the generic single sign on support for authenticating to QPR Portal. This functionality enables integration for example with the SAP Logon Ticket system.


Using the SSO option requires also that qprsettings.dat in the CGI binary/ISAPI DLL folder (C:\Inetpub\wwwroot\qpr2012-2\Portal by default) is modified to define the name of the header variable containing the login name. Add a HDR_VAR_USR = <variable name> setting to the file.


Check log on account for QPR service


3. Make sure that QPR Service 2012.2 is run with an account that can make queries to Active Directory.


Restart QPR service


4. Start/restart QPR service so that changes take effect.



Check Microsoft Internet Information Services (IIS) settings


5. The following applies regardless of IIS version:

Anonymous access needs to be disabled and Windows Authentication enabled on the QPR2012-2 application / virtual directory and Portal virtual directory


On IIS 7 and newer, also make sure that the Windows Authentication feature is installed on IIS.





See Appendix D in the QPR Installation Instructions document for information about configuring QPR Web Services Foundation to use single sign-on.



Web browser settings in Microsoft Internet Explorer


Microsoft Internet Explorer supports Integrated Windows Authentication in its default configuration.



Web browser settings in Mozilla Firefox


To enable Integrated Windows Authentication in Mozilla Firefox, do the following:


1.Input about:config to the address bar

2.Acknowledge the warning and proceed

3.Input network.automatic as the filter

4.Double-click the network.automatic-ntlm-auth.trusted-uris setting.

5.Input the host name of your QPR Portal as the value, for example http://myserver. If you have multiple servers to allow, separate them with commas.