Manual Chapter: Single Sign-On Methods

What are the supported SSO methods?

Access Policy Manager® supports the following SSO authentication methods.

HTTP Basic Auth
  Access Policy Manager uses the cached user identity and sends the request with an Authorization header. The header carries the token Basic followed by the base64 encoding of the user name, a colon, and the password.

HTTP Forms
  Upon detection of the start URL match, Access Policy Manager uses the cached user identity to construct and send the HTTP form-based POST request on behalf of the user.

HTTP Forms - Client Initiated
  Upon detection of the request for the logon page (the URI, header, or cookie configured for matching the request), Access Policy Manager generates JavaScript code, inserts it into the logon page, and returns the logon page to the client, where the inserted JavaScript submits it automatically. APM processes the submission and uses the cached user identity to construct and send the HTTP form-based POST request on behalf of the user.

HTTP NTLM Auth v1
  NTLM employs a challenge-response mechanism for authentication, in which users prove their identity without sending the password to the server.

HTTP NTLM Auth v2
  The same challenge-response mechanism as NTLM v1; NTLMv2 is the updated version of the protocol.

Kerberos
  Provides transparent authentication of users to Windows web application servers (IIS) joined to an Active Directory domain. It is used when IIS servers request Kerberos authentication; this SSO mechanism allows the user to obtain a Kerberos ticket and have Access Policy Manager present it transparently to the IIS application.

About the Single Sign-On configuration object

Access Policy Manager supports various SSO methods. Each method contains a number of attributes that you need to configure properly to support SSO.

Misconfiguring the SSO object for any of the HTTP Basic, NTLM v1, NTLM v2, or Kerberos methods can disable SSO for all authentication methods for the rest of a user's session, starting when the user accesses a resource that uses the misconfigured object. The exceptions are Forms and Forms - Client Initiated: these are the only SSO methods that remain active when another method fails because of a misconfigured SSO object.

Configuring SSO using HTTP Basic authentication method

With the HTTP Basic method of authentication, the SSO plug-in uses the cached user identity and sends the request with an Authorization header. The header carries the token Basic followed by the base64 encoding of the user name, a colon, and the password.
  1. On the Main tab, expand Access Policy, and click SSO Configurations. The SSO Configuration List screen opens.
  2. From the menu bar, select SSO Configurations by Type and select HTTP Basic from the list. A screen appears, displaying the SSO configurations of that type.
  3. Click Create. The New SSO Configuration screen opens.
  4. Type a name for the SSO object.
  5. In the Credentials Source area, specify the session variables holding the user name and password you want cached for Single Sign-On.
  6. Click Finished.

General SSO object attributes

Of these general attributes, the Username source attribute applies to all SSO methods.

SSO method
  Description: Defines the authentication method for your SSO configuration object. You can select from the following choices: HTTP Basic, Form Based, NTLMV1, NTLMV2, or Kerberos.
  Session variable default: N/A

Username Source
  Description: Defines the source session variable name of the user name for SSO authentication.
  Session variable default: session.sso.token.last.username

Password Source
  Description: Defines the source session variable name of the password for SSO authentication.
  Session variable default: session.sso.token.last.password

Username Conversion
  Description: Converts a pre-Windows 2000 (domain\username) or UPN (username@domain) input format to the format you want to use for SSO. For example, convert domain\username or username@domain to username.
  Session variable default: session.sso.domain.source
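The following is an added example, not code from the manual or from APM itself. It shows what the HTTP Basic method and the Username Conversion attribute amount to in practice: the cached user name is reduced from domain\user or user@domain form to a bare user name, then encoded with the password into the Authorization header, and the receiving side splits it back apart on the first colon. The function names and the session dictionary are illustrative assumptions; only the session variable names mirror the defaults listed above.

```python
import base64
import binascii

# Added example (not APM code): HTTP Basic header construction with the
# Username Conversion step applied first. The session dict is a constructed
# stand-in for APM's session store; its keys are the defaults from the table.


def convert_username(raw: str) -> str:
    """Reduce domain\\user or user@domain to the bare user name.

    Only the first separator is honoured: CORP\\alice -> alice and
    alice@corp.example.com -> alice; a name with no separator is unchanged.
    """
    if "\\" in raw:
        return raw.split("\\", 1)[1]
    if "@" in raw:
        return raw.split("@", 1)[0]
    return raw


def basic_authorization_header(username: str, password: str) -> str:
    """Return the header value 'Basic ' + base64(user:password).

    RFC 7617 forbids a colon in the user-id, because the receiver splits on
    the first colon; the password itself may contain colons.
    """
    if ":" in username:
        raise ValueError("user-id must not contain ':' (RFC 7617)")
    token = base64.b64encode(f"{username}:{password}".encode("utf-8")).decode("ascii")
    return f"Basic {token}"


def parse_basic_authorization(header: str) -> tuple[str, str]:
    """Recover (user, password) from a Basic header, splitting on the FIRST colon."""
    scheme, _, token = header.strip().partition(" ")
    if scheme.lower() != "basic" or not token:
        raise ValueError("not a Basic credential")
    try:
        decoded = base64.b64decode(token, validate=True).decode("utf-8")
    except (binascii.Error, UnicodeDecodeError) as exc:
        raise ValueError("malformed Basic token") from exc
    user, sep, password = decoded.partition(":")
    if not sep:
        raise ValueError("Basic credential lacks ':' separator")
    return user, password


def sso_basic_header(session: dict) -> str:
    """Build the header the SSO plug-in would send, from cached session variables."""
    user = convert_username(session["session.sso.token.last.username"])
    return basic_authorization_header(user, session["session.sso.token.last.password"])


if __name__ == "__main__":
    # Constructed sample session: the user logged on with a down-level name and
    # a password that contains a colon (legal, and a common parser mistake).
    cached = {
        "session.sso.token.last.username": "CORP\\alice",
        "session.sso.token.last.password": "s3cr:et",
    }
    hdr = sso_basic_header(cached)
    print(hdr)                               # Basic YWxpY2U6czNjcjpldA==
    print(parse_basic_authorization(hdr))    # ('alice', 's3cr:et')
```

Base64 is an encoding, not encryption: anyone who can read the APM-to-server hop can recover the password, so this method is only acceptable when that hop is TLS-protected and the Username Source and Password Source variables are populated from a logon the user actually completed.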

Configuring SSO using HTTP forms authentication method

With the HTTP forms method of authentication, upon detection of the start URL match, the SSO plug-in uses the cached user identity to construct and send the HTTP form-based POST request on behalf of the user.
  1. On the Main tab, expand Access Policy, and click SSO Configurations. The SSO Configuration List screen opens.
  2. From the menu bar, click SSO Configurations By Type and select Forms from the list. A list of Form Based Configurations is displayed.
  3. Click Create. The New SSO Configuration screen opens.
  4. Type a name for the SSO object.
  5. From the Use SSO Template list, select the template you want to use. The screen refreshes to show additional settings applicable to the specific template.
  6. In the SSO Method Configuration area, specify all relevant parameters. Refer to the online help for specific information on each parameter.
  7. Click Finished.

HTTP Forms SSO object attributes

The following object attributes apply specifically to the HTTP Forms SSO method.

Start URI
  Description: Defines the start URI value. HTTP form-based authentication executes for SSO if the HTTP request URI matches the start URI value. You can specify multiple start URI values, one per line.
  Session variable: start_uri

Pass Through
  Description: If you check this box, cookies presented in the form are propagated to the client browser.

Form Method
  Description: Defines the method of the HTTP form-based authentication for SSO. The options are GET or POST. By default, the form method is POST; if you specify GET, the SSO authentication request is sent as an HTTP GET request.

Form Action
  Description: Defines the form action URL used for the HTTP authentication request for SSO. For example, /access/oblix/apps/webgate/bin?/webgate.dll. If you do not specify a value for this attribute, the original request URL is used for SSO authentication.
  Session variable: form_action

Form Parameter For User Name
  Description: Defines the parameter name of the login user name. For example, userid is specified as the attribute value if the HTTP server expects the user name in the form userid=.
  Session variable: form_parameter

Form Parameter For Password
  Description: Defines the parameter name of the login password. For example, pass is specified as the attribute value if the HTTP server expects the password in the form pass=.

Hidden Form Parameters/Values
  Description: Defines the hidden form parameters required by the authentication server login form at your location. Enter hidden parameters like this: param1 value1, then param2 value2 on the next line. Separate each parameter's name and value with a space, not an equal sign. Each parameter must start on a new line.

Successful Logon Detection Match Type
  Description: Defines how Access Policy Manager detects whether the server authenticated the user successfully. You can select one:
  • By Resulting Redirect URL: The authentication success condition is determined by examining the redirect URL in the HTTP response. You can specify multiple values for this option.
  • By Presence Of Specific Cookie: The authentication success condition is determined by the presence of the named cookie in the response. The cookie value is random and cannot be specified; the cookie name is usually known. This option uses only one defined value.
  Session variable: success_match_value

Successful Logon Detection Match Value
  Description: Defines the value used by the selected success detection type; that is, the redirect URL(s) or the cookie name.
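The following is an added example, not code from the manual or from APM. It models the HTTP Forms attributes above end to end: matching the request against the Start URI list, parsing the Hidden Form Parameters/Values box (space-separated, one per line), building the GET or POST logon request with the user name and password parameters, and applying either success detection rule to the server's response. The configuration keys, the sample values, and the response shape (a status code plus a headers dictionary whose Set-Cookie entry is a list) are constructed for this illustration.

```python
from http.cookies import SimpleCookie
from urllib.parse import urlencode, urlsplit

# Added example (not APM code): a model of the HTTP Forms SSO attributes.
# Config keys are named after the attributes in the table; everything else
# (sample URIs, parameter names, cookie name) is constructed.

FORMS_CFG = {
    "start_uri": ["/logon", "/login.aspx"],          # one per line in the GUI
    "form_method": "POST",
    "form_action": "/do_login",                       # empty -> original request URL
    "form_parameter_for_username": "userid",
    "form_parameter_for_password": "pass",
    "hidden_form_parameters": "domain CORP\naction login\n",
    "success_match_type": "cookie",                   # or "redirect"
    "success_match_value": "AuthCookie",              # list of URLs for "redirect"
}


def parse_hidden_params(text: str) -> dict:
    """Parse 'name value' lines; the separator is a space, not '='.
    A name on its own is sent with an empty value."""
    params = {}
    for line in text.splitlines():
        line = line.strip()
        if line:
            name, _, value = line.partition(" ")
            params[name] = value.strip()
    return params


def matches_start_uri(request_uri: str, start_uris) -> bool:
    """Forms SSO fires only when the request path equals one of the Start URIs
    (query strings are ignored on both sides)."""
    path = urlsplit(request_uri).path
    return any(path == urlsplit(s).path for s in start_uris)


def build_logon_request(cfg: dict, request_uri: str, username: str, password: str):
    """Return (method, target, body) for the logon submitted on the user's behalf."""
    fields = {
        cfg["form_parameter_for_username"]: username,
        cfg["form_parameter_for_password"]: password,
    }
    fields.update(parse_hidden_params(cfg.get("hidden_form_parameters", "")))
    action = cfg.get("form_action") or request_uri
    encoded = urlencode(fields)
    if cfg.get("form_method", "POST").upper() == "GET":
        # With GET the credentials travel in the URL and end up in proxy and
        # server access logs; this is why POST is the default.
        sep = "&" if "?" in action else "?"
        return "GET", f"{action}{sep}{encoded}", ""
    return "POST", action, encoded


def logon_succeeded(cfg: dict, status: int, headers: dict) -> bool:
    """Apply the Successful Logon Detection Match Type to a server response.

    redirect: a 3xx whose Location path equals one of the configured URLs.
    cookie:   a Set-Cookie header that names the configured cookie; only the
              name is compared because the value is random.
    """
    kind, value = cfg["success_match_type"], cfg["success_match_value"]
    if kind == "redirect":
        location = headers.get("Location", "")
        return 300 <= status < 400 and any(
            urlsplit(location).path == urlsplit(v).path for v in value)
    if kind == "cookie":
        jar = SimpleCookie()
        for raw in headers.get("Set-Cookie", []):
            jar.load(raw)
        return value in jar
    raise ValueError(f"unknown match type {kind!r}")


if __name__ == "__main__":
    if matches_start_uri("/logon?ret=%2Fhome", FORMS_CFG["start_uri"]):
        print(build_logon_request(FORMS_CFG, "/logon", "alice", "s3cret"))
    # Constructed response: the application set its session cookie.
    print(logon_succeeded(FORMS_CFG, 200, {"Set-Cookie": ["AuthCookie=3f9a2c; Path=/; HttpOnly"]}))
```

Two points the model makes visible: a Start URI that is too broad (or a Form Action left empty on a page that is not the logon form) posts the user's cached credentials to whatever URL the request was for, and redirect-based success detection must check the redirect target, not merely that a redirect occurred, since many logon forms redirect back to themselves on failure.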

Configuring SSO using NTLM v1 authentication method

With this method of authentication, NTLM employs a challenge-response mechanism for authentication, where the users can prove their identities without sending a password to a server.
  1. On the Main tab, expand Access Policy, and click SSO Configurations. The SSO Configuration List screen opens.
  2. Click Create. The New SSO Configuration screen opens.
  3. From the SSO Method list, select NTLMV1.
  4. In the SSO Method Configuration area, specify all relevant parameters. Refer to the online help for specific information on each parameter.
  5. Click Finished.

Configuring SSO using NTLM v2 authentication method

With this method of authentication, NTLM employs a challenge-response mechanism for authentication, where the users can prove their identities without sending a password to a server. This version of NTLM has been updated from version 1.
  1. On the Main tab, expand Access Policy, and click SSO Configurations. The SSO Configuration List screen opens.
  2. Click Create. The New SSO Configuration screen opens.
  3. From the SSO Method list, select NTLMV2.
  4. In the SSO Method Configuration area, specify all relevant parameters. Refer to the online help for specific information on each parameter.
  5. Click Finished.
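The NTLM v1 and v2 sections above both describe NTLM as a challenge-response scheme in which the password itself never crosses the wire. The following added example (not code from the manual or from APM) writes out the NTLMv2 cryptographic core so that property can be checked: the server issues a random challenge, the client answers with an HMAC over the challenge keyed by a hash derived from the password, and the server recomputes the same value from the stored NT hash. NTLM message framing (NEGOTIATE, CHALLENGE and AUTHENTICATE headers, flags, target info) is omitted. An MD4 implementation is included because OpenSSL 3 builds of hashlib often lack it. The user, domain, password and fixed challenge values in the demonstration are constructed.

```python
import hmac
import os
import struct
import time

# Added example (not APM code): NTLMv2 challenge-response core per MS-NLMP.
MASK = 0xFFFFFFFF


def _rotl(x: int, n: int) -> int:
    x &= MASK
    return ((x << n) | (x >> (32 - n))) & MASK


def md4(data: bytes) -> bytes:
    """RFC 1320 MD4 in pure Python (speed is irrelevant for one hash)."""
    msg = bytearray(data) + b"\x80"
    while len(msg) % 64 != 56:
        msg += b"\x00"
    msg += struct.pack("<Q", (8 * len(data)) & 0xFFFFFFFFFFFFFFFF)
    a, b, c, d = 0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476
    f = lambda x, y, z: (x & y) | (~x & z)
    g = lambda x, y, z: (x & y) | (x & z) | (y & z)
    h = lambda x, y, z: x ^ y ^ z
    for off in range(0, len(msg), 64):
        X = struct.unpack("<16I", msg[off:off + 64])
        aa, bb, cc, dd = a, b, c, d
        for i in range(16):                                   # round 1
            a = _rotl(a + f(b, c, d) + X[i], (3, 7, 11, 19)[i % 4])
            a, b, c, d = d, a, b, c
        for i in range(16):                                   # round 2
            k = (i % 4) * 4 + i // 4
            a = _rotl(a + g(b, c, d) + X[k] + 0x5A827999, (3, 5, 9, 13)[i % 4])
            a, b, c, d = d, a, b, c
        for i in range(16):                                   # round 3
            k = (0, 8, 4, 12, 2, 10, 6, 14, 1, 9, 5, 13, 3, 11, 7, 15)[i]
            a = _rotl(a + h(b, c, d) + X[k] + 0x6ED9EBA1, (3, 9, 11, 15)[i % 4])
            a, b, c, d = d, a, b, c
        a, b, c, d = (a + aa) & MASK, (b + bb) & MASK, (c + cc) & MASK, (d + dd) & MASK
    return struct.pack("<4I", a, b, c, d)


def nt_hash(password: str) -> bytes:
    """NTOWFv1: MD4 over the UTF-16LE password. The server stores this, not the password."""
    return md4(password.encode("utf-16le"))


def ntowf_v2(nt: bytes, user: str, domain: str) -> bytes:
    """NTOWFv2 = HMAC-MD5(NT hash, UPPER(user) || domain), UTF-16LE; domain case is preserved."""
    return hmac.new(nt, (user.upper() + domain).encode("utf-16le"), "md5").digest()


def ntlmv2_proof(nt: bytes, user: str, domain: str, server_challenge: bytes, blob: bytes) -> bytes:
    """NTProofStr = HMAC-MD5(NTOWFv2, ServerChallenge || blob)."""
    return hmac.new(ntowf_v2(nt, user, domain), server_challenge + blob, "md5").digest()


def make_blob(client_challenge: bytes, timestamp: int, target_info: bytes = b"") -> bytes:
    """Minimal NTLMv2_CLIENT_CHALLENGE: version 0x0101, reserved, FILETIME, 8-byte nonce, AV pairs."""
    return (b"\x01\x01" + b"\x00" * 6 + struct.pack("<Q", timestamp)
            + client_challenge + b"\x00" * 4 + target_info + b"\x00" * 4)


def client_respond(server_challenge: bytes, user: str, domain: str, password: str,
                   client_challenge: bytes = None, timestamp: int = None) -> bytes:
    """Client side: returns NTProofStr || blob. Only the password's hash is used, locally."""
    nonce = client_challenge or os.urandom(8)
    ts = timestamp if timestamp is not None else int((time.time() + 11644473600) * 10_000_000)
    blob = make_blob(nonce, ts)
    return ntlmv2_proof(nt_hash(password), user, domain, server_challenge, blob) + blob


def server_verify(stored_nt: bytes, user: str, domain: str, server_challenge: bytes, response: bytes) -> bool:
    """Server side: recompute the proof from the stored NT hash; constant-time compare."""
    if len(response) < 16:
        return False
    proof, blob = response[:16], response[16:]
    return hmac.compare_digest(proof, ntlmv2_proof(stored_nt, user, domain, server_challenge, blob))


if __name__ == "__main__":
    challenge = os.urandom(8)                       # issued by the server
    resp = client_respond(challenge, "alice", "CORP", "password")
    print(server_verify(nt_hash("password"), "alice", "CORP", challenge, resp))   # True
    print(server_verify(nt_hash("password"), "alice", "CORP", os.urandom(8), resp))  # False: fresh challenge
```

The second verification call shows why a captured response cannot simply be replayed: it is bound to the server's challenge. The flip side, visible in the code, is that whoever holds the NT hash can both produce and verify responses, so the cached credential behind an NTLM SSO object is password-equivalent and must be protected as such.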