OTDS Variables

This topic describes the available Variables that can be used in an OTDS type Authenticator.

Resolving Variables

While configuring an Authenticator, you can use Variables. You can add them at the Authenticator level, Organization level, and Shared level. The resolve algorithm for a variable searches the Authenticator-specific variables first. If the variable is not found at the Authenticator level, the Organization level variables are searched. If it is not found at either the Authenticator level or the Organization level, the Shared level variables are searched.

OTDS Variables

The following Variables can be specified.

| Variable | Description |
|---|---|
| BASE_URL | This is a legacy variable. Define the public cluster URL instead. |
| IDP_RETURN_URL | When this variable is set, the Process Platform OTDS TCS redirects to this URL after validating the POSTed OTDS ticket from OTDS. That is, after the user signs in to OTDS, the browser is redirected to the URL specified in this variable. The IDP_RETURN_URL is used when the No Frame option in FrameOptions is set. Process Platform IDP integration is browser-based. All protocol redirects are done through the browser. When the No Frame option is used, the complete browser is redirected to the OTDS server URL. This means that the Process Platform context is completely lost in the browser. After the user has authenticated in OTDS, an OTDS ticket is POSTed to the Process Platform OTDS TCS. After validation, the TCS redirects the browser back to the URL configured in IDP_RETURN_URL. IDP_RETURN_URL can also be used when you do not want to redirect to the CUSP start page, but to another page, such as an application XForm. The value specified only needs to be the part after the domain, for example /home/myorg or /home/myorg/com/acme/app/myform.caf. |

BASE_URL Checks

When redirecting the browser to the OTDS server, a URL parameter called returnUrl must be passed in the URL. Part of the returnUrl is the BASE_URL described above. Before the BASE_URL is used, the following checks compare the configured BASE_URL with the request URL as used by the user:

  • Is the protocol the same?
  • Is the domain the same?
  • Is the port the same?

In some scenarios, such as when using a proxy with SSL offloading, these checks block usage of the BASE_URL. Therefore, the following properties can be used to disable these checks. They can be set either in wcp.properties or as a JRE parameter on the Single Sign-On Service container. The properties are:

| Property | Description |
|---|---|
| authenticator.disable.baseurl.protocol.check | Disables the protocol check when using the BASE_URL value |
| authenticator.disable.baseurl.domain.check | Disables the domain check when using the BASE_URL value |
| authenticator.disable.baseurl.port.check | Disables the port check when using the BASE_URL value |

Note: The default value for all the above checks is false, which means that all the checks are performed by default.
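
The three comparisons described in this section can be modelled to see which of them a given proxy setup actually trips, so that only those checks are disabled rather than all three. This is an added example, not Process Platform code: the URLs are constructed, and both the treatment of an omitted port as the scheme default and the =true property value are assumptions.

```python
from urllib.parse import urlsplit

# Property names are taken from the table above; everything else is illustrative.
DISABLE_PROPERTY = {
    "protocol": "authenticator.disable.baseurl.protocol.check",
    "domain": "authenticator.disable.baseurl.domain.check",
    "port": "authenticator.disable.baseurl.port.check",
}
DEFAULT_PORTS = {"http": 80, "https": 443}  # assumption: omitted port means scheme default


def _parts(url):
    """Split a URL into the three components the checks compare."""
    u = urlsplit(url)
    scheme = u.scheme.lower()
    if scheme not in DEFAULT_PORTS or not u.hostname:
        raise ValueError(f"not an absolute http(s) URL: {url!r}")
    return {
        "protocol": scheme,
        "domain": u.hostname,  # urlsplit returns the host lower-cased
        "port": u.port or DEFAULT_PORTS[scheme],
    }


def failed_checks(base_url, request_url):
    """Return the names of the checks that would fail, in table order."""
    base, seen = _parts(base_url), _parts(request_url)
    return [name for name in DISABLE_PROPERTY if base[name] != seen[name]]


def properties_to_disable(base_url, request_url):
    """Smallest set of property lines (assumed value: true) that lets this pair pass."""
    return [f"{DISABLE_PROPERTY[c]}=true" for c in failed_checks(base_url, request_url)]


if __name__ == "__main__":
    # Constructed sample: public HTTPS URL, proxy forwards plain HTTP on port 8080.
    base = "https://bpm.example.com/home/myorg"
    for seen in ("https://bpm.example.com/home/myorg",
                 "http://bpm.example.com:8080/home/myorg",
                 "http://appserver01.internal:8080/home/myorg"):
        print(seen, "->", failed_checks(base, seen) or "all checks pass")
        for line in properties_to_disable(base, seen):
            print("   ", line)
```

A result that lists the domain check means the request reaches the server under a different host name than the configured BASE_URL, which is worth resolving at the proxy before that check is switched off.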