On Jan 5, 2019, at 2:00 PM, Robert wrote:
> Tim, I just toggled on the checkbox on the server that activates this feature
> but I’ve not implemented the code just yet…. So, how do you specify that you
> are logging in with the local 4D password instead of SSO? Modifier keys?
> Hidden Menu? Also, I’m not sure when the SSO login is in effect. Once the SSO
> code is in effect will you lock yourself out if the authentication server is
> down or you are developing on a different network without AD services?
Hi Robert,
You don’t want to use 4D’s password system directly. You can use it behind the
scenes so that you have access to “Current user” command as has been discussed
here at length. But for SSO to work, you don’t want the user to have to do
anything. They do absolutely nothing. So do not let them chose to use SSO or
not.
I would not plan on the authentication server every being down. That is total
death for a Windows network. That means NOBODY can log into any computer on the
network. So if the authentication server is down, accessing your 4D database
will be the least of their worries. They won’t even be able to boot their
computers or access network file shares.
One way to look at SSO in 4D is to boil it down to the implementation basics.
You need to identify the user automatically without any interaction from a
person.Who is trying to get access to my database? That’s it.
You can use “Current system user” command to get the name of the user that has
logged into the machine. On Windows OS this is the windows login name.
4D SSO implementation boils down to a single command “Current client
authentication”. Use that instead of “Current system user” command. This will
give you a guaranteed Windows login name that has been authenticated via
Windows Active Directory. This gives you reliable user identification.
Seems like people just can’t seem to get their heads around using 4D’s SSO
system to replace an existing authentication system. So i’m going to provide
some code that I use in my “Login” method. It is designed to use 4D SSO
implementation as primary authentication, but it also works without it and on
macOS. <>authenticatedUser_b is used in other areas of the application so that
I know if i used SSO to authenticate.
// get the Windows login name
$windowsUserLogin_t:=Current client authentication($domain_t;$protocol_t)
// check login validity
Case of
: (Is macOS) // running on macOS
$windowsUserLogin_t:=Current system user
<>authenticatedUser_b:=False
: (Not(Is compiled mode))
$windowsUserLogin_t:=Current system user
<>authenticatedUser_b:=False
: ($windowsUserLogin_t="") // an authenticated login could not be
retrieved
<>authenticatedUser_b:=False
// show user messasge and quit
Msg ("Unable to authenticate user and retrieve Windows Login
Name"+Char(Carriage return)+\
"Login Name: "+Current system user+Char(Carriage return)+\
"Domain: "+$domain_t+Char(Carriage return)+\
"Protocol: "+$protocol_t;"Error")
QUIT 4D
Else // got authenticated login situation
<>authenticatedUser_b:=True
End case
// look for user and load preferences and groups
If ($windowsUserLogin_t#"")
READ ONLY([Users])
QUERY([Users];[Users]WindowsLoginName=$windowsUserLogin_t)
If (Records in selection([Users])=1)
// save user name & ID
<>CurrentUserName:=[Users]UserName
<>CurrentUserID:=[Users]ID
// load preferences
LoadUserPreferences ([Users]ID)
// load privileges
GetUserGroups ([Users]ID;-><>CurrentUserGroupsA)
$loginSuccessful_b:=True
End if
End if
// display dialog of User to login
If (Not($loginSuccessful_b))
<>authenticatedUser_b:=False
OpenWindow (270;270;Movable dialog box;"Login";2)
DIALOG([Dialogs];"Login")
CLOSE WINDOW
End if
The above code first tries to use "Current client authentication”. If 4D Client
is running on Windows and 4D is configured to have SSO turned on — and it is
working — you get a $windowsUserLogin_t value. The remaining code deals with if
SSO is not available for use such as if you are not running compiled or are
running on macOS. Convenience code basically for my use when doing development
and testing.
Once you have a user login name you can depend on — that’s what SSO and the
“Current client authentication” command does for you — you can then check if
that user login name is allowed into your database. In my case I just check for
a record in the [Users] table.
The above code also handles the situation where authentication totally fails
and as a very last resort