Manual Chapter: Form-based Client-initiated Single Sign-On Method

Why use form-based client-initiated SSO authentication?

You can use the Form-based Client-initiated SSO method to create forms-based SSO configurations that are suitable for many use cases. For example, you can use this SSO method to support web applications that run JavaScript in the browser and need to maintain application state during the logon process and for web applications that present multiple logon screens.

Basic configuration of form-based client-initiated SSO

To create a form-based client-initiated SSO configuration object, you must configure at least one form and include at least one form parameter. A form parameter represents an input element on an HTML logon form, such as a form field for entering username or password, or, optionally, for entering a hidden form parameter.

Form-based client-initiated SSO configuration supports three sets of matching criteria for you to define using the following menu items.

  • Form Detection (Mandatory) - Configure the SSO module to detect the HTTP request for the logon page by matching the HTTP URI, header, or cookie that you specify. You must enter data that is specific to the application. Entry of multiple URIs is supported. Form detection is successful when the request matches one of the configured items either partially or fully, depending on whether Request Prefix is enabled in the Advanced Properties section.
  • Form Identification (Optional) - Specify how to detect the form within the HTTP body of the logon page. The default setting is Form Parameters; this setting enables identification of the login form parameter fields based on the values entered for the form parameters in the General Properties dialog. Alternatively, you can specify that the form be identified using other data present in the form, such as the ID, name, or action attributes, or the form order.
  • Successful Logon Detection (Optional) - Configure the SSO module to detect whether logon was successful by checking for the presence of a cookie or a redirect URI. Defaults to None (logon detection is not performed).

The majority of web applications have a single logon page with one logon form. You need to define a single form for these applications. In less usual cases when an application has multiple logon pages with different logon forms, you will need to create multiple forms, one for each logon page. If multiple logon pages use the same form, you will need only one form with a list of URIs for all logon pages.

How does form-based client-initiated SSO authentication work by default?

The following figure illustrates the default behavior of the form-based client-initiated SSO authentication method.

Figure: Form-based client-initiated SSO default behavior
  1. The user logs on to Access Policy Manager and APM executes the access policy. This populates the session variables with the user credentials.
  2. The user requests the application logon page. This GET request is passed to the application web server verbatim.
  3. The application web server replies with 200 OK and serves the logon page.
  4. APM generates JavaScript and inserts it into the logon page before returning it to the user. The JavaScript assigns values to form parameters, as specified in the form configuration. The password parameter is assigned a password token rather than the actual user password.
  5. The JavaScript runs on the client side. The logon page is not displayed to the user; user input is locked out. Without delay, the form is submitted using POST. The form parameters and their values, including username and password token, are sent to APM.
  6. APM then replaces the password token with the actual user password, as well as other form parameters specified in the form configuration with their configured values.
  7. The POST, along with the real user credentials from step 1, is sent to the web server.
  8. The application start page is served by the web server and sent to the client verbatim. Optionally, APM performs detection of successful logon by examining HTTP response headers, looking for a cookie or redirect Location URI.
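
The token exchange in steps 4 through 7, as an added sketch that is not part of the original chapter and is not APM's implementation. The function names, the session contents and the hidden `state` field are constructed for illustration; the token literal is the one that appears in the Salesforce custom JavaScript in this chapter.

```javascript
// Added illustration of steps 4-7; not APM code. The session contents,
// function names and the hidden "state" field are constructed samples.
const PASSWORD_TOKEN = 'f5-sso-token'; // literal shown in this chapter's custom JavaScript

// Form parameters as they would be entered in the form definition.
const formParams = [
  { name: 'username', value: '%{session.sso.token.last.username}', secure: false },
  { name: 'password', value: '%{session.sso.token.last.password}', secure: true },
  { name: 'domain', value: '%{session.logon.last.domain}', secure: false },
];

// Constructed session variables populated by the access policy (step 1).
// session.logon.last.domain is deliberately absent.
const session = {
  'session.sso.token.last.username': 'jdoe',
  'session.sso.token.last.password': 'S3cret!pw',
};

// Expand %{variable} references; a variable that is not found yields ''.
function expand(template, vars) {
  return template.replace(/%\{([^}]+)\}/g, (whole, key) =>
    Object.prototype.hasOwnProperty.call(vars, key) ? vars[key] : '');
}

// Step 4: values the inserted script assigns in the browser.
// A Secure parameter receives the token, never the session value.
function valuesForBrowser(params, vars) {
  const values = {};
  for (const p of params) {
    values[p.name] = p.secure ? PASSWORD_TOKEN : expand(p.value, vars);
  }
  return values;
}

// Step 5: the browser posts the form, including fields the application
// itself put on the page (here a hidden state field).
function browserPost(pageFields, injected) {
  return new URLSearchParams({ ...pageFields, ...injected }).toString();
}

// Steps 6-7: every configured parameter is overwritten with its configured
// value before the POST is forwarded; other fields pass through unchanged.
function rewriteForBackend(body, params, vars) {
  const fields = new URLSearchParams(body);
  for (const p of params) {
    fields.set(p.name, expand(p.value, vars));
  }
  return fields.toString();
}

function demo() {
  const injected = valuesForBrowser(formParams, session);
  const fromBrowser = browserPost({ state: 'abc123' }, injected);
  // Constructed case: the username field is altered in the browser before
  // submit; step 6 restores the configured value.
  const altered = fromBrowser.replace('username=jdoe', 'username=other');
  const toBackend = rewriteForBackend(altered, formParams, session);
  return { fromBrowser, toBackend };
}
```

The body that leaves the browser carries only the token, and the body forwarded to the web server carries the session's username and password together with the application's own hidden field.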

About advanced configuration options for form-based client-initiated SSO authentication

You can change some aspects of the Form-based Client-initiated SSO default behavior by configuring optional properties.

  • Advanced Properties - Enables you to change the default properties for form request and form submittal.
  • JavaScript Insertion - Enables you to change the automatically generated JavaScript code that gets inserted into the logon page in one of these ways: replace it completely with custom code, or add extra code to it by specifying the application JavaScript functions to call prior to submitting a logon form.
  • Form Submit Detection - Enables the SSO module to automatically detect the application HTTP request that submits user credentials; if automatic detection is disabled, the SSO module instead detects form submittal by using an HTTP header, cookie, or HTTP URIs that you specify. Defaults to enabled (automatic).

Configuring SSO using form-based client-initiated authentication method

With the HTTP form-based client-initiated method of authentication, when Access Policy Manager® detects the request for the logon page (by the URI, header, or cookie that is configured for matching the request), APM generates JavaScript code, inserts it into the logon page, and returns the logon page to the client, where it is automatically submitted by the inserted JavaScript. APM processes the submission and uses the cached user identity to construct and send the HTTP form-based POST request on behalf of the user.
  1. On the Main tab, expand Access Policy, and click SSO Configurations. The SSO Configuration List screen opens.
  2. From the menu bar, select SSO Configurations by Type and select an SSO type from the list. A screen appears, displaying SSO configurations of that type.
  3. Click Create over the Available Forms-Client Initiated Configurations table. A New Forms-Client Initiated window pops up.
  4. Type a name for the SSO object.
  5. Click Create over the Forms in this SSO Configuration table. You must create at least one form to complete the SSO configuration. The New Form Definition window appears.
  6. Type a name in the Form Name field and click Create above the Forms Parameters table. The New Form Parameter window appears.
  7. Select a Parameter Type, fill in a name and a value for the parameter and click OK. You are returned to the New Form Definition window where the new form parameter is displayed.
  8. Click OK. The new SSO configuration appears in the Available Forms-Client Initiated Configurations table and the new form appears in the Forms for Forms-Client Initiated SSO Config table.

Forms-based client-initiated object attributes

The following tables list the attributes that compose an SSO forms-based client-initiated configuration.

SSO configuration properties

Table 1. SSO configuration properties
Field | Value
SSO Configuration Name | Specifies the name of the configuration. It must be unique.
SSO Description | Specifies a description. Optional.
Log Level | Valid values are listed. Defaults to Notice.

Form Definition

Table 2. General Properties
Field | Value
Form Name | Specifies the name of the form. It can be any name; it does not need to match the actual name of the HTML form.
Form Description | Specifies a description. Optional.

Table 3. Form Parameter Properties
Field | Value
Parameter Type | Specifies whether the parameter represents username, password, or a custom parameter.
Username Parameter Name | Specifies the parameter name for the user name. Defaults to username. Note: This parameter name must match the parameter name for the user name that is used in the logon page; to determine the correct name, view the logon page source.
Username Parameter Value | Specifies the value of the username. Defaults to a session variable. (For information about setting a value, see Form Parameter Value.)
Password Parameter Name | Specifies the parameter name for the password. Defaults to password.
Password Parameter Value | Specifies the value of the password. Defaults to a session variable. (For information about setting a value, see Form Parameter Value.)
Secure | Specifies whether or not the parameter is a password. Defaults to checked for Password parameter type; otherwise defaults to unchecked.
Form Parameter Name | Specifies the name of a custom parameter.
Form Parameter Value | Specifies the value of the custom parameter. This is usually the name of a session variable. The value could also be a literal string or a combination of strings and session variable names. Note: If the session variable is not found when the SSO request is processed, the value of the corresponding POST parameter will be empty.

Table 4. Form Detection
Field | Value
Detect Form by | Specifies which element of the HTTP request headers is used to identify the application request for the logon page: Cookie, Header, or URI. Defaults to URI.
Cookie | Specifies a cookie name. The form is identified by the presence (default) or absence (configurable with Advanced Properties) of this cookie.
Header | Specifies a header name and value. The form is identified by the presence (default) or absence (configurable with Advanced Properties) of this header.
URI | Specifies one or more URIs (one per line). The form is identified by a successful (default) or failed (configurable with Advanced Properties) match against this list of URIs.

Table 5. Form Identification
Field | Value
Identify Form by | Specifies how the HTML logon form is found in the HTML body of the logon page. If there is more than one form on the logon page matching the criteria, the first match is used. Values are ID Attribute, Name Attribute, Action Attribute, Form Order, Form Parameters. Defaults to Form Parameters.
Form Parameters | Specifies that the form parameters, which have already been defined, are used to find the form. There is nothing more to configure.
Form ID | Specifies the form ID that is used to identify the form.
Form Name | Specifies the value of the form name.
Form Action | Specifies the value of the action attribute.
Form Order | Specifies the relative order of the form on the logon page (starting from 1).

Table 6. Successful Logon Detection
Field | Value
Detect Logon by | Specifies whether and how to detect a successful logon. Values are Presence of Cookie, Redirect URI, and None. Defaults to None, in which case no determination is made.
Cookie Name | Specifies the cookie name that identifies successful logon.
Redirect URI | Specifies the redirect URI that identifies successful logon.

Table 7. Advanced Properties - Form Request
Field | Value
Request Method | Specifies whether the request method is GET or POST. Defaults to GET.
Request Negative | When selected, specifies that the form be detected by failing to match the criteria specified for Form Detection. The form is then detected by the absence of the specific cookie or header or by the failure to match the URIs. Defaults to unchecked.
Request Prefix | This configuration option allows you to match on a partial string. If not selected, the match must be verbatim. Defaults to selected.

Table 8. Advanced Properties - Submit Request
Field | Value
Request Method | Specifies whether the request method is GET or POST. Defaults to POST.
Submit Request Negative | When selected, specifies that the form be detected by failing to match the criteria specified for Form Detection. The form is then detected by the absence of the specific cookie or header or by the failure to match the URIs. Defaults to unchecked.
Submit Request Prefix | This configuration option allows you to match on a partial string. If not selected, the match must be verbatim. Defaults to selected.

Table 9. JavaScript Injection
Field | Value
Injection Method | Specifies whether to use the default JavaScript that APM creates. Defaults to Auto.
Extra Javascript | Specifies more JavaScript to run at the end of the automatically generated JavaScript. Note: Check the logon page source to determine whether any JavaScript functions are called on submit.
Custom Javascript | Specifies JavaScript to run in place of the automatically generated JavaScript.

Table 10. Form Submit Detection
Field | Value
Disable Auto detect submit | Defaults to not selected.
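
How the Form Detection settings in Table 4 combine with Request Method, Request Negative and Request Prefix in Table 7, as an added sketch that is not APM code and not part of the original chapter. It assumes that a partial match means the request URI starts with a configured URI, that the query string is part of the compared URI, that a header criterion requires the configured value, and that the request method is checked first; the requests and the negative-cookie configuration are constructed.

```javascript
// Added illustration of Form Detection matching; not APM code.
// Assumptions: prefix semantics for "partial" matches, query string included
// in the compared URI, lower-cased header keys, method checked first.

// Names of the cookies carried in a Cookie request header.
function cookieNames(cookieHeader) {
  return (cookieHeader || '').split(';')
    .map((pair) => pair.split('=')[0].trim())
    .filter((name) => name.length > 0);
}

// Evaluate the configured criterion without applying Request Negative.
function criterionMatches(req, cfg) {
  switch (cfg.detectBy) {
    case 'URI':
      return cfg.uris.some((u) =>
        (cfg.requestPrefix ? req.uri.startsWith(u) : req.uri === u));
    case 'Cookie':
      return cookieNames(req.headers.cookie).includes(cfg.cookie);
    case 'Header':
      return req.headers[cfg.header.name.toLowerCase()] === cfg.header.value;
    default:
      throw new Error('unknown Detect Form by value: ' + cfg.detectBy);
  }
}

// True when the request is treated as the request for the logon page.
function detectsLogonPage(req, cfg) {
  // Defaults from Table 7: GET, Request Prefix selected, Request Negative unchecked.
  const c = { requestMethod: 'GET', requestPrefix: true, requestNegative: false, ...cfg };
  if (req.method !== c.requestMethod) return false;
  const hit = criterionMatches(req, c);
  return c.requestNegative ? !hit : hit;
}

// Sample values from Tables 11 and 18 of this chapter.
const dwa = { detectBy: 'URI', uris: ['/'], requestPrefix: false };
const dwaWithPrefix = { detectBy: 'URI', uris: ['/'] }; // Request Prefix left at default
const owa = {
  detectBy: 'URI',
  uris: ['/owa/auth/logon.aspx?replaceCurrent=1&url=', '/owa/auth/logon.aspx?url='],
};
// Constructed configuration: logon page is any request lacking the cookie.
const noSessionCookie = { detectBy: 'Cookie', cookie: 'sessionid', requestNegative: true };

// Constructed requests.
const get = (uri, headers = {}) => ({ method: 'GET', uri, headers });

function demo() {
  return {
    dwaRoot: detectsLogonPage(get('/'), dwa),
    dwaMail: detectsLogonPage(get('/mail/jdoe.nsf'), dwa),
    dwaMailWithPrefix: detectsLogonPage(get('/mail/jdoe.nsf'), dwaWithPrefix),
    owaLogon: detectsLogonPage(get('/owa/auth/logon.aspx?url=https://mail.example.com/owa/'), owa),
    owaPost: detectsLogonPage({ method: 'POST', uri: '/owa/auth/logon.aspx?url=', headers: {} }, owa),
    negNoCookie: detectsLogonPage(get('/app'), noSessionCookie),
    negWithCookie: detectsLogonPage(get('/app', { cookie: 'lang=en; sessionid=abc' }), noSessionCookie),
  };
}
```

Under these assumptions a URI of / with Request Prefix left selected matches every GET request, which is consistent with the DWA example clearing the check box.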

Form-based client-initiated SSO configuration examples

Examples are provided for various applications so that you can quickly create form-based client-initiated SSO configurations for them.

DWA form-based client-initiated SSO example

This example shows how to create a form-based client-initiated SSO configuration for Domino Web Access (DWA).

Table 11. DWA Configuration Example
User Interface Field | Sample Value | Navigation Notes
SSO Configuration Name | ssov2-dwa | SSOv2 Properties
Forms in this SSO Configuration table | | SSOv2 Properties > Create > New Form Definition
Form Name | testform | New Form Definition: General Properties
Form Parameters table | | General Properties > Create > New Form Parameter
Parameter Type | Username | New Form Parameter
Username Parameter Name | Username | New Form Parameter
Username Parameter Value | %{session.sso.token.last.username} | New Form Parameter
Secure | Not enabled (Default) | New Form Parameter
Parameter Type | Password | New Form Parameter
Password Parameter Name | Password | New Form Parameter
Password Parameter Value | %{session.sso.token.last.password} | New Form Parameter
Secure | Enabled (Default) | New Form Parameter
Detect Form by | URI | Form Detection
Request URI | / | Form Detection
Identify Form by | Name Attribute | Form Identification
Form Name | STLogonForm | Form Identification
Detect Logon by | Presence of Cookie | Successful Logon Detection
Cookie Name | DomAuthSessId | Successful Logon Detection
Request Prefix | Not selected | Advanced Properties

DWA form-based client-initiated SSO screen-by-screen example

This example shows how to create a form-based client-initiated SSO configuration for Domino Web Access (DWA) by providing a screen-by-screen illustration.

DWA Form-based Client Initiated SSO Configuration Screens

Figure: Form-based client-initiated SSO properties window (SSOv2 Properties)
  1. You must type a name for the SSO configuration.
  2. Start creating a form.

Figure: Form-based client-initiated SSO new form definition initial window (New Form Definition - General Properties)
  1. You must type a name for the form.
  2. Repeat for each form parameter that you need to create.

Figure: Form-based client-initiated SSO form parameter properties username example (Form Parameter Properties - Username)

For the Username parameter type, the default parameter name is username. In the above example, the parameter name has been changed to Username. This is done because, for DWA, a parameter name must start with an uppercase letter.

Figure: Form-based client-initiated SSO form parameter properties password example (Form Parameter Properties - Password)

Change the parameter name from the default, password (lowercase), to Password (initial capital letter).

Figure: Form-based client-initiated SSO form parameters completed window (Completed General Properties Definition)

The form parameters (Username and Password) that are required for DWA have been defined.

Figure: Form-based client-initiated SSO form detection window (Form Detection)

SSO detects the form by the / URI.

Figure: Form-based client-initiated SSO form identification window (Form Identification)

SSO identifies the form by name, STLoginForm.

Figure: Form-based client-initiated SSO successful logon detection window (Successful Logon Detection)

Logon is successful when the DomAuthSessid cookie is present.

Figure: Form-based client-initiated SSO advanced properties window (Advanced Properties)

The Request Prefix check box (which is checked by default) has been cleared because, for DWA, the form request must match verbatim.

Bugzilla form-based client-initiated SSO example

This example shows how to create a form-based client-initiated SSO configuration for Bugzilla.

Table 12. Bugzilla Configuration Example
User Interface Field | Sample Value | Navigation Notes
SSO Configuration Name | ssov2-bugzilla | SSOv2 Properties
Forms in this SSO Configuration table | | SSOv2 Properties > Create > New Form Definition
Form Name | tform | New Form Definition: General Properties
Form Parameters table | | General Properties > Create > New Form Parameter
Parameter Type | Username | New Form Parameter
Username Parameter Name | Bugzilla_login | New Form Parameter
Username Parameter Value | %{session.sso.token.last.username} | New Form Parameter
Secure | Not enabled (Default) | New Form Parameter
Parameter Type | Password | New Form Parameter
Password Parameter Name | Bugzilla_password | New Form Parameter
Password Parameter Value | %{session.sso.token.last.password} | New Form Parameter
Secure | Enabled (Default) | New Form Parameter
Detect Form by | URI | Form Detection
Request URI | / | Form Detection
Identify Form by | ID Attribute | Form Identification
Form ID | mini_login_top | Form Identification
Detect Logon by | Presence of Cookie | Successful Logon Detection
Cookie Name | Bugzilla_logincookie | Successful Logon Detection
Request Prefix | Not selected | Advanced Properties

Ceridian form-based client-initiated SSO example

This example shows how to create a form-based client-initiated SSO configuration for Ceridian.

Settings to configure form-based client-initiated SSO for Ceridian

Table 13. Ceridian Configuration Example
User Interface Field | Sample Value | Navigation Notes
SSO Configuration Name | ssov2_ceridian | SSOv2 Properties
Description | sourcetimepro1.ceridian.com | SSOv2 Properties
Forms in this SSO Configuration table | | SSOv2 Properties > Create > New Form Definition
Form Name | auth_form | General Properties
Form Parameters table | | General Properties > Create > New Form Parameter
Parameter Type | Custom | New Form Parameter
Form Parameter Name | ClientIDInput | New Form Parameter
Form Parameter Value | %{session.logon.last.clientid} | New Form Parameter
Secure | Not enabled (Default) | New Form Parameter
Parameter Type | Username | New Form Parameter
Username Parameter Name | SerialNumberInput | New Form Parameter
Username Parameter Value | %{session.sso.token.last.username} | New Form Parameter
Secure | Not enabled (Default) | New Form Parameter
Parameter Type | Password | New Form Parameter
Password Parameter Name | PasswordInput | New Form Parameter
Password Parameter Value | %{session.sso.custom.last.password} | New Form Parameter
Secure | Disabled | New Form Parameter
Detect Form by | URI | Form Detection
Request URI | / | Form Detection
Request URI | /sta.asp | Form Detection
Request URI | /ctagw/ | Form Detection
Request URI | /ctagw/sta.asp | Form Detection
Identify Form by | Form Parameters | Form Identification
Detect Logon by | Redirect URI | Successful Logon Detection
Redirect URI | https://sourcetimepro1.ceridian.com/CTA660/cta.asp?RequestID=* | Successful Logon Detection
Request Prefix | Not selected | Advanced Properties
Injection Method | Custom | Javascript Injection
Custom Javascript | See code below. | Javascript Injection
Disable Auto detect submit | Selected | Advanced Properties > Form Submit Detection
URI | /sta.asp | Form Submit Detection
URI | /ctagw/sta.asp | Form Submit Detection

Custom JavaScript

<script>
function checkInternetExplorerVersion()
// Returns 'true' if the version of Internet Explorer > 8
{
    var r = -1; // Return value assumes agreement.
    if (navigator.appName == 'Microsoft Internet Explorer')
    {
        var ua = navigator.userAgent;
        var re = new RegExp("MSIE ([0-8]{1,}[\.0-9]{0,})");
        if (re.exec(ua) != null)
            r = parseFloat( RegExp.$1 );
    }
    return ( r==-1 ) ? true : false;
}
if (checkInternetExplorerVersion())
{
    document.body.style.visibility='hidden';
    document.body.style.display='none';
}
document.body.onkeydown=function(e){return false;};
function __f5submit()
{
    var __f5form = document.forms[0];
    __f5form.SerialNumberInput.value='%{session.sso.token.last.username}';
    __f5form.PasswordInput.value='%{session.sso.custom.last.password}';
    __f5form.ClientIDInput.value='%{session.logon.last.clientid}';
    f_submit();
}
if (window.addEventListener)
{
    window.addEventListener('load',__f5submit,false);
}
else if (window.attachEvent)
{
    window.attachEvent('onload',__f5submit);
}
else
{
    window.onload=__f5submit;
}
</script>

Logon Page customization in access policy

Logon Page Agent (field 3):

  • Type: text
  • Post Variable Name: clientid
  • Session Variable Name: clientid

Logon Page Input Field #3: Company ID

Variable Assign definition in access policy

session.sso.custom.last.password = expr { [mcget -secure {session.sso.token.last.password}] }
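
A review check for form definitions like the Ceridian one above, added here as an example that is not part of the original chapter or the product. It assumes that only parameters marked Secure are replaced by the password token in the page and that %{...} references in Custom JavaScript are expanded before the page is returned, as the example's username and client ID assignments rely on; the object layout and function name are constructed, and the values are taken from the Ceridian and Salesforce examples in this chapter.

```javascript
// Added review check; not part of the product or the original chapter.
// Assumptions: only Secure parameters are tokenised in the page, and %{...}
// references in Custom JavaScript are expanded before the page is returned.
const TOKEN = 'f5-sso-token'; // literal shown in the Salesforce custom JavaScript

// Returns a list of findings for one form definition.
function auditForm(form) {
  const findings = [];

  // 1. Variable Assign lines that copy a secure variable into a new variable.
  const plainCopies = new Set();
  for (const line of form.variableAssign || []) {
    const m = /^\s*([\w.]+)\s*=\s*expr\s*\{.*?mcget\s+-secure\s+\{([\w.]+)\}/.exec(line);
    if (m) {
      plainCopies.add(m[1]);
      findings.push(`Variable Assign copies secure ${m[2]} into ${m[1]}`);
    }
  }

  // 2. Password-type parameters with Secure turned off.
  for (const p of form.params) {
    if (p.type === 'Password' && !p.secure) {
      findings.push(`Password parameter ${p.name} has Secure disabled`);
    }
  }

  // 3. Custom JavaScript that references a password-bearing variable.
  const script = form.customJavascript || '';
  for (const m of script.matchAll(/%\{([\w.]+)\}/g)) {
    if (plainCopies.has(m[1]) || /password/i.test(m[1])) {
      findings.push(`Custom JavaScript embeds %{${m[1]}} instead of ${TOKEN}`);
    }
  }
  return findings;
}

// Values transcribed from the Ceridian example.
const ceridian = {
  variableAssign: [
    'session.sso.custom.last.password = expr { [mcget -secure {session.sso.token.last.password}] }',
  ],
  params: [
    { type: 'Custom', name: 'ClientIDInput', secure: false },
    { type: 'Username', name: 'SerialNumberInput', secure: false },
    { type: 'Password', name: 'PasswordInput', secure: false },
  ],
  customJavascript: [
    "__f5form.SerialNumberInput.value='%{session.sso.token.last.username}';",
    "__f5form.PasswordInput.value='%{session.sso.custom.last.password}';",
    "__f5form.ClientIDInput.value='%{session.logon.last.clientid}';",
  ].join('\n'),
};

// Values transcribed from the Salesforce example, which keeps the token.
const salesforce = {
  params: [
    { type: 'Username', name: 'username', secure: false },
    { type: 'Password', name: 'pw', secure: true },
  ],
  customJavascript: [
    "__f5form.username.value='%{session.sso.token.last.username}';",
    "__f5form.password.value='f5-sso-token';",
  ].join('\n'),
};
```

Running `auditForm(ceridian)` reports the Variable Assign copy, the non-Secure password parameter and the script reference, while `auditForm(salesforce)` reports nothing.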

Citrix 4.5 and 5 form-based client-initiated SSO example

This example shows how to create a form-based client-initiated SSO configuration for Citrix 4.5 and 5.

Table 14. Citrix 4.5 and 5 Configuration Example
User Interface Field | Sample Value | Navigation Notes
SSO Configuration Name | sso_fbv2 | SSOv2 Properties
Forms in this SSO Configuration table | | SSOv2 Properties > Create > New Form Definition
Form Name | testform | General Properties
Form Parameters table | | General Properties > Create > New Form Parameter
Parameter Type | Custom | New Form Parameter
Form Parameter Name | domain | New Form Parameter
Form Parameter Value | %{session.logon.last.domain} | New Form Parameter
Secure | Not enabled (Default) | New Form Parameter
Parameter Type | Username | New Form Parameter
Username Parameter Name | user | New Form Parameter
Username Parameter Value | %{session.sso.token.last.username} | New Form Parameter
Secure | Not enabled (Default) | New Form Parameter
Parameter Type | Password | New Form Parameter
Password Parameter Name | password | New Form Parameter
Password Parameter Value | %{session.sso.token.last.password} | New Form Parameter
Secure | Enabled (Default) | New Form Parameter
Detect Form by | URI | Form Detection
Request URI | /Citrix/AccessPlatform/auth/login.aspx | Form Detection
Request URI | /Citrix/XenApp/auth/login.aspx | Form Detection
Identify Form by | Action ID | Form Identification
Form Action | login.aspx | Form Identification
Detect Logon by | Redirect URI | Successful Logon Detection
Redirect URI | */Citrix/XenApp/site/default.aspx | Successful Logon Detection
Redirect URI | */Citrix/AccessPlatform/site/default.aspx | Successful Logon Detection

Devcentral form-based client-initiated SSO example

This example shows how to create a form-based client-initiated SSO configuration for Devcentral.

Settings to configure form-based client-initiated SSO for Devcentral

Table 15. Devcentral Configuration Example
User Interface Field | Sample Value | Navigation Notes
SSO Configuration Name | ssov2_devcentral | SSOv2 Properties
Description | devcentral.f5.com | SSOv2 Properties
Forms in this SSO Configuration table | | SSOv2 Properties > Create > New Form Definition
Form Name | auth_form | General Properties
Form Parameters table | | General Properties > Create > New Form Parameter
Parameter Type | Custom | New Form Parameter
Form Parameter Name | dnn$ctr1093548$Login$Login_DNN$cmdLogin | New Form Parameter
Form Parameter Value | Login | New Form Parameter
Secure | Not enabled (Default) | New Form Parameter
Parameter Type | Username | New Form Parameter
Username Parameter Name | dnn$ctr1093548$Login$Login_DNN$txtUsername | New Form Parameter
Username Parameter Value | %{session.sso.token.last.username} | New Form Parameter
Secure | Not enabled (Default) | New Form Parameter
Parameter Type | Password | New Form Parameter
Password Parameter Name | dnn$ctr1093548$Login$Login_DNN$txtPassword | New Form Parameter
Password Parameter Value | %{session.sso.token.last.password} | New Form Parameter
Secure | Enabled (Default) | New Form Parameter
Detect Form by | URI | Form Detection
Request URI | /Community/Login/tabid/1082224/Default.aspx | Form Detection
Request URI | /tabid/1082224/Default.aspx | Form Detection
Identify Form by | Form Parameters | Form Identification
Detect Logon by | Cookie | Successful Logon Detection
Cookie Name | authentication | Successful Logon Detection
Injection Method | Extra | Javascript Injection
Extra Javascript | See code below. | Javascript Injection

Extra Javascript

WebForm_DoPostBackWithOptions(new WebForm_PostBackOptions("dnn$ctr1093548$Login$Login_DNN$cmdLogin", "", true, "", "", false, false));
__f5form.enctype = 'application/x-www-form-urlencoded';
__f5form.encoding = 'application/x-www-form-urlencoded';

Google form-based client-initiated SSO example

This example shows how to create a form-based client-initiated SSO configuration for Google.

Settings to configure form-based client-initiated SSO for Google

Table 16. Google Configuration Example
User Interface Field | Sample Value | Navigation Notes
SSO Configuration Name | ssov2_google | SSOv2 Properties
Description | accounts.google.com | SSOv2 Properties
Forms in this SSO Configuration table | | SSOv2 Properties > Create > New Form Definition
Form Name | form_auth | General Properties
Form Parameters table | | General Properties > Create > New Form Parameter
Parameter Type | Username | New Form Parameter
Username Parameter Name | Email | New Form Parameter
Username Parameter Value | %{session.sso.token.last.username} | New Form Parameter
Secure | Not enabled (Default) | New Form Parameter
Parameter Type | Password | New Form Parameter
Password Parameter Name | Passwd | New Form Parameter
Password Parameter Value | %{session.sso.token.last.password} | New Form Parameter
Secure | Enabled (Default) | New Form Parameter
Detect Form by | URI | Form Detection
Request URI | /ServiceLogin | Form Detection
Identify Form by | Form Parameters | Form Identification
Detect Logon by | Cookie | Successful Logon Detection
Cookie Name | SID | Successful Logon Detection
Note: For Internet Explorer 7 (and 8), disable the advanced setting "Display a notification about every script error".

Oracle Application Server form-based client-initiated SSO example

This example shows how to create a form-based client-initiated SSO configuration for Oracle 10g Release 2 (10.1.2).

Table 17. Oracle Application Server 10g Configuration Example
User Interface Field | Sample Value | Navigation Notes
SSO Configuration Name | ssov2_oracle | SSOv2 Properties
Forms in this SSO Configuration table | | SSOv2 Properties > Create > New Form Definition
Form Name | tform | General Properties
Form Parameters table | | General Properties > Create > New Form Parameter
Parameter Type | Username | New Form Parameter
Username Parameter Name | ssousername | New Form Parameter
Username Parameter Value | %{session.sso.token.last.username} | New Form Parameter
Secure | Not enabled (Default) | New Form Parameter
Parameter Type | Password | New Form Parameter
Password Parameter Name | password | New Form Parameter
Password Parameter Value | %{session.sso.token.last.password} | New Form Parameter
Secure | Enabled (Default) | New Form Parameter
Detect Form by | URI | Form Detection
Request URI | /sso/pages/login.jsp?site2pstoretoken=v1.2 | Form Detection
Identify Form by | Form Parameters | Form Identification
Detect Logon by | Cookie | Successful Logon Detection
Cookie Name | SSO_ID | Successful Logon Detection

OWA 2010 and 2007 form-based client-initiated SSO example

This example shows how to create a form-based client-initiated SSO configuration for Outlook Web App (OWA) 2010 and OWA 2007.

Table 18. OWA 2010 and OWA 2007 Configuration Example
User Interface Field | Sample Value | Navigation Notes
SSO Configuration Name | ssov2-owa | SSOv2 Properties
Forms in this SSO Configuration table | | SSOv2 Properties > Create > New Form Definition
Form Name | tform | General Properties
Form Parameters table | | General Properties > Create > New Form Parameter
Parameter Type | Username | New Form Parameter
Username Parameter Name | username | New Form Parameter
Username Parameter Value | %{session.sso.token.last.username} | New Form Parameter
Secure | Not enabled (Default) | New Form Parameter
Parameter Type | Password | New Form Parameter
Password Parameter Name | password | New Form Parameter
Password Parameter Value | %{session.sso.token.last.password} | New Form Parameter
Secure | Enabled (Default) | New Form Parameter
Detect Form by | URI | Form Detection
Request URI | /owa/auth/logon.aspx?replaceCurrent=1&url= | Form Detection
Request URI | /owa/auth/logon.aspx?url= | Form Detection
Identify Form by | Form Parameters | Form Identification
Detect Logon by | Presence of Cookie | Successful Logon Detection
Cookie Name | sessionid | Successful Logon Detection
Injection Method | Extra | Javascript Injection
Extra Javascript | clkLgn() | Javascript Injection

OWA 2003 form-based client-initiated SSO example

This example shows how to create a form-based client-initiated SSO configuration for Outlook Web App (OWA) 2003.

Table 19. OWA 2003 Configuration Example
User Interface Field | Sample Value | Navigation Notes
SSO Configuration Name | ssov2-owa2003 | SSOv2 Properties
Forms in this SSO Configuration table | | SSOv2 Properties > Create > New Form Definition
Form Name | tform2003 | General Properties
Form Parameters table | | General Properties > Create > New Form Parameter
Parameter Type | Username | New Form Parameter
Username Parameter Name | username | New Form Parameter
Username Parameter Value | %{session.sso.token.last.username} | New Form Parameter
Secure | Not enabled (Default) | New Form Parameter
Parameter Type | Password | New Form Parameter
Password Parameter Name | password | New Form Parameter
Password Parameter Value | %{session.sso.token.last.password} | New Form Parameter
Secure | Enabled (Default) | New Form Parameter
Detect Form by | URI | Form Detection
Request URI | /exchweb/bin/auth/owalogon.asp?url=https://ata.bldg12.grpy.company.com/exchange/&reason=0 | Form Detection
Identify Form by | Form Parameters | Form Identification
Detect Logon by | Presence of Cookie | Successful Logon Detection
Cookie Name | sessionid | Successful Logon Detection

Perforce form-based client-initiated SSO example

This example shows how to create a form-based client-initiated SSO configuration for Perforce.

Table 20. Perforce Configuration Example
User Interface Field | Sample Value | Navigation Notes
SSO Configuration Name | perforce-sso | SSOv2 Properties
Forms in this SSO Configuration table | | SSOv2 Properties > Create > New Form Definition
Form Name | p4 | General Properties
Form Parameters table | | General Properties > Create > New Form Parameter
Parameter Type | Username | New Form Parameter
Username Parameter Name | u | New Form Parameter
Username Parameter Value | %{session.sso.token.last.username} | New Form Parameter
Secure | Not enabled (Default) | New Form Parameter
Parameter Type | Password | New Form Parameter
Password Parameter Name | p | New Form Parameter
Password Parameter Value | %{session.sso.token.last.password} | New Form Parameter
Secure | Enabled (Default) | New Form Parameter
Detect Form by | URI | Form Detection
Request URI | /p4web | Form Detection
Identify Form by | Form Parameters | Form Identification
Detect Logon by | Presence of Cookie | Successful Logon Detection
Cookie Name | P4W8080 | Successful Logon Detection
Request Prefix | Not selected | Advanced Properties

Reviewboard form-based client-initiated SSO example

This example shows how to create a form-based client-initiated SSO configuration for Reviewboard.

Table 21. Reviewboard Configuration Example
User Interface Field | Sample Value | Navigation Notes
SSO Configuration Name | reviewboard-sso | SSOv2 Properties
Forms in this SSO Configuration table | | SSOv2 Properties > Create > New Form Definition
Form Name | rb_logon | General Properties
Form Parameters table | | General Properties > Create > New Form Parameter
Parameter Type | Username | New Form Parameter
Username Parameter Name | username | New Form Parameter
Username Parameter Value | %{session.sso.token.last.username} | New Form Parameter
Secure | Not enabled (Default) | New Form Parameter
Parameter Type | Password | New Form Parameter
Password Parameter Name | password | New Form Parameter
Password Parameter Value | %{session.sso.token.last.password} | New Form Parameter
Secure | Enabled (Default) | New Form Parameter
Detect Form by | URI | Form Detection
Request URI | /account/login | Form Detection
Identify Form by | Form Parameters | Form Identification
Detect Logon by | Redirect URI | Successful Logon Detection
Redirect URI | */dashboard | Successful Logon Detection
Request Prefix | Not selected | Advanced Properties

SAP form-based client-initiated SSO example

This example shows how to create a form-based client-initiated SSO configuration for SAP.

Table 22. SAP Configuration Example
User Interface Field | Sample Value | Navigation Notes
SSO Configuration Name | ssov2_sap | SSOv2 Properties
Forms in this SSO Configuration table | | SSOv2 Properties > Create > New Form Definition
Form Name | tform | General Properties
Form Parameters table | | General Properties > Create > New Form Parameter
Parameter Type | Username | New Form Parameter
Username Parameter Name | j_user | New Form Parameter
Username Parameter Value | %{session.sso.token.last.username} | New Form Parameter
Secure | Not enabled (Default) | New Form Parameter
Parameter Type | Password | New Form Parameter
Password Parameter Name | j_password | New Form Parameter
Password Parameter Value | %{session.sso.token.last.password} | New Form Parameter
Secure | Enabled (Default) | New Form Parameter
Parameter Type | Custom | New Form Parameter
Form Parameter Name | uidPasswordLogon | New Form Parameter
Form Parameter Value | Log On | New Form Parameter
Secure | Not enabled (Default) | New Form Parameter
Detect Form by | URI | Form Detection
Request URI | /irj/portal | Form Detection
Identify Form by | Form Parameters | Form Identification
Detect Logon by | Presence of Cookie | Successful Logon Detection
Cookie Name | MYSAPSSOV2 | Successful Logon Detection
Request Prefix | Not selected | Advanced Properties

Salesforce form-based client-initiated SSO example

This example shows how to create a form-based client-initiated SSO configuration for Salesforce.

Settings to configure form-based client-initiated SSO for Salesforce

Table 23. Salesforce Configuration Example
| User Interface Field | Sample Value | Navigation Notes |
|---|---|---|
| SSO Configuration Name | ssov2_salesforce | SSOv2 Properties |
| Forms in this SSO Configuration table | | SSOv2 Properties > Create > New Form Definition |
| Form Name | auth_form | General Properties |
| Form Parameters table | | General Properties > Create > New Form Parameter |
| Parameter Type | Username | New Form Parameter |
| Username Parameter Name | username | New Form Parameter |
| Username Parameter Value | %{session.sso.token.last.username} | New Form Parameter |
| Secure | Not enabled (Default) | New Form Parameter |
| Parameter Type | Password | New Form Parameter |
| Password Parameter Name | pw | New Form Parameter |
| Password Parameter Value | %{session.sso.token.last.password} | New Form Parameter |
| Secure | Enabled (Default) | New Form Parameter |
| Detect Form by | URI | Form Detection |
| Request URI | / | Form Detection |
| Identify Form by | Form Parameters | Form Identification |
| Detect Logon by | Cookie | Successful Logon Detection |
| Cookie Name | inst | Successful Logon Detection |
| Injection Method | Custom | Javascript Injection |
| Custom Javascript | See code below. | Javascript Injection |

Custom Javascript

<script>
function checkInternetExplorerVersion()
// Returns 'true' if the version of Internet Explorer > 8
{
    var r = -1; // Return value assumes agreement.
    if (navigator.appName == 'Microsoft Internet Explorer') {
        var ua = navigator.userAgent;
        var re = new RegExp("MSIE ([0-8]{1,}[\.0-9]{0,})");
        if (re.exec(ua) != null)
            r = parseFloat( RegExp.$1 );
    }
    return ( r==-1 ) ? true : false;
}
if (checkInternetExplorerVersion()) {
    document.body.style.visibility='hidden';
    document.body.style.display='none';
}
document.body.onkeydown=function(e){return false;};
function __f5submit() {
    var __f5form = document.forms[0];
    __f5form.username.value='%{session.sso.token.last.username}';
    __f5form.password.value='f5-sso-token';
    var __f5action = __f5form.action;
    var __f5qsep = (__f5action.indexOf('?') == -1) ? '?' : '&';
    __f5form.action = __f5action + __f5qsep + 'f5-sso-form=auth_form';
    __f5form.Login.click();
}
if (window.addEventListener) {
    window.addEventListener('load',__f5submit,false);
} else if (window.attachEvent) {
    window.attachEvent('onload',__f5submit);
} else {
    window.onload=__f5submit;
}
</script>

SharePoint 2010 form-based client-initiated SSO example

This example shows how to create a form-based client-initiated SSO configuration for SharePoint.

Table 24. SharePoint Configuration Example
| User Interface Field | Sample Value | Navigation Notes |
|---|---|---|
| SSO Configuration Name | ssov2_shp2010 | SSOv2 Properties |
| Forms in this SSO Configuration table | | SSOv2 Properties > Create > New Form Definition |
| Form Name | form_auth | General Properties |
| Form Parameters table | | General Properties > Create > New Form Parameter |
| Parameter Type | Username | New Form Parameter |
| Username Parameter Name | ctl00$PlaceHolderMain$signInControl$UserName | New Form Parameter |
| Username Parameter Value | %{session.sso.token.last.username} | New Form Parameter |
| Secure | Not enabled (Default) | New Form Parameter |
| Parameter Type | Password | New Form Parameter |
| Password Parameter Name | ctl00$PlaceHolderMain$signInControl$password | New Form Parameter |
| Password Parameter Value | %{session.sso.token.last.password} | New Form Parameter |
| Secure | Enabled (Default) | New Form Parameter |
| Parameter Type | Custom | New Form Parameter |
| Form Parameter Name | ctl00$PlaceHolderMain$signInControl$login | New Form Parameter |
| Form Parameter Value | Sign In | New Form Parameter |
| Secure | Enabled | New Form Parameter |
| Detect Form by | URI | Form Detection |
| Request URI | /_forms/default.aspx?ReturnUrl= | Form Detection |
| Identify Form by | Form Parameters | Form Identification |
| Detect Logon by | Cookie | Successful Logon Detection |
| Cookie Name | FedAuth | Successful Logon Detection |

Weblogin form-based client-initiated SSO example

This example shows how to create a form-based client-initiated SSO configuration for weblogin.

Table 25. Weblogin Configuration Example
| User Interface Field | Sample Value | Navigation Notes |
|---|---|---|
| SSO Configuration Name | ssov2-weblogin | SSOv2 Properties |
| Forms in this SSO Configuration table | | SSOv2 Properties > Create > New Form Definition |
| Form Name | tform | General Properties |
| Form Parameters table | | General Properties > Create > New Form Parameter |
| Parameter Type | Username | New Form Parameter |
| Username Parameter Name | user | New Form Parameter |
| Username Parameter Value | %{session.sso.token.last.username} | New Form Parameter |
| Secure | Not enabled (Default) | New Form Parameter |
| Parameter Type | Password | New Form Parameter |
| Password Parameter Name | pass | New Form Parameter |
| Password Parameter Value | %{session.sso.token.last.password} | New Form Parameter |
| Secure | Enabled (Default) | New Form Parameter |
| Parameter Type | Custom | New Form Parameter |
| Form Parameter Name | submit_form | New Form Parameter |
| Form Parameter Value | Submit | New Form Parameter |
| Secure | Not enabled (Default) | New Form Parameter |
| Detect Form by | URI | Form Detection |
| Request URI | /sso/login.php?redir= | Form Detection |
| Identify Form by | Name Attribute | Form Identification |
| Form Name | theForm | Form Identification |
| Detect Logon by | Cookie | Successful Logon Detection |
| Cookie Name | issosession | Successful Logon Detection |

Yahoo form-based client-initiated SSO example

This example shows how to create a form-based client-initiated SSO configuration for Yahoo.

Settings to configure form-based client-initiated SSO for Yahoo

Table 26. Yahoo Configuration Example
| User Interface Field | Sample Value | Navigation Notes |
|---|---|---|
| SSO Configuration Name | sso_yahoo | SSOv2 Properties |
| Description | login.yahoo.com | SSOv2 Properties |
| Forms in this SSO Configuration table | | SSOv2 Properties > Create > New Form Definition |
| Form Name | form_login | General Properties |
| Form Parameters table | | General Properties > Create > New Form Parameter |
| Parameter Type | Username | New Form Parameter |
| Username Parameter Name | login | New Form Parameter |
| Username Parameter Value | %{session.sso.token.last.username} | New Form Parameter |
| Secure | Not enabled (Default) | New Form Parameter |
| Detect Form by | URI | Form Detection |
| Request URI | / | Form Detection |
| Identify Form by | ID Attribute | Form Identification |
| Form ID | login_form | Form Identification |
| Detect Logon by | Cookie | Successful Logon Detection |
| Cookie Name | PH | Successful Logon Detection |
| Injection Method | Custom | Javascript Injection |
| Custom Javascript | See example custom Javascript below. | Javascript Injection |
| Disable Auto detect submit | Selected | Advanced Properties > Form Submit Detection |
| Javascript | /config/login | Form Submit Detection |

Custom Javascript

<script>
//Logon page will not be hidden in IE7/8.
//This is workaround for the problem with JS method .focus()
//"Can't move focus to the control because it is invisible, not enabled, or of a type that does not accept the focus."
function checkInternetExplorerVersion()
// Returns 'true' if the version of Internet Explorer > 8
{
    var r = -1; // Return value assumes agreement.
    if (navigator.appName == 'Microsoft Internet Explorer') {
        var ua = navigator.userAgent;
        var re = new RegExp("MSIE ([0-8]{1,}[\.0-9]{0,})");
        if (re.exec(ua) != null)
            r = parseFloat( RegExp.$1 );
    }
    return ( r==-1 ) ? true : false;
}
if (checkInternetExplorerVersion()) {
    document.body.style.visibility='hidden';
    var inter = setInterval(function () {
        var err = document.getElementsByClassName('yregertxt')[0];
        var wcl = document.getElementById('captcha_c');
        if (err) {
            document.body.style.visibility = 'visible';
            clearInterval(inter);
        }
        if (wcl) {
            if ( wcl.style.visibility == 'hidden') {
                document.body.style.visibility = 'visible';
                clearInterval(inter);
            }
        }
    }, 1000);
}
function __f5submit() {
    var adv = document.getElementById('adFrame');
    if (adv) adv.style.visibility='hidden';
    var __f5form = document.forms[0];
    if (__f5form.login) __f5form.login.value='%{session.sso.token.last.username}';
    __f5form.passwd.value='%{session.sso.custom.last.password}';
    __f5form[".save"].click();
}
if (window.addEventListener) {
    window.addEventListener('load',__f5submit,false);
} else if (window.attachEvent) {
    window.attachEvent('onload',__f5submit);
} else {
    window.onload=__f5submit;
}
</script>

Variable Assign definition used in access policy

session.sso.custom.last.password = expr { [mcget -secure {session.sso.token.last.password}] }