Perforce Public Knowledge Base - Understanding Single Sign-On (SSO) authentication triggers
Understanding Single Sign-On (SSO) authentication triggers

Problem
How do auth-check-sso triggers work?
Solution

SSO authentication to the Perforce Server can be implemented using an auth-check-sso trigger. The auth-check-sso trigger is designed to work with a Client-side script that sends information to a Server-side script. In a simple case, the Client-side script encrypts a password and the Server-side script decrypts this password. If either the Client-side script or the Server-side script produces a non-zero exit code, authentication fails.

Both STDOUT and STDERR of the Client-side script are sent to the Server.  Only a single line is processed by the Server.  You may use a script to combine outputs to create the single line.

The Server-side script can write to STDOUT and STDERR; both are sent to the client as informational messages.

Note: The Perforce Server must be restarted after the auth-check-sso trigger is defined.

Single Sign-On functionality was introduced as a supported feature in the 2011.1 version of the Perforce Service.

Below are simple, step-by-step examples that show how the auth-check-sso trigger works on Windows and Linux.

See our System Administrators Guide Auth-check and service-check triggers for other examples.


Unix Example

Below is an example that:

A. Passes the user name (%user%) to the server script
B. Shows output from standard error (STDERR)


Perforce server: gabriel
Perforce client: raphael

1. Create the trigger table

2. Set up the P4LOGINSSO environment variable

3. Write the client-side script referenced in P4LOGINSSO
    See the /home/perforce/bruno/ssoclientside examples below.

4. Write the server-side script referenced in the trigger table

Setup:

p4 triggers
    Triggers:
        sso auth-check-sso auth "/home/bruno/perforce/ssoserverside %user%"
 
[perforce@raphael bruno]$ p4 set
P4CONFIG=.p4c (config '/home/perforce/bruno/.p4c')
P4LOGINSSO=/home/perforce/bruno/ssoclientside (config)
P4PORT=gabriel.perforce.com:1666 (config)
P4USER=bruno (config)
[perforce@raphael bruno]$


    
Example 1

Client side: STDOUT, STDERR, non-zero exit code
Server side: STDOUT, zero exit code
[perforce@raphael bruno]$ vi /home/perforce/bruno/ssoclientside

[perforce@raphael bruno]$ cat /home/perforce/bruno/ssoclientside
#!/bin/bash
# Script with both standard out and standard error
echo "this is client side standard out."
ls /bogus/blah
exit 1

[perforce@raphael bruno]$ p4 logout
User bruno logged out.

[perforce@raphael bruno]$ p4 login
Single sign-on on client failed: this is client side standard out.
ls: /bogus/blah: No such file or directory

[perforce@raphael bruno]$ p4 login -s
Perforce password (P4PASSWD) invalid or unset.

[bruno@gabriel 20131]$ cat /home/bruno/perforce/ssoserverside
#!/bin/sh
read CLIENTINPUT
date > /tmp/sso.txt
echo "USER is $1"
echo "Server side script writes $CLIENTINPUT" >> /tmp/sso.txt
echo "Server side script sees: $CLIENTINPUT from user $USER"
exit 0

[bruno@gabriel 20131]$ cat /tmp/sso.txt
Wed Jun  5 15:37:05 PDT 2013
Server side script writes ls: /bogus/blah: No such file or directory Hello there

Result:
"Single sign-on on client failed" message displayed from non-zero client exit code
STDOUT from client side displayed on client
STDERR displayed on client because client script failed
Authentication fails because client side script fails with "Single sign-on on client failed" error.
Server side information not displayed because process does not get past the client side    
    

Example 2
  
Client side: STDOUT, STDERR, zero exit code
Server side: STDOUT, zero exit code
$ cat /home/perforce/bruno/ssoclientside
#!/bin/bash
# Script with both standard out and standard error
echo "this is client side standard out."
ls /bogus/blah
exit 0

$ cat /home/bruno/perforce/ssoserverside
#!/bin/sh
read CLIENTINPUT
date > /tmp/sso.txt
echo "USER is $1"
echo "Server side script writes $CLIENTINPUT" >> /tmp/sso.txt
echo "Server side script sees: $CLIENTINPUT from user $USER"
exit 0

[perforce@raphael bruno]$ p4 logout
Perforce password (P4PASSWD) invalid or unset.

[perforce@raphael bruno]$ p4 login
USER is bruno
Server side script sees: this is client side standard out. from user bruno
User bruno logged in.

[perforce@raphael bruno]$ p4 login -s
User bruno ticket expires in 11 hours 59 minutes.

[bruno@gabriel 20131]$ cat /tmp/sso.txt
Wed Jun  5 15:46:50 PDT 2013
Server side script writes this is client side standard out.

Result:
STDOUT from server side is displayed on the client, as evidenced by "Server side script sees"
Second line of output which contains STDERR is not displayed on client because only one line is passed to the server
Authentication succeeds because both client and server have zero exit codes.
    
    
Example 3

Client side: STDOUT, STDERR, zero exit code
Server side: STDOUT, non-zero exit code
[perforce@raphael bruno]$ cat /home/perforce/bruno/ssoclientside
#!/bin/bash
# Script with both standard out and standard error
echo "this is client side standard out."
ls /bogus/blah
exit 0

[bruno@gabriel 20131]$ cat /home/bruno/perforce/ssoserverside
#!/bin/sh
read CLIENTINPUT
date > /tmp/sso.txt
echo "USER is $1"
echo "Server side script writes $CLIENTINPUT" >> /tmp/sso.txt
echo "Server side script sees: $CLIENTINPUT from user $USER"
exit 1

[perforce@raphael bruno]$ p4 logout
User bruno logged out.

[perforce@raphael bruno]$ p4 login
Login invalid.
'sso' validation failed: USER is bruno
Server side script sees: this is client side standard out. from user bruno

[perforce@raphael bruno]$ p4 login -s
Perforce password (P4PASSWD) invalid or unset.

[bruno@gabriel 20131]$ cat /tmp/sso.txt
Wed Jun  5 16:53:32 PDT 2013
Server side script writes this is client side standard out.

Result:

STDOUT from server side is displayed on the client, as evidenced by "Server side script sees"
Second line of output which contains STDERR is not displayed on client because a successful client script will pass only one line to the server.
Authentication fails because server side script ends with non-zero exit code. Like any failed trigger, we see "validation failed".

    
Example 4


Client side: STDOUT, STDERR, non-zero exit code
Server side: STDOUT, non-zero exit code
[perforce@raphael bruno]$ cat /home/perforce/bruno/ssoclientside
#!/bin/bash
# Script with both standard out and standard error
echo "this is client side standard out."
ls /bogus/blah
exit 1

[bruno@gabriel 20131]$ cat /home/bruno/perforce/ssoserverside
#!/bin/sh
read CLIENTINPUT
date > /tmp/sso.txt
echo "USER is $1"
echo "Server side script writes $CLIENTINPUT" >> /tmp/sso.txt
echo "Server side script sees: $CLIENTINPUT from user $USER"
exit 1

[perforce@raphael bruno]$ p4 logout
Perforce password (P4PASSWD) invalid or unset.

[perforce@raphael bruno]$ p4 login
Single sign-on on client failed: this is client side standard out.
ls: /bogus/blah: No such file or directory

[perforce@raphael bruno]$ p4 login -s
Perforce password (P4PASSWD) invalid or unset.

(Nothing written to /tmp/sso.txt)

[bruno@gabriel 20131]$ cat /tmp/sso.txt
Wed Jun  5 16:53:32 PDT 2013
Server side script writes this is client side standard out.

Result:
STDOUT from server side is not displayed on the client
Second line of output which contains STDERR is displayed on client because of client side script failure
Authentication fails because client side script fails with "Single sign-on on client failed" error.
Server side information not displayed because process does not get past the client side

   
Example 5
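If we want both STDOUT and STDERR shown, we need
to have one line of output. To do this, we must redirect STDERR
to STDOUT, then combine all outputs into one line.
$ cat /home/perforce/rfong/ssoclientside
#!/bin/bash
# Script that merges standard error and standard out into a single line
# 2>&1 sends the STDERR of ls to STDOUT so it can be captured
MSG1=$(ls /bogus/blah 2>&1)
MSG2=$(echo Hello there)
# Emit one line only; the Server processes a single line
echo "$MSG1 $MSG2"
exit 0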
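
The server-side scripts in the examples above exit 0 or 1 unconditionally. As an added example (not Perforce's code), the script below verifies the single line it reads on STDIN against the %user% argument before allowing the login. It substitutes an HMAC-SHA256 token for the encrypt/decrypt password case mentioned at the top and is written in Python for its standard hmac module; the token layout, per-user key table and 60-second window are assumptions.

```python
#!/usr/bin/env python3
# Added example, not Perforce code. Token layout, key table and the
# 60-second window are assumptions made for illustration.
import hashlib
import hmac
import re
import sys
import time

USER_KEYS = {"bruno": b"constructed-demo-key"}  # constructed; use a protected store
MAX_AGE = 60  # seconds a token is accepted, which bounds the replay window
TOKEN_RE = re.compile(r"([A-Za-z0-9_.-]{1,64}):([0-9]{1,12}):([0-9a-f]{64})")


def _mac(user, ts, key):
    return hmac.new(key, f"{user}:{ts}".encode(), hashlib.sha256).hexdigest()


def make_token(user, key, now=None):
    """Client side (the P4LOGINSSO script): build the single line to print."""
    ts = int(time.time() if now is None else now)
    return f"{user}:{ts}:{_mac(user, ts, key)}"


def check_token(line, trigger_user, keys, now=None):
    """Server side: return the trigger exit code, 0 only for a valid token."""
    m = TOKEN_RE.fullmatch(line.rstrip("\r\n"))
    if m is None:
        return 1  # malformed input, or more than one line
    user, ts, mac = m.group(1), int(m.group(2)), m.group(3)
    key = keys.get(trigger_user)
    if key is None or user != trigger_user:
        return 1  # unknown user, or token minted for someone else
    now = time.time() if now is None else now
    if abs(now - ts) > MAX_AGE:
        return 1  # stale or future-dated token
    # Constant-time comparison so timing does not leak the expected MAC
    return 0 if hmac.compare_digest(mac, _mac(user, ts, key)) else 1


if __name__ == "__main__":
    # Server-side use: <this script> %user%, token arrives as one line on STDIN
    if len(sys.argv) != 2:
        sys.exit(1)
    sys.exit(check_token(sys.stdin.readline(), sys.argv[1], USER_KEYS))
```

The return value of check_token is used directly as the trigger's exit code, so every failure path denies the login.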