Interfacing CloudPortal Business Management (CPBM) with Enterprise-Level Authentication
by Marc Vaillancourt
In some organizations, CPBM’s integrated account-management functionality is insufficient to satisfy the demanding requirements of the corporate security department. It’s not for a lack of features, since CPBM offers a rather complete set of functionality out of the box: email verification, encrypted password (with salt), captcha support, account locking after multiple failed login attempts, lost password recovery, plus complete audit trail capability.
However, for some organizations, all these features mean nothing if an application doesn’t offer seamless integration with a centralized directory system (think LDAP, Active Directory, etc.) or single sign-on. Let’s see what additional flexibility Citrix has in store to address these needs.
Citrix does provide integration with LDAP systems for authentication purposes, but it doesn’t necessarily work as you might expect. Let’s look at it in detail.
As a root user, if you navigate to Administration > Configuration > Integration, you can set the ldap.enable property to “True.” This setting pushes information about your CPBM users to an LDAP server using the connection information stored in the cloud.properties file:
ldap.url=ldap://<server ip>:389
ldap.base=<ldap base where CPBM will read/write account information>
ldap.userdn=<user dn used to query/push account info, r/w access required>
ldap.password=<password for above ldap.userdn>
Contrary to what you might expect, CPBM will not let you use your usual LDAP profile to log into the application. Instead, it creates another subtree in your LDAP database and pushes a subset of the information originating from its user table into it. A consequence of this design is that one typical use case of centralized user management, the ability to quickly remove application access from a user who is leaving the company, is not available. Similarly, changing your LDAP password at a pre-determined interval won’t apply to your CPBM login either.
To put it simply, this feature provides a way to externalize your CPBM account information, but doesn’t let you easily provision new CPBM user accounts from existing LDAP info, nor let you log into it with the same account you use across all other apps. To get these conveniences, you might want to leverage this next feature.
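Because CPBM only mirrors its own user table into a separate subtree, a user deleted from the corporate directory keeps a working CPBM login until someone notices. The following reconciliation check is an added example (not Citrix code) that lists CPBM subtree entries with no matching corporate entry; the subtree DNs, the `uid` attribute and the LDIF content are constructed assumptions, so substitute an export of your own ldap.base subtree.

```python
"""Reconcile CPBM's LDAP subtree against the corporate user subtree.

CPBM's ldap.enable pushes a copy of its user table under its own subtree
(ldap.base) instead of authenticating against existing profiles, so an
offboarded user keeps a valid CPBM login. This check flags CPBM entries
whose uid has no corporate counterpart. All LDIF below is constructed
sample data; DNs and attribute names are assumptions for illustration."""

CORP_LDIF = """\
dn: uid=alice,ou=people,dc=example,dc=com
uid: alice
mail: alice@example.com

dn: uid=bob,ou=people,dc=example,dc=com
uid: bob
mail: bob@example.com
"""

CPBM_LDIF = """\
dn: uid=alice,ou=cpbm,dc=example,dc=com
uid: alice
mail: alice@example.com

dn: uid=bob,ou=cpbm,dc=example,dc=com
uid: bob

dn: uid=carol,ou=cpbm,dc=example,dc=com
uid: carol
mail: carol@example.com
"""

def parse_ldif(text):
    """Minimal LDIF parser: blank-line-separated entries -> list of dicts (lowercased keys)."""
    entries, current = [], {}
    for line in text.splitlines():
        if not line.strip():
            if current:
                entries.append(current)
                current = {}
            continue
        key, _, value = line.partition(":")
        current.setdefault(key.strip().lower(), []).append(value.strip())
    if current:
        entries.append(current)
    return entries

def stale_cpbm_accounts(corp_ldif, cpbm_ldif, key="uid"):
    """Return sorted uids present in the CPBM subtree but absent from the corporate one."""
    corp = {e[key][0] for e in parse_ldif(corp_ldif) if key in e}
    cpbm = {e[key][0] for e in parse_ldif(cpbm_ldif) if key in e}
    return sorted(cpbm - corp)

if __name__ == "__main__":
    for uid in stale_cpbm_accounts(CORP_LDIF, CPBM_LDIF):
        print(f"CPBM account with no corporate directory entry: {uid}")
```

Run it on a periodic schedule and feed the output to whoever disables CPBM accounts, since the LDAP integration itself will not do it for you.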
Single sign-on (SSO) has become very popular in the last few years. We all use a large variety of applications in our day-to-day work, and we can safely affirm that:
- Nobody likes having to remember many different passwords.
- Nobody likes to fill in a separate login form every time they navigate to a different web application.
CAS is a very popular open-source SSO solution that provides authentication against a variety of backend systems, such as Active Directory, databases, RADIUS, X.509 certificates, etc.
If your organization already uses CAS, you can turn on CPBM’s integration with CAS by uncommenting the following line in the cloud.properties file:
You will also need to configure a few CAS-related URLs in the same file to let CPBM know how to interface with your organization’s CAS server. Finally, you must configure the CAS server so that it knows how to access CPBM’s database to perform authentication.
Citrix provides details on how to configure CAS with CPBM.
In an ideal world, CPBM would let you auto-provision new accounts based on existing LDAP user profiles and potentially even derive your users’ permissions depending on their existing attributes (e.g., the groups they are part of) or their location in the org tree. Ideally, it would also support a much wider range of SSO solutions.
Hopefully, the upcoming CPBM SDK will provide a partial answer, by at least enabling outside parties to create those missing bridges.