EnterWorks REST API Access and Single Sign-on (SSO) - Precisely_EnterWorks - EnterWorks - 11.0

EnterWorks Guide

Product: Precisely EnterWorks (product family: EnterWorks; portfolio: Verify; product type: Software)
Version: 11.0
Language: English
Copyright: 2024
First publish date: 2007
Last updated: 2025-01-07
Published on: 2025-01-07T07:44:20.997000

Configuring user access through the EnterWorks REST API in an SSO environment.

In order for an application to use a user's identity to access EnterWorks through the EnterWorks REST API, EnterWorks must be able to authenticate the user. The user must have an EnterWorks account and user group memberships must be assigned. Additionally, EnterWorks must have the user's password or be configured to request user authentication through an external authentication mechanism, such as Azure Active Directory.

Depending on how EnterWorks is configured to work in the SSO environment, the user's EnterWorks user account is created in one of the following ways:

  • The EnterWorks user account is created manually by the EnterWorks business administrator. Typically the user's EnterWorks password would not be set by the EnterWorks business manager because the password is managed by the SSO Identity Provider (IDP).
  • Or, if EnterWorks is configured for automatic provisioning, the user's account is created the first time the user attempts to access EnterWorks through SSO. The IDP would provide EnterWorks with the user's name and group assignments, but would not give EnterWorks the user's password.

Once the user's EnterWorks account is created, an application that attempts to use the user's identity to access EnterWorks through the EnterWorks REST API would be unable to authenticate, because EnterWorks does not have a password for the user and so cannot authenticate the request. To allow the user access to EnterWorks through the REST API, EnterWorks must be configured in one of the ways described in the sections below.

For more information about automatic provisioning or how EnterWorks interacts with an IDP, see Configure Single Sign-on (SSO).

EnterWorks manages the user's password locally

Once the user's EnterWorks account has been created, an EnterWorks business manager can manually add a password to the user's account. Since the IDP and EnterWorks never transmit the user's password to each other, the password in the user's EnterWorks account would be completely separate from the password the IDP uses to authenticate the user. The IDP uses the password it has to authenticate the user, and when a request comes to EnterWorks through the REST API, EnterWorks would authenticate the request by checking it against the password EnterWorks is managing locally.

If EnterWorks is managing the user's password locally and the user is deleted from the SSO environment or changes their SSO password, those changes will not be propagated to EnterWorks. The user will still be able to use the REST API to access EnterWorks unless an EnterWorks business administrator deletes the user from EnterWorks or changes their EnterWorks password.

Before you can configure EnterWorks to manage a user's password locally in the SSO environment:
  • EnterWorks must already be configured for SSO. See Configure Single Sign-on (SSO).
  • The user's EnterWorks account must already be created, either by the EnterWorks business administrator manually creating the account or by EnterWorks creating the account using automatic provisioning.

To configure EnterWorks to manage the user's EnterWorks password locally:
  1. In the Classic UI, open the user's account for editing. To do so, open the Feature bar, expand Users and Groups, and select Users.

  2. Change the user's LDAP User setting to No. This configures EnterWorks to manage the user's password locally.

  3. Set the password the user will use to log in through the REST API. Enter a Password and enter it again in the Confirmation Password field.

  4. Select Save to save your changes to the user account.
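Because deletions and password changes in the SSO environment are not propagated to locally managed passwords, those accounts need a periodic check against the IDP. The following is an added example, not part of the EnterWorks documentation or product: it compares two constructed CSV exports, whose column names and sample users are assumptions, and flags accounts with LDAP User set to No whose user is missing from the IDP or has changed their IDP password since the local password was set.

```python
import csv
import io
from datetime import datetime

# Constructed sample exports. Column names are assumptions for illustration,
# not an EnterWorks or IDP export format.
ENTERWORKS_USERS_CSV = """login,ldap_user,local_password_set
alice,No,2024-03-01
bob,No,2024-05-10
carol,Yes,
DAVE,No,2024-06-15
"""

IDP_USERS_CSV = """login,password_last_changed
alice@example.com,2024-02-20
dave@example.com,2024-09-01
carol@example.com,2024-07-07
"""

def _norm(login):
    """Compare logins case-insensitively and without a domain suffix."""
    return login.strip().lower().split("@", 1)[0]

def _date(text):
    return datetime.strptime(text.strip(), "%Y-%m-%d").date()

def audit_local_passwords(enterworks_csv, idp_csv):
    """Return (login, finding) pairs for locally managed REST API passwords
    that no longer track the user's state in the SSO environment."""
    idp = {_norm(r["login"]): _date(r["password_last_changed"])
           for r in csv.DictReader(io.StringIO(idp_csv))}
    findings = []
    for row in csv.DictReader(io.StringIO(enterworks_csv)):
        if row["ldap_user"].strip().lower() != "no":
            continue  # password is not managed locally by EnterWorks
        login = _norm(row["login"])
        if login not in idp:
            findings.append((login, "not in IDP: delete or reset in EnterWorks"))
        elif idp[login] > _date(row["local_password_set"]):
            findings.append((login, "IDP password changed since local password was set"))
    return findings

if __name__ == "__main__":
    for login, finding in audit_local_passwords(ENTERWORKS_USERS_CSV, IDP_USERS_CSV):
        print(f"{login}: {finding}")
```

Each finding is a prompt for an EnterWorks business administrator to delete the user from EnterWorks or change their EnterWorks password, the two remedies described above.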

The same Active Directory user domain is used to authenticate users for the SSO IDP and EnterWorks

If the SSO IDP uses Active Directory to authenticate users, EnterWorks can be configured to request that Active Directory authenticate users in the same domain the IDP uses. Since Active Directory would be accessing the same user account information to respond to authentication requests by both the IDP and EnterWorks, if the IDP changes a user's password or deletes the user, the changes would also affect the user's access to the EnterWorks UI and their access through the EnterWorks REST API.

To configure EnterWorks to authenticate REST API requests through Active Directory: