Symantec Access Management


Integrated Windows Authentication

  • 1.  Integrated Windows Authentication

    Posted Oct 21, 2013 05:37 AM
    Hi,

    I would like to setup IWA in existing environment.

    In current scenario, I am having number of applications protected using SiteMinder policy server and they all are using same Form based auth scheme to enforce Centralized Login page hosted on server managed by us. Some applications are using Active Directory Auth directory while others using OID.

    As per my understanding, below things needs to be setup in order to achieve IWA:
    - IIS Webserver hosting some dummy pages
    - Windows Authentication Scheme
    - Browser with IWA enabled settings

    I have an IIS server built and protected by a SiteMinder agent, with directories having Anonymous Access and the SiteMinder Agent/NTLM directory using Windows Authentication. The Windows Authentication Scheme has the same protection level as the existing form based auth scheme used across the applications, and is configured with the FQDN of the IIS Webserver.

    Whenever a user logs into a PC with his credentials and opens an IWA enabled browser to access SM protected applications, he puts in some application specific URL. As this application is protected by SM, it enforces the SM Policy and when it sees no SMSESSION, it redirects the user to Login.fcc hosted on the centralized server. My questions are as below :-
    1. Do I need to put some redirection in Login.fcc to some dummy page which is protected using Windows Authentication Scheme to make communication with IIS for NTLM based authentication/user validation?
    2. As mentioned some applications are using OID as auth directory, so what should be done in such scenario as all PC's are part of the AD domain and using AD credentials to log in.
    3. Not sure when the IWAABLE cookie is set and what role does it play in IWA?
    4. Any other customization required ?

    Would appreciate to know more in this context.

    Thanks in advance.

    Regards,
    Vishal


  • 2.  RE: Integrated Windows Authentication

    Posted Oct 21, 2013 12:37 PM
    Vishal,

    understand there are 4 pieces for this to work

    1: Microsoft Internet Explorer - this needs to be set to send credentials

    2: IIS - this should be anonymous access so that it gets the id from SiteMinder, with ONE exception, which is the SiteMinder Agent's NTLM directory, which should be Integrated Windows Login, so that SiteMinder can get information from IIS

    3: Active Directory

    4: Your SM authentication scheme; it needs to be the Windows template based. Use the samaccountname={UID%} to start. As you get more complicated it is harder to make things work, so start with the basic that works for 90% or so of the use cases.

    note: {} content are case sensitive, so UID must be UID, not uid, Uid, UId, uID, uId, UiD, ....

    more information is contained in the site minder documentation and help pages

    -josh


  • 3.  RE: Integrated Windows Authentication

    Posted Oct 21, 2013 11:53 PM
    Hi Josh,

    Thanks for the details.

    However, my questions are still unanswered

    My questions are as below :-
    1. Do I need to put some redirection in Login.fcc to some dummy page which is protected using Windows Authentication Scheme to make communication with IIS for NTLM based authentication/user validation?
    2. As mentioned some applications are using OID as auth directory, so what should be done in such scenario as all PC's are part of the AD domain and using AD credentials to log in.
    3. Not sure when the IWAABLE cookie is set and what role does it play in IWA?
    4. Any other customization required ?

    Thanks,
    Vishal


  • 4.  RE: Integrated Windows Authentication

    Posted Oct 22, 2013 06:43 AM
    Hi Vishal,

    Request you have a look at the documentation for configuring windows Authentication.

    Look for the below part of the documentation; it talks about IIS 6.0 but it's applicable for IIS 7.x also.

    https://support.ca.com/cadocs/0/CA%20SiteMinder%20r12%20SP3-ENU/Bookshelf_Files/HTML/idocs/index.htm?toc.htm?sm-impl.html

    Installation and Upgrade Guides › Web Agent Installation Guide for IIS › Configure an SiteMinder Web Agent on an IIS 6.0 Web Server › How to Configure a SiteMinder Web Agent on IIS 6.0 › Configure the Virtual Directory for Windows Authentication Schemes (IIS 6.0)

    There is no customization required for IWA Authentication.
    If user's desktop is connecting to AD for example then you should use the same AD for configuring them in policies. As stated by Josh in previous update you need to create authentication scheme in that format.

    Regards
    Vikas Tiwari


  • 5.  RE: Integrated Windows Authentication

    Posted Oct 27, 2013 07:16 PM
    vishal-nord:
    1. Do I need to put some redirection in Login.fcc to some dummy page which is protected using Windows Authentication Scheme to make communication with IIS for NTLM based authentication/user validation?


    When you configure the Windows Authentication Scheme from the SiteMinder AdminUI, you will see the TARGET being different from the HTML Authentication Scheme.

    Every authentication scheme has its own credential collector and for that reason the target will be different.

    You just need to create a Windows Authentication Scheme and you do not need to create any dummy page.


  • 6.  RE: Integrated Windows Authentication

    Posted Nov 05, 2013 04:29 AM

    Hi Kim,

    Thanks for your response.

    Well, here is the detailed description of what exactly I would like to implement.

    Current Setup:
    Policy Server Version - R12 SP3
    No Cross Domain SSO in place

    In the current scenario, we are having a number of applications (Intranet) protected using SiteMinder policy servers and they all are using the same Form based Auth scheme to enforce the Centralized Login page hosted on a server managed by us.
    Some applications are using Active Directory as a Authentication directory while others using OID. Flow is something like, user access a protected resource and redirected to login.jsp page hosted on centralized server that we have. Then user enters credentials and submits it. The credentials then posted to login.fcc page on centralized server and user is authenticated & authorized. After which user is redirected to the initially requested application page.

    Requirement:
    Whenever a user logs into a PC with his AD credentials and opens an IWA enabled browser, he accesses SM protected applications (with Form based authentication). The user should not be asked to log in again, with the help of IWA. Now here, I don't want to change the Form based authentication scheme to Windows Authentication for any of the protected applications and still want to achieve IWA. Simply, what I want is to keep the current setup as it is (application resources protected with Form Based Authentication) and achieve IWA. I don't want application resources to be protected using the IWA Windows Authentication scheme.

    Can you please let me know the OOB solution for this?

    I was thinking of doing it in following way although not sure whether it will work
    - Deploy some dummy pages protected with Windows Authentication Scheme
    - Browser with IWA enabled settings
    - Put redirection in Login.fcc to dummy page which is protected using Windows Authentication Scheme to make communication with IIS for NTLM based authentication/user validation
    - Once IWA is achieved, dummy page should redirect user to initially requested page.[Still not sure, how this can be done]


    Clarification Required on below points:
    1. All users currently log in with a 4 digit ID (say login ID) and password which AD stores, while the form based authentication scheme protecting all the applications prompts the user for Employee ID/samaccountname which is stored in either AD or OID. Will there be any issue likely to occur in this case?

    2. As mentioned some applications are using OID as Auth directory and some are using AD, so what should be done in such scenario as all PC's are part of the AD domain and using AD credentials to log in. How the applications
    protected by Form Based Authentication scheme with OID as authentication directory will behave when we have IWA in place which talks with AD?

    3. User should be redirected to Form Based Login page in case of Kerberos Ticket/NTLM Authentication fails. How this can be achieved ?


    Appreciate your earliest help in this

    Regards,
    Vishal



  • 7.  RE: Integrated Windows Authentication

    Posted Nov 29, 2013 01:26 AM

    Hi,

    Can anyone help here ?

    Regards,

    Vishal



  • 8.  RE: Integrated Windows Authentication

    Posted Dec 02, 2013 09:47 AM

    Hi Vishal,

    There's a few IWA with Forms Fall Back methods.

    "WinForms Select Auth"
    "SmNTLM_IWA_FailoverToHTMLForms"

    I don't believe either is officially supported though.

    I would look into them as they are likely your best bet.


  • 9.  RE: Integrated Windows Authentication

    Posted Dec 02, 2013 10:14 AM
    Hi Vishal, An important detail would be whether or not all your users will be using Internet Explorer. I described our experience on this subject in the following message: https://communities.ca.com/web/ca-identity-and-access-mgmt-distributed-global-user-community/message-board/-/message_boards/view_message/99214506#_19_message_99944466


  • 10.  Re: Integrated Windows Authentication

    Posted Aug 20, 2014 12:40 PM

    Hi Vishal,

    I am not sure whether you are able to solve this issue or not.

    I had worked on a solution for a similar setup: AD and LDAP as user directories, and most of the applications use form authentication.

    For seamless authentication with IWA and applications with LDAP user directories:

    You need to protect a new IIS resource with IWA authentication and configure LDAP as the user directory (instead of AD).

    But the catch here is you need to sync user id and password between AD and LDAP, so that sAMAccountName in AD is the same as uid in LDAP.

    So that the IWA authentication scheme can search the user in LDAP also by using the credentials passed from the Windows machine.

    Regarding no change to the authentication scheme for most of your applications which are using form based:

    You may have to put a redirection in your login page code (form HTML URL) and redirect to the IWA authentication scheme URL with target as the IWA resource.

    In the IWA resource again have logic to redirect to the origin TARGET URLs.

    This would be a lot of customization, but feasible. And also you would be using the IWA auth scheme against LDAP.

    LDAP and AD users are synched in such a way that user id and passwords match.

    Regards,

    Srinivas Meganath, CISSP.
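The redirect chain sketched in post 6 (dummy IWA page, fall back to the form login when NTLM/Kerberos fails) and post 10 (login page redirects to the IWA resource with a TARGET, the IWA resource redirects back to the origin TARGET) as an added Python example; this is not SiteMinder code or anything from the posters. The hostnames and paths are assumptions, and the example adds the check a practitioner needs here: TARGET is attacker-influenced query input, so it is only honoured when it points back into the intranet domain.

```python
from urllib.parse import parse_qs, urlencode, urlsplit

# Assumed URLs for this example; real hosts and paths are deployment specific.
IWA_RESOURCE = "https://iwa.intranet.example/ntlm/index.html"  # protected by the Windows auth scheme
FORM_LOGIN = "https://login.intranet.example/login.jsp"        # existing form based login page
DEFAULT_LANDING = "https://portal.intranet.example/"           # used when TARGET is missing or unsafe
ALLOWED_DOMAIN = "intranet.example"                            # only send users back to these hosts


def is_safe_target(target: str) -> bool:
    """Accept only HTTPS URLs under the intranet domain, so the TARGET parameter
    cannot be turned into an open redirect to an external site."""
    try:
        parts = urlsplit(target)
    except ValueError:
        return False
    host = parts.hostname or ""
    return parts.scheme == "https" and (host == ALLOWED_DOMAIN or host.endswith("." + ALLOWED_DOMAIN))


def safe_target(target: str) -> str:
    return target if is_safe_target(target) else DEFAULT_LANDING


def login_page_redirect(target: str) -> str:
    """Hop 1: the form login page sends an IWA capable browser to the IWA protected
    resource, carrying the originally requested URL in TARGET."""
    return IWA_RESOURCE + "?" + urlencode({"TARGET": safe_target(target)})


def iwa_resource_redirect(query_string: str, iwa_succeeded: bool) -> str:
    """Hop 2: after the Windows scheme has (or has not) authenticated the user, the
    IWA resource forwards them to the original TARGET, or falls back to the form
    login page when no Kerberos/NTLM credentials were accepted."""
    target = safe_target(parse_qs(query_string).get("TARGET", [""])[0])
    if iwa_succeeded:
        return target
    return FORM_LOGIN + "?" + urlencode({"TARGET": target})


if __name__ == "__main__":
    hop1 = login_page_redirect("https://app1.intranet.example/hr/")
    print(hop1)
    print(iwa_resource_redirect(hop1.split("?", 1)[1], iwa_succeeded=True))
    print(iwa_resource_redirect(hop1.split("?", 1)[1], iwa_succeeded=False))
    # constructed hostile TARGET: rejected and replaced by the default landing page
    print(iwa_resource_redirect("TARGET=https%3A%2F%2Fevil.example%2F", iwa_succeeded=True))
```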



  • 11.  Re: Integrated Windows Authentication

    Posted Aug 26, 2014 08:22 AM

    Srinivas,

    are you talking about splitting Authentication to AD and Authorization to LDAP via a common unique Identifier?

    Just want to be sure as it seems that is what you are talking about.

    -Josh



  • 12.  Re: Integrated Windows Authentication

    Posted Aug 26, 2014 10:56 AM

    Hi Josh,

    No, I have not split Authentication to AD and Authorization to LDAP.
    In our case AD and LDAP user id and passwords are synched.
    So I used this LDAP expression in the IWA NTLM authentication scheme:

    (&(objectclass=***)(uid=%{UID}))

    Now Authentication and authorization is against LDAP and seamless SSO works from this IWA enabled application to the other LDAP user directory and form based authentication scheme applications, as long as the protection level is the same.

    I hope I answered your question.

    Regards,

    Srinivas.
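The user lookup above works because the Windows account name handed over by IWA is substituted into the LDAP filter in place of %{UID}. The added Python example below (not SiteMinder's code or the poster's) shows that substitution done safely: the down-level (DOMAIN\user) or UPN form is reduced to the bare account name that must equal uid in LDAP, and the value is escaped per RFC 4515 so that it can never change the structure of the filter. The objectclass value is an assumption, since the post elides it.

```python
# Modelled on the lookup expression in the post; objectclass value is an assumption.
LOOKUP_TEMPLATE = "(&(objectclass=inetOrgPerson)(uid=%{UID}))"

# RFC 4515 escapes for the characters that would otherwise alter the filter structure.
_LDAP_ESCAPES = {"\\": "\\5c", "*": "\\2a", "(": "\\28", ")": "\\29", "\x00": "\\00"}


def ldap_escape(value: str) -> str:
    """Escape an assertion value so it is matched literally inside a filter."""
    return "".join(_LDAP_ESCAPES.get(ch, ch) for ch in value)


def account_name(windows_identity: str) -> str:
    """Reduce DOMAIN\\user or user@realm to the bare account name, which is the
    value that has to be identical to uid in the LDAP directory."""
    if "\\" in windows_identity:
        windows_identity = windows_identity.split("\\", 1)[1]
    return windows_identity.split("@", 1)[0]


def build_lookup_filter(windows_identity: str, template: str = LOOKUP_TEMPLATE) -> str:
    """Substitute %{UID} in the template with the escaped account name."""
    uid = account_name(windows_identity)
    if not uid:
        raise ValueError("empty account name in Windows identity")
    return template.replace("%{UID}", ldap_escape(uid))


if __name__ == "__main__":
    print(build_lookup_filter("CORP\\jdoe"))          # constructed down-level name
    print(build_lookup_filter("jdoe@corp.example"))  # constructed UPN
    print(build_lookup_filter("CORP\\*"))             # wildcard is escaped, not evaluated
```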



  • 13.  Re: Integrated Windows Authentication

    Posted Aug 26, 2014 01:47 PM

    Srinivas,

    thank you for the answer. That's an interesting approach.
    I'll have to remember it for the future.

    -Josh



  • 14.  Re: Integrated Windows Authentication

    Posted Aug 25, 2014 02:45 PM

    Vishal,

    Are you still looking for assistance with the SiteMinder IWA auth scheme and/or implementation?

    I have been customizing our IWA implementation for 7 years and may be able to help.

    Mike



  • 15.  Re: Integrated Windows Authentication

    Posted Mar 23, 2015 01:32 PM

    Mike,

    I have been working with the IWA/forms authentication solution that CA services provided. It works great for standard agents, but leaves a lot to be desired for federation. Have you done any customization for working with federation requests? I have done some, but new scenarios keep cropping up (SP initiated, IDP initiated, RelayState in URL, encrypted assertions, hyphens and spaces in unexpected places from some SPs, etc.), and it has turned into a hefty amount of JavaScript. I was wondering if you have worked on this, and maybe have a more elegant solution. If I could get the federation service to input a referer header (internal only of course, and only for a specific resource if possible) this task would be very simple.

    Also, this feature really needs to be included in a CA release.

    Thanks,

    Brian



  • 16.  Re: Integrated Windows Authentication

    Posted Mar 23, 2015 02:59 PM

    IWA really only works when the end user is logged into Active Directory. For us, that means intranet use. Federation for us is internet, so IWA really doesn't apply.

    The only use case I can think of is an intranet user accessing Federation as an IDP. The user can IWA auth, access Federation, then Federate to an outside SP.

    If the cookie domains for intranet and internet are different, then somewhere along the line, Cookie Provider (CP) will be needed. CP can be enabled on the IWA web agent or the Federation web agent.



  • 17.  Re: Integrated Windows Authentication

    Posted Mar 23, 2015 03:11 PM

    Thanks for the info. Your architecture prevents you from running into the same scenario that I am facing. Sounds like you are using a portal model for federation where we are using direct links.

    The issue I'm running into is not cookie related. It has to do with how the federation service manipulates the URLs; it's a combination of URI encoding and delimiting with "-". The difficult part is that it selectively applies these changes to each individual section of the query string. Everything CA puts in, I have to parse out.