Recently I was called to assist with an interesting SSO customization for UAG.

The requirments are as follows:

1. Add a new input field named "Code" to the default login page.
2. Add a second new input field named "Suffix", of type drop box to be used as username suffix.
3. Collect and process the inputs during authentication process.  Here the requirement was to use "suffix+username" for username and "password" as password for authentication.
4. Process the inputs (revert back to the original valuv class="content-fragment-content">

   Advanced SSO with UAG

   Recently I was called to assist with ae of username) to support SSO.  Here the requirement was to send the original username + password + code to the backend application's FBA to achieve SSO.

5. In addition, the whole solution needs to work with One Time Password / SMS solution (Radius with challenge-response).

The end result should resemble the below UAG portal login page:



Published Application's Form Based Authentication page:



Step #1

• Publish the web applciation in a portal

Step #2

   
• Create a copy of the default login.asp and place it in /InternalSite/CustomUpdate/Trunk1newLogin.asp

• Add the new input fields to the Trunk1newLogin.asp

a. Add suffix field to login page

<TR>              <TD class="paramText">Prefix <TD colspan="2"><select class="paramText" TYPE="text" ID="pre_fix" NAME="pre_fix" onkeypress="keyDetect(event)">              <option value="0">0</option>              <option value="1">1</option>              <option value="2">2</option>              <option value="3">3</option>               </select>            </TD> </TR>

b. Add code field to login page

<TD class="paramText">Code</TD> <TD><INPUT class="paramTextbox" TYPE="text" ID="Code_Value" NAME="Code_Value" size="11"></TD>

 

• Point the portal to use the new customized CustomUpdate/Trunk1newLogin.asp    

• Edit the relevant URL Set rule to allow the passing of the new parameters

Step #3

• Process the inputs before authentication process occures by adding the following code to /InternalSite/Inc/Trunk1Validate.inc

 

<% if Session("CredentialsNum") = "" then if g_login_type = RESOURCE_OPERATION_LOGIN and GetSiteFixRepositories() then use_the_same_user_name = GetSiteUseTheSameUserName() repositories = GetSiteRepositoriesVec() i = 1 for each repository_name in repositories Session("repository"&i) = repository_name i = i + 1 next i = 1 for each password in Request("password") Session("password"&i) = password if use_the_same_user_name then Session("user_name"&i) = Request("user_name") end if i = i + 1 next if not use_the_same_user_name then i = 1 for each user_name in Request("user_name") Session("user_name"&i) = user_name i = i + 1 next end if Session("CredentialsNum") = i-1 else Session("repository1") = Request("repository") x1 = Request("user_name") x2 = Request("pre_fix") Session("user_nambr /> i = 1 for each repository_name in repositories Session("repository"&i) = repository_name i = i + 1 next i = 1 for each password in Request("password") Session("password&quoe1") = x2 & x1 Session("password1") = Request("password") Session("CredentialsNum") = 1 end if Session("CurrentCredentialsNum") = 1 end if num = Session("CurrentCredentialsNum") user_name = Session("user_name"&num) password = Session("password"&num) repository = Session("repository"&num) HEAVY_TRACE "CurrentCredentialsNum [" & num & "] CredentialsNum [" & Session("CredentialsNum") & "]" HEAVY_TRACE "Validate got site_name [" & g_site_name & "] secure [" & g_secure & "] orig_url [" & g_orig_url & "] resource_id [" & g_resource_id & "] login_type [" & g_login_type & "] cookie [" & g_cookie & "] repository [" & repository & "] user_name [" & user_name & "]" %>

 

   
• Revert the username manipulation back to its original value for SSO to succeed
• Collect the data and add it to session parameters, by adding the following code to CustomUpdate/Trunk1validatecontinue.inc

Note: if you are using normal username / password authentication this code should be saved in /CustomUpdate/Trunk1postpostvalidate.inc and the code Session("user_name1") = Request("user_name") should be added to begining of InternalSite/Inc/sso.inc

<% Session("user_name1") = Request("user_name") Code_Value = Request("Code_Value") SetSessionResourceParam g_cookie, "B755 Replace with application ID 92A57F824", "txtCode", Code_Value %>

   

 
Step #4

• Map the credentials to their corresponding counterparts in the application's FBA. Looking at the source code of the application's FBA revealed the input field's names.

Place the following code in \Conf\WizardDefaults\FormLogin\CustomUpdate\formlogin.xml

 

<WHLFILTFORMLOGIN ver="1.0">  <APPLICATION>   <APPLICATION_TYPE>App1</APPLICATION_TYPE>   <USAGE description="form_login">   <PRIMARY_HOST_URL><![CDATA[/.*]]></PRIMARY_HOST_URL>   <SECONDARY_HOST_URL><![CDATA[/.*]]></SECONDARY_HOST_URL>   <SCRIPT_NAME source="data_definition">FormLoginSubmitStandard</SCRIPT_NAME>   <USER_AGENT>    <AGENT_TYPE search="group">all_supported</AGENT_TYPE>    <POLICY>multiplatform</POLICY>    <SCRIPT_NAME source="data_definition">FormLoginHandler</SCRIPT_NAME>   </USER_AGENT>   <MULTIPLE_LOGIN>true</MULTIPLE_LOGIN>   <LOGIN_FORM>    <NAME></NAME>    <METHOD>POST</METHOD>    <CONTROL handling="real_value">     <TYPE>USER_PROVIDED</TYPE>     <NAME>txtCode</NAME>     <DEF_VALUE>sitecode</DEF_VALUE>    </CONTROL>    <CONTROL handling="real_value">     <TYPE>USER_NAME</TYPE>     <NAME>txtUserName</NAME>     <DEF_VALUE>siteusr</DEF_VALUE>    </CONTROL>    <CONTROL handling="real_value">     <TYPE>PASSWORD</TYPE>     <NAME>txtPassword</NAME>     <DEF_VALUE>sitepass</DEF_VALUE>    </CONTROL>    <LOGIN_EVALUATOR indicate="failure">     <SEARCH encoding="">ERROR:</SEARCH>     <SEARCH encoding="">credentials supplied were invalid</SEARCH>    </LOGIN_EVALUATOR>   </LOGIN_FORM>   </USAGE>  </APPLICATION> </WHLFILTFORMLOGIN>