Getting forms SSO to work

mloor

2019-05-14T15:13:07Z

I am trying to get forms SSO to work on an external site:

 

https://start.exactonline.nl/docs/Login.aspx

 

I have created the junction, imported the SSL certificate and created the FSSO configuration as follows:

[forms-sso-login-pages]

login-page-stanza = exactonline
login-credential-learning = no

[exactonline]
login-page = /docs/Login.aspx*
login-form-action = ./Login.aspx?ReturnUrl=%2fdocs%2fMenuPortal.aspx
gso-resource = exactonline
argument-stanza = exactonline-args

[exactonline-args]
LoginForm$UserName = gso:username
LoginForm$Password = gso:password

 

When I browse to the https://isamproxy/exactonline junction, the login for the external site shows and the username and password as configured in the user's GSO credentials are filled in. However, when I press submit I get the following error:

Server Error

Access Manager WebSEAL could not complete your request due to an unexpected error.

Diagnostic Information

Method: POST

URL: /exactonline/docs/Login.aspx?ReturnUrl=%2fdocs%2fMenuPortal.aspx

Error Code: 0x38cf07e0

Error Text: DPWWA2016E No HTML form for single-sign-on was found.

 

I have tried modifying the login-form-action but I think it might be caused by the ISAM getting confused about the fact the login page URI is the same as the form-action. This is however something that cannot be changed.

 

Since I am just starting out with FSSO I might be missing something. Does anyone have a suggestion?

 

Best regards,

Maarten Loor

  • IAM.Jon

    Re: Getting forms SSO to work

    ‏2019-05-20T08:35:01Z  

    Hi Maarten,

     

    First of all, may I suggest that you join us all over on the new IBM Security Community.  We have an IAM Group there with a discussion forum which is more active than this older one.  There was a Forms-based SSO conversation not so long ago which looks quite similar to this.  URL is: https://ibm.biz/iamcommunity.

     

    Looking at the error message, it does look as though the FSSO function is matching on the POST to the login page as another login page and complaining that this doesn't include a login form.

    One thing I have done successfully in the past is to modify the Login.aspx page so that the login action includes a dummy query string to distinguish it from the original login page load.

     

    Something like:

    
    
    strReturnUrl = "?GO=1&ReturnUrl=" + strReturnUrlPage;
    

    Note the addition of GO=1 at the start of the query string.  This is ignored by the login processing but provides a difference between initial login page load and the POST response URL.

     

    Now you can use the following in the FSSO config:

    [login-page-one]
    login-page = /docs/Login.aspx?Return*
    login-form-action = *Login.aspx*

     

    I hope this helps and hope to see you over on the IAM Community.

     

    Cheers... Jon.
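
The matching behaviour described in the reply above, modelled as an added example (not part of the original posts and not IBM code). It approximates WebSEAL's pattern matching with Python's fnmatch wildcards and assumes the login-page pattern is compared against the request URI regardless of HTTP method; the request URIs and response bodies are constructed.

```python
# Added illustration, not IBM code: fnmatch wildcards stand in for WebSEAL's
# pattern matching; request URIs and response bodies below are constructed.
from fnmatch import fnmatchcase
from html.parser import HTMLParser

class FormActions(HTMLParser):
    """Collect the action attribute of every <form> in a response body."""
    def __init__(self):
        super().__init__()
        self.actions = []

    def handle_starttag(self, tag, attrs):
        if tag == "form":
            self.actions.append(dict(attrs).get("action") or "")

def fsso_outcome(stanza, request_uri, response_html):
    """Classify one junction request as 'pass-through', 'sso' or 'DPWWA2016E'."""
    if not fnmatchcase(request_uri, stanza["login-page"]):
        return "pass-through"      # URI is not treated as a login page
    parser = FormActions()
    parser.feed(response_html)
    if any(fnmatchcase(a, stanza["login-form-action"]) for a in parser.actions):
        return "sso"               # login form located, arguments can be filled
    return "DPWWA2016E"            # login page matched but no login form in it

RETURN = "ReturnUrl=%2fdocs%2fMenuPortal.aspx"
ORIGINAL = {"login-page": "/docs/Login.aspx*",
            "login-form-action": "./Login.aspx?" + RETURN}
SUGGESTED = {"login-page": "/docs/Login.aspx?Return*",
             "login-form-action": "*Login.aspx*"}
NO_FORM = "<html><body>post-login response, no login form</body></html>"

def login_html(action):
    return f'<html><body><form method="post" action="{action}"></form></body></html>'

def run_cases():
    """Initial page load and credential POST under both configurations."""
    page, go = "/docs/Login.aspx?", "GO=1&"
    return {
        "original load": fsso_outcome(ORIGINAL, page + RETURN, login_html("./Login.aspx?" + RETURN)),
        "original post": fsso_outcome(ORIGINAL, page + RETURN, NO_FORM),
        "suggested load": fsso_outcome(SUGGESTED, page + RETURN, login_html("./Login.aspx?" + go + RETURN)),
        "suggested post": fsso_outcome(SUGGESTED, page + go + RETURN, NO_FORM),
    }

if __name__ == "__main__":
    for case, outcome in run_cases().items():
        print(f"{case:15} -> {outcome}")
```

In this model the broad `/docs/Login.aspx*` pattern also matches a URI that carries `GO=1`, so the extra parameter only separates the two requests when it is paired with the narrower `login-page` pattern.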

  • mloor

    Re: Getting forms SSO to work

    ‏2019-05-21T09:28:17Z  

    Hello Jon,

     

    Thanks for your answer. I will join the new forum. Since the topic has already started here, I think it is better to have the reply here.

     

    The service I am calling is SaaS and cannot be changed. The piece of code:

    strReturnUrl = "?GO=1&ReturnUrl=" + strReturnUrlPage;


    Is this something that I can do on the ISAM as well? Or are you relying on the SaaS solution to filter out the GO parameter?

     

    There is a 2FA from the SaaS directly after the login. I think what is happening is that the SaaS is showing the Login.aspx again for the 2FA challenge directly after the successful login, but the Login.aspx presenting the challenge does not have a username/password field. Somehow, ISAM is automatically processing the form as a login page.

     

    I have tried adding the GO=1 parameter on the SaaS site without actually going through the ISAM junction. This seems to work without ISAM but if I use the reverse proxy, it immediately throws the DPWWA2016E error.