SungHoon_Kim

Configuring an ALL-IN-ONE VM Image - Part 4

Blog Post created by SungHoon_Kim Employee on Jan 29, 2016

This is something I like to do once in a while. It takes a long time to set up everything, but to me it is a hobby. It is like putting together jigsaw puzzles.

 

WARNING: THIS IS NOT SUPPORTED! THIS IS ONLY TO FULFILL YOUR CURIOSITY AND SATISFY YOUR SPIRIT GOING AGAINST ALL ODDS. THIS IS NOT A DEMONSTRATION ALLOWING YOU TO RUN SUCH CONFIGURATION IN YOUR DEV/TEST/QA/PROD ENVIRONMENT.

 

This environment is a continuation of the "Creating an ALL-IN-ONE VM Image" series. (links below)

 

Creating an ALL-IN-ONE VM Image - Part 1

Creating an ALL-IN-ONE VM Image - Part 2

Creating an ALL-IN-ONE VM Image - Part 3

Creating an ALL-IN-ONE VM Image - Part 4

Creating an ALL-IN-ONE VM Image - Part 5

Creating an ALL-IN-ONE VM Image - Part 6

Creating an ALL-IN-ONE VM Image - Part 7

Creating an ALL-IN-ONE VM Image - Part 8

Creating an ALL-IN-ONE VM Image - Part 9

Creating an ALL-IN-ONE VM Image - Part 10-1

Creating an ALL-IN-ONE VM Image - Part 10-2

 

 

The following configuration will be set up.

 

01. Basic setup - Create application and protect using Forms Authentication.

     - Service configuration

     - Startup/Shutdown scripts

     - Logging

     - Basic Concepts

02. Standard Authentication Schemes

     - Basic Concepts

     - Basic

     - HTML Forms

     - HTML using UID and EMAIL

     - Basic over SSL

03. Certificate Authentication Schemes

     - X.509 Certificate Only

     - X.509 Certificate or Basic

     - X.509 Certificate and Basic

     - X.509 Certificate or Form

     - X.509 Certificate and Form

04. Windows Authentication Scheme

05. OAuth Authentication Scheme

06. Cookie Provider

07. Directory Mapping

08. Password Services

09. Impersonation

10. Session Assurance

11. SAML 2.0 Partnership Federation - SSO

12. SAML 2.0 Partnership Federation - SLO

13. SAML 2.0 Partnership Federation - RelayState

14. SAML 2.0 Partnership Federation - Negative Assertion

15. SAML 1.x Partnership Federation

16. Audit Log import

17. Generating Reports

18. SiteMinder Test Tool

19. Global Delivery Modules

20. Troubleshooting

 

Continued from Part 3.

 

02. Standard Authentication Schemes

     - HTML using UID and EMAIL


This is a demonstration of how to add complexity to the login form by requiring an additional attribute value for authentication.

 

How to Configure HTML Forms Authentication

The use case is described in the online documentation so you can reference it as well.

Also, if you check <WA>/samples/forms/fullname.fcc, it is the same use case, except that it adds "Full Name" instead of "eMail".

 

Step1: Create the loginemail.fcc and loginemail.unauth files

 

Go to the "<WA>/samples/forms/" folder and copy login.fcc to loginemail.fcc (we could copy fullname.fcc, but for demonstration purposes I am choosing the vanilla login.fcc file).

Every .fcc file must have a matching .unauth file, so copy login.unauth to loginemail.unauth.

 

Modify the loginemail.fcc file as below.

login.fcc (original)

<!-- SiteMinder Encoding=UTF-8; -->
@username=%USER%
@smretries=0

<html>

<head>
<meta http-equiv="Content-Type" content="text/html;charset=$$SMENC$$">
  <title>SiteMinder Password Services</title>

<!-- Cross-frame scripting prevention: This code will prevent this page from being encapsulated within HTML frames. Remove, or comment out, this code if the functionality that is contained in this SiteMinder page is to be included within HTML frames. -->
<STYLE>
   html {
      display : none ;
      visibility : hidden;
   } </STYLE>
<SCRIPT>
   if( self == top ) {
       document.documentElement.style.display = 'block' ;
       document.documentElement.style.visibility = 'visible' ;
   } else {
       top.location = self.location ;
   }
</SCRIPT>

<SCRIPT LANGUAGE="JavaScript">
function resetCredFields()
{
  document.Login.PASSWORD.value = "";
}

function submitForm()
{
     document.Login.submit();
}

</SCRIPT>

</head>

<body BGCOLOR="#ffffff" TEXT="#000000" onLoad = "resetCredFields();">

<!-- Customer Brand -->
<IMG alt=Logo src="/siteminderagent/dmspages/CATechnologies_logo.png">

<form NAME="Login" METHOD="POST">
<INPUT TYPE=HIDDEN NAME="SMENC" VALUE="$$SMENC$$">
<INPUT type=HIDDEN name="SMLOCALE" value="US-EN">
<center>

<!-- outer table with border -->
<table width="50%" height=200 border=1 cellpadding=0 cellspacing=0 >
  <tr>
    <td>
      <!-- Login table -->
      <table WIDTH="100%" HEIGHT=200 BGCOLOR="#FFEFD5" border=0 cellpadding=0 cellspacing=0 >

    <tr>
      <td ALIGN="CENTER" VALIGN="CENTER" HEIGHT=40 COLSPAN=4 NOWRAP BGCOLOR="#FFDAB9">
        <font size="+1" face="Arial,Helvetica">
        <b>Please Login</b></font>
          </td>
    </tr>

    <tr> <td colspan=4 height=10> <font size=1>   </font> </td> </tr>

    <tr>
      <td WIDTH=20 > </td>
      <td ALIGN="LEFT" >
            <b><font size=-1 face="arial,helvetica" > Username: </font></b>
          </td>
      <td ALIGN="LEFT" >
              <input type="text" name="USER" size="30" style="margin-left: 1px">
          </td>
      <td WIDTH=20 > </td>
    </tr>

    <tr> <td colspan=4 height=10> <font size=1>   </font> </td> </tr>

    <tr>
      <td WIDTH=20 > </td>
      <td >
            <b><font size=-1 face="arial,helvetica" > Password: </font></b>
          </td>
      <td ALIGN="left" >
              <input type="password" name="PASSWORD" size="30" style="margin-left: 1px">
      </td>
      <td WIDTH=20 > </td>
    </tr>

    <tr> <td colspan=4 height=10> <font size=1>   </font> </td> </tr>

    <tr>
      <td colspan=4 NOWRAP WIDTH="50%" HEIGHT="25" align="CENTER">
          <input type=hidden name=target value="$$target$$">
          <input type=hidden name=smquerydata value="$$smquerydata$$">
          <input type=hidden name=smauthreason value="$$smauthreason$$">
          <input type=hidden name=smagentname value="$$smagentname$$">
          <input type=hidden name=postpreservationdata value="$$postpreservationdata$$">
          <input type="button" value="Login" onClick="submitForm();">
      </td>
    </tr>

    <tr> <td colspan=4 height=5> <font size=1>   </font> </td> </tr>
      </table>
    </td>
  </tr>
</table>
</form></center>

<script language="javascript">
  document.forms["Login"].elements["USER"].focus();
</script>

</body>
</html>

 

loginemail.fcc (after modification)

<!-- SiteMinder Encoding=UTF-8; -->
@username=%USER%
@password=PASSWORD=%PASSWORD%&mail=%urlencode(email)%
@smretries=0

<html>

<head>
<meta http-equiv="Content-Type" content="text/html;charset=$$SMENC$$">
  <title>SiteMinder Login Page with UID and EMAIL</title>

<!-- Cross-frame scripting prevention: This code will prevent this page from being encapsulated within HTML frames. Remove, or comment out, this code if the functionality that is contained in this SiteMinder page is to be included within HTML frames. -->
<STYLE>
   html {
      display : none ;
      visibility : hidden;
   } </STYLE>
<SCRIPT>
   if( self == top ) {
       document.documentElement.style.display = 'block' ;
       document.documentElement.style.visibility = 'visible' ;
   } else {
       top.location = self.location ;
   }
</SCRIPT>

<SCRIPT LANGUAGE="JavaScript">
function resetCredFields()
{
  document.Login.PASSWORD.value = "";
}

function submitForm()
{
     document.Login.submit();
}

</SCRIPT>

</head>

<body BGCOLOR="#ffffff" TEXT="#000000" onLoad = "resetCredFields();">

<!-- Customer Brand -->
<IMG alt=Logo src="/siteminderagent/dmspages/CATechnologies_logo.png">

<form NAME="Login" METHOD="POST">
<INPUT TYPE=HIDDEN NAME="SMENC" VALUE="$$SMENC$$">
<INPUT type=HIDDEN name="SMLOCALE" value="US-EN">
<center>

<!-- outer table with border -->
<table width="50%" height=200 border=1 cellpadding=0 cellspacing=0 >
  <tr>
    <td>
      <!-- Login table -->
      <table WIDTH="100%" HEIGHT=200 BGCOLOR="#FFEFD5" border=0 cellpadding=0 cellspacing=0 >

    <tr>
      <td ALIGN="CENTER" VALIGN="CENTER" HEIGHT=40 COLSPAN=4 NOWRAP BGCOLOR="#FFDAB9">
        <font size="+1" face="Arial,Helvetica">
        <b>Please Login</b></font>
          </td>
    </tr>

    <tr> <td colspan=4 height=10> <font size=1>   </font> </td> </tr>

    <tr>
      <td WIDTH=20 > </td>
      <td ALIGN="LEFT" >
            <b><font size=-1 face="arial,helvetica" > Username: </font></b>
          </td>
      <td ALIGN="LEFT" >
              <input type="text" name="USER" size="30" style="margin-left: 1px">
          </td>
      <td WIDTH=20 > </td>
    </tr>

    <tr> <td colspan=4 height=10> <font size=1>   </font> </td> </tr>
    <tr>
      <td WIDTH=20 > </td>
      <td ALIGN="LEFT" >
            <b><font size=-1 face="arial,helvetica" > Email: </font></b>
          </td>
      <td ALIGN="LEFT" >
              <input type="text" name="email" size="30" style="margin-left: 1px">
          </td>
      <td WIDTH=20 > </td>
    </tr>
    <tr> <td colspan=4 height=10> <font size=1>   </font> </td> </tr>

    <tr>
      <td WIDTH=20 > </td>
      <td >
            <b><font size=-1 face="arial,helvetica" > Password: </font></b>
          </td>
      <td ALIGN="left" >
              <input type="password" name="PASSWORD" size="30" style="margin-left: 1px">
      </td>
      <td WIDTH=20 > </td>
    </tr>

    <tr> <td colspan=4 height=10> <font size=1>   </font> </td> </tr>

    <tr>
      <td colspan=4 NOWRAP WIDTH="50%" HEIGHT="25" align="CENTER">
          <input type=hidden name=target value="$$target$$">
          <input type=hidden name=smquerydata value="$$smquerydata$$">
          <input type=hidden name=smauthreason value="$$smauthreason$$">
          <input type=hidden name=smagentname value="$$smagentname$$">
          <input type=hidden name=postpreservationdata value="$$postpreservationdata$$">
          <input type="button" value="Login" onClick="submitForm();">
      </td>
    </tr>

    <tr> <td colspan=4 height=5> <font size=1>   </font> </td> </tr>
      </table>
    </td>
  </tr>
</table>
</form></center>

<script language="javascript">
  document.forms["Login"].elements["USER"].focus();
</script>

</body>
</html>

 

In loginemail.fcc, you will find that we have added a whole new line:

@password=PASSWORD=%PASSWORD%&<attributename>=%<form name>%

If you are adding an additional attribute for authentication, the line must start with @password=PASSWORD=%PASSWORD%.

Then append each additional attribute as: a separator ampersand, the user attribute name in the user directory to be matched (here the mail attribute), an equal sign, and the form field name wrapped in percent signs (here email, from <input type="text" name="email">).

You can add more attributes this way.

 

Note that if you are not using additional attributes, you can simply delete the @password line.

Even if you delete it, the PASSWORD field is still mapped to the password credential by default.

If the additional attribute or the password may contain characters that need encoding (for example an ampersand, which would look like the start of another additional attribute; the full list is " . & = + ? ; / : @ , $ %), wrap the form field name in urlencode() as below.

@password=PASSWORD=%PASSWORD%&mail=%urlencode(email)%
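To make the encoding rule concrete, here is an added Python model of the substitution described above. It is not SiteMinder code and not part of the original post: %NAME% is replaced by the posted form field value, %urlencode(NAME)% by its URL-encoded value, and the resulting string is split on & and = like any name=value credential string. The posted values, the directory entry, and the variant directive that also wraps PASSWORD in urlencode() are constructed for the illustration (the post itself only encodes the email field). It shows a password containing & and = being mis-parsed into a truncated password plus a bogus attribute when left raw, and surviving intact when encoded.

```python
"""Model of the FCC @password directive expansion (illustration, not SiteMinder code)."""
import re
from urllib.parse import quote, unquote

# Characters the post lists as needing encoding inside a credential value.
RESERVED = set('".&=+?;/:@,$%')

# Matches %urlencode(NAME)% (group 1) or %NAME% (group 2).
PLACEHOLDER = re.compile(r"%(?:urlencode\((\w+)\)|(\w+))%")


def needs_encoding(value: str) -> bool:
    """True if a raw value contains a character from the reserved list."""
    return any(ch in RESERVED for ch in value)


def expand_directive(body: str, posted: dict) -> str:
    """Expand the text after '@password=' against the posted form fields."""
    def substitute(match):
        encoded_name, raw_name = match.groups()
        if encoded_name is not None:
            # safe="" so '&', '=', '/', ':', '@' and '%' are all percent-encoded
            return quote(posted.get(encoded_name, ""), safe="")
        return posted.get(raw_name, "")
    return PLACEHOLDER.sub(substitute, body)


def parse_credentials(blob: str) -> dict:
    """Split 'PASSWORD=...&mail=...' into a dict, URL-decoding each value."""
    creds = {}
    for pair in blob.split("&"):
        name, _, value = pair.partition("=")
        creds[name] = unquote(value)
    return creds


def authenticate(creds: dict, entry: dict) -> bool:
    """Constructed stand-in for the directory check: the password must match and
    every additional attribute must equal the user's directory value."""
    if creds.get("PASSWORD") != entry["password"]:
        return False
    return all(creds.get(attr) == entry[attr] for attr in entry if attr != "password")


# Constructed sample: what the loginemail.fcc form posts, and the directory entry
# it is checked against. The password deliberately contains '&' and '='.
POSTED = {"USER": "user1", "PASSWORD": "p&ss=word", "email": "user1@sso.lab"}
DIRECTORY_ENTRY = {"password": "p&ss=word", "mail": "user1@sso.lab"}

# The directive from the post, and a variant that also encodes the password.
RAW_PASSWORD_DIRECTIVE = "PASSWORD=%PASSWORD%&mail=%urlencode(email)%"
ENCODED_PASSWORD_DIRECTIVE = "PASSWORD=%urlencode(PASSWORD)%&mail=%urlencode(email)%"


def demo(directive: str) -> tuple:
    """Expand, parse and authenticate; returns (blob, parsed, authenticated)."""
    blob = expand_directive(directive, POSTED)
    parsed = parse_credentials(blob)
    return blob, parsed, authenticate(parsed, DIRECTORY_ENTRY)


if __name__ == "__main__":
    for directive in (RAW_PASSWORD_DIRECTIVE, ENCODED_PASSWORD_DIRECTIVE):
        blob, parsed, ok = demo(directive)
        print(f"{directive}\n  -> {blob}\n  -> {parsed}\n  -> authenticated={ok}")
```

Run as a script it prints both expansions; with the raw directive the password field arrives as "p" and an unexpected "ss" attribute appears, so authentication fails even though the user typed the right password. Wrapping every field that can carry reserved characters in urlencode() is the fix, and that applies to PASSWORD as much as to the additional attribute.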

 

Following is a screenshot of the files created. You do not need to do anything with the loginemail.unauth file.

The .unauth file is displayed if you set @smretries=3 and fail to submit the correct credentials 3 consecutive times.

It is always good practice to have the matching .unauth file.

 

 

Step2: Create Authentication Scheme

 

Log on to the AdminUI, navigate to "Infrastructure ==> Authentication ==> Authentication Schemes" and click "Create Authentication Scheme".

 

Select "Create a new object of type Authentication Scheme" and click "OK".

 

Fill in the fields as below.

Ensure that you update the TARGET to point to loginemail.fcc.

The important part is the "Additional Attribute List".

You must enter AL=PASSWORD first, then a comma, followed by the additional attribute(s) you specified in the .fcc (here AL=PASSWORD,mail). (AL stands for "Attribute List".)

 

Step3: Create Realm, Rule, update Policy

 

Navigate to "Policies ==> Application ==> Applications" and modify the "www.sso.lab" application (click on the pencil icon at the right end).

 

Click on "Create Component".

 

Fill in the details as below and click "OK".

We are protecting /mail/ with the "UID + EMAIL Login Form" Authentication Scheme.

 

 

Click on "Resources" tab and from the "context root" dropdown menu select "/mail/".

Click on "Create" button to create a resource for this component.

 

Fill in the details.

This will allow GET and POST requests for everything under /mail/ if the user is authorized by Policy Server.

 

 

 

Click on "Policy" tab and from the "context root" dropdown menu select "/mail/".

 

Select the check box at the intersection of "Access UID + Mail Realm" and "Basic Role" to apply "Basic Role" to "Access UID + Mail Realm".

Then click "Submit".

 

 

Then click "Submit" to finalize.

 

Step4: Test login.

 

Before we test login, we have to check the email value for the test user.

Let's create "user1" with "user1@sso.lab" email address.

 

Your web server should have the matching resource created.

It is also handy for the landing page to have a link to the /mail/ resource.

 

And the user gets access.

 

smtracedefault.log shows the mail attribute being processed during authentication.

[01/28/2016][13:48:01][user1][Authenticating user by the auth scheme][LDAP://192.168.201.101 192.168.201.102/CN=user1,CN=Users,DC=sso,DC=lab][][][][][][][][2656][4264]
[01/28/2016][13:48:01][][Processing Attribute [Property = mail] [Trim Property = mail] [Separator = ^]][][][][][][][][][2656][4264]
[01/28/2016][13:48:01][][Registered for XPS notifications for Realm objects modifications.][][][][][][][][][2656][4264]
[01/28/2016][13:48:01][][Failed to get the Realm's SessionAssuranceLink attribute.][][][][][][][][][2656][4264]
[01/28/2016][13:48:01][][SessionAssurance is not enabled.][][][][][][][][][2656][4264]
[01/28/2016][13:48:01][][SmSamlDataContext::~SmSamlDataContext: Cleaning up][Cleaning up][][][][][][][][2656][4264]
[01/28/2016][13:48:01][user1][** Status: Authenticated. ][][agent.iis][][][][][][][2656][4264]
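As an added example (not from the post and not a CA tool), the following Python parser extracts the authentication facts from the trace lines above. The point worth seeing is that trace fields are bracketed but may themselves contain brackets, as the Processing Attribute line does, so a single-level regex such as \[([^\]]*)\] splits that message into three fields and shifts everything after it; a depth-tracking tokenizer does not. The field positions used (user, message, data, agent, and pid/tid at the end) are inferred from the lines shown and depend on the trace template in use; the sample input is the log excerpt above, copied verbatim.

```python
"""Depth-aware parser for smtracedefault.log lines (added example)."""
import re

# Field positions inferred from the lines above. Field names come from the
# trace template in use; only these positions are relied on here.
F_USER, F_MESSAGE, F_DATA, F_AGENT = 2, 3, 4, 5
PROPERTY = re.compile(r"\[Property = ([^\]]+)\]")
NAIVE_FIELD = re.compile(r"\[([^\]]*)\]")  # the tempting but wrong tokenizer

# Sample input: the smtracedefault.log excerpt above, copied verbatim.
TRACE_LINES = [
    "[01/28/2016][13:48:01][user1][Authenticating user by the auth scheme][LDAP://192.168.201.101 192.168.201.102/CN=user1,CN=Users,DC=sso,DC=lab][][][][][][][][2656][4264]",
    "[01/28/2016][13:48:01][][Processing Attribute [Property = mail] [Trim Property = mail] [Separator = ^]][][][][][][][][][2656][4264]",
    "[01/28/2016][13:48:01][][Registered for XPS notifications for Realm objects modifications.][][][][][][][][][2656][4264]",
    "[01/28/2016][13:48:01][][Failed to get the Realm's SessionAssuranceLink attribute.][][][][][][][][][2656][4264]",
    "[01/28/2016][13:48:01][][SessionAssurance is not enabled.][][][][][][][][][2656][4264]",
    "[01/28/2016][13:48:01][][SmSamlDataContext::~SmSamlDataContext: Cleaning up][Cleaning up][][][][][][][][2656][4264]",
    "[01/28/2016][13:48:01][user1][** Status: Authenticated. ][][agent.iis][][][][][][][2656][4264]",
]


def split_bracket_fields(line: str) -> list:
    """Split one trace line into its top-level [..] fields.

    Brackets nested inside a field (as in the Processing Attribute message)
    are kept as part of that field instead of terminating it.
    """
    fields, current, depth = [], [], 0
    for ch in line:
        if ch == "[":
            if depth:
                current.append(ch)
            depth += 1
        elif ch == "]":
            if depth == 0:
                raise ValueError("unbalanced ']' in trace line")
            depth -= 1
            if depth == 0:
                fields.append("".join(current))
                current = []
            else:
                current.append(ch)
        elif depth:
            current.append(ch)
    if depth:
        raise ValueError("unterminated '[' in trace line")
    return fields


def naive_field_count(line: str) -> int:
    """Field count a single-level regex reports (too high when brackets nest)."""
    return len(NAIVE_FIELD.findall(line))


def summarize_authentication(lines) -> dict:
    """Pull who authenticated, against what, with which attributes, and the result."""
    summary = {"user": None, "directory_entry": None, "attributes": [],
               "status": None, "agent": None, "pid": None, "tid": None}
    for line in lines:
        fields = split_bracket_fields(line)
        message = fields[F_MESSAGE]
        summary["pid"], summary["tid"] = fields[-2], fields[-1]
        if message.startswith("Authenticating user by the auth scheme"):
            summary["user"] = fields[F_USER]
            summary["directory_entry"] = fields[F_DATA]
        elif message.startswith("Processing Attribute"):
            # Collect every [Property = X] the auth scheme evaluated
            summary["attributes"].extend(PROPERTY.findall(message))
        elif message.startswith("** Status:"):
            summary["status"] = message[len("** Status:"):].strip().rstrip(".")
            summary["agent"] = fields[F_AGENT] or None
    return summary


if __name__ == "__main__":
    for key, value in summarize_authentication(TRACE_LINES).items():
        print(f"{key:16} {value}")
```

On the excerpt above this reports user1 authenticated against the CN=user1,CN=Users,DC=sso,DC=lab entry with the mail attribute processed, which is exactly the evidence you want when confirming that the additional attribute was actually checked rather than silently ignored.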

 

 

     - Basic over SSL

 

"Basic" Authentication Scheme and "Basic over SSL" Authentication Scheme are very different thing although they are both prompted for Basic authentication.

 

As a prerequisite, your web server must have SSL configured, as the name suggests.

I will swiftly go through requesting and issuing server certificates.

 

*** Enable SSL on IIS ***

 

# www.sso.lab

 

Load IIS Manager and, at the machine level (left pane), select "Server Certificates" (mid pane).

 

You will see the currently available certificates.

At the right pane, click on "Create Certificate Request..."

 

Enter the fields.

You MUST add the correct FQHN in the "Common name" field.

This certificate request is for https://www.sso.lab so I am entering www.sso.lab

 

Select the desired bit length. IIS Manager defaults to 1024; choose at least 2048, since 1024-bit RSA keys are no longer considered adequate and public CAs no longer issue certificates for them.

 

Save the Certificate Signing Request (C:\Users\Administrator\Desktop\www_sso_lab_req.txt).

 

Open IE and go to http://www.sso.lab/certsrv/

 

Click on "Request a certificate"

 

Click on "advanced certificate request"

 

Click on "Submit a certificate request by using a base-64-encoded CMC or PKCS #10 file...."

 

Paste "www_sso_lab_req.txt" content to the "Saved Request" field.

Select "Web Server" from "Certificate Template" dropdown menu.

 

Select "Base 64 encoded" (it does not matter which format you download at this point) and click "Download certificate".

Click "Save As" and save it as "www_sso_lab.cer" on the desktop.

 

 

Go back to IIS Manager screen where you clicked "Create Certificate Request".

This time, click "Complete Certificate Request...".

 

Select the issued certificate and enter a friendly name that will appear in the certificate list.

 

You can now see the new certificate is added to the list.

 

Your Server Certificate is ready to be applied to a web server instance.

Select "Default Web Site" instance(left pane).

Click on "Bindings" at the right pane.

 

Click "Add..." button.

 

Select type: https

IP address: 192.168.201.101 (DNS resolves www.sso.lab to this IP)

Port: 443

SSL Certificate: Select from dropdown menu the friendly name www.sso.lab

 

Now your web instance is configured to listen on ports 80 and 443.

 

You should now see at the right pane the new configuration showing it is listening on port 443.

 

Now, open a browser and visit https://www.sso.lab and it should display the content.

 

# www.partner.lab

Repeat the steps above, just change the "Common name" to "www.partner.lab".

This certificate will be used on the CA Access Gateway(SPS).

I will cover this part later when we are using CA Access Gateway(SPS) in the future.

It should look like the screenshot below once the www.partner.lab certificate is imported.

 

Now that SSL is enabled on this IIS server, we can continue with setting up the "Basic over SSL".

 

Step1: Configure the IIS side setting to force Basic over SSL.

 

Load IIS Manager, select the "Default Web Site" instance and navigate to "/siteminderagent/nocert" virtual directory.

 

 

In the mid pane, click on "SSL Settings".

Check "Require SSL" and set Client certificates to "Ignore".

 

Click "Apply" button at the right pane to complete this change.

 

 

Step2: Configure "Basic over SSL" Authentication Scheme

 

I will be skipping some basic screens as they have been demonstrated before.

 

Create Authentication Scheme:

Name: Basic over SSL Authentication

Authentication Scheme Type: Basic Over SSL Template

Protection Level: 10

Password Policies enabled for this Authentication Scheme: true

Server Name: www.sso.lab

Port: (can be left empty since I am using the default port 443)

Target: /siteminderagent/nocert/smgetcred.scc

Library: smauthcert

 

Step3: Create Component and Resource to protect the /basicssl/

Modify "www.sso.lab" Application and click "Create Component".

 

Component Name: Basic over SSL Realm

Agent: agent.iis

Resource Filter: /basicssl/

Default Resource Protection: Protected

Authentication Scheme: Basic over SSL Authentication

 

Create Resource

Name: Access BasicSSL

Resource: *

Allow Access: true

Action/Web Agent Actions: GET, POST

 

 

Update Policy to allow "Basic Role" for "Access BasicSSL".

 

Step4: Test the Basic over SSL.

You must ensure your web server has a /basicssl/ directory and content to display.

Visit http://www.sso.lab/basicssl/

You are now redirected to https://www.sso.lab/siteminderagent/nocert/* and challenged there.

You can tell this is a SiteMinder challenge because the prompt shows the Component (Realm) name and a timestamp of the challenge.

Now, there is a difference between Basic and Basic over SSL.

With "Basic" authentication there is NO REDIRECT; the challenge is issued on the originally requested URL.

With "Basic over SSL", you are redirected to the SSL credential collector first.

 

Once authenticated you will be redirected back to the initially requested URL.

 

Now that we have SSL enabled on the Web Server, we should change the HTML Authentication Schemes to make use of it.

Please modify the "Login Form for www.sso.lab" and "UID + EMAIL Login Form" Authentication Scheme to enable "Use SSL Connection" check box.

No credential should be transmitted in the clear.

 

 

In the next article, we will be setting up Certificate Authentication. It is exciting!

 

This concludes "Configuring an ALL-IN-ONE VM Image - Part 4"
