Symantec Access Management

  • 1.  Custom Form Based Authentication (Layer7)

    Posted Jan 25, 2018 03:35 PM
      |   view attached

    Hello All,

     

    So I'm new to the CA community, and kinda new to working with the Layer7. Ran into a little bit of a problem with authenticating users. My layer7 policy uses "Require HTTP Basic Credentials" assertion to verify the user's access to the URI by checking against the "Identity Provider". I was however told this will not work because basic auth is disabled on the browser and thus the authentication pop-up will never come up. I was thinking of using a Form-Based Authentication to have the user verify, but I can't think of how I will implement this on the Layer7. Any suggestion will help, thanks!

     

    This is what I've so far, but "Require HTTP Basic Credentials" assertion will not work.

    Attachment(s)

    zip
    Auth_Template.xml.zip   3 KB 1 version


  • 2.  Re: Custom Form Based Authentication (Layer7)

    Posted Jan 29, 2018 07:52 AM

    Are you trying to do user authentication for a API, or for a browser based application?  APIM (Layer7) is our API management tool, CA Single Sign-On is our tool for browser based user authentication and authorization.   Your note indicated it was within the browser so you may not be using the correct tool.   CA SSO can setup a forms based authentication which you can customize to your look and feel and send that to the browser when users have to authenticate.   It also offers numerous other ways to login such as windows authentication, kerberos, certificates, SAML, Oauth2, and basic authentication.

     

    We are seeing both solutions used together for browser based applications that make REST calls.   (Single page apps) SSO authenticates the browser to the app, and then can generate an OIDC token that can be sent on the API requests that go to the APIM server.



  • 3.  Re: Custom Form Based Authentication (Layer7)

    Posted Jan 29, 2018 12:50 PM

    We are having users authenticate for browser based applications. The basic auth did what we needed, it asked users to verify their credentials before they are able to access, but unfortunately the clients don't have http basic auth enabled on their chrome, so we have to find an alternative method.



  • 4.  Re: Custom Form Based Authentication (Layer7)

    Posted Jan 29, 2018 10:48 AM

    If you're not using CA SSO for the authentication of the user, have you tried the Require XPath credentials instead of basic? That lets you pull username+pass out of a POST body.

     

    You'd need the front-end form of course to harvest the creds and POST them of course.



  • 5.  Re: Custom Form Based Authentication (Layer7)

    Posted Jan 29, 2018 12:44 PM

    I've not tried a XPath Cred as I don't have experience using it. The HTTP basic auth was simple, but unfortunately will not work for my case.  Will I be able to use the identity provider with XPATH to verify? Thanks again for replying.



  • 6.  Re: Custom Form Based Authentication (Layer7)

    Posted Jan 29, 2018 01:00 PM

    So far as I know it should. I've not done it to an internal IDP before (I send it to CA SSO), but should work to internal based on docs/samples.

     

    The one from Stephen Hughes here is what I used to get started - Custom HTTP Authorization Header 

     

    For CA SSO the basic steps here - How to expose REST services to support Siteminder authentication & authorization  ?   Logic should be similar I'd imagine just switch out to authenticate to internal identity provider.

     

    But just remember you'd need to have that log in form somewhere to actually do the credential POST and all that. With basic the creds are sent with each request, with a form POST it won't so you have to use something like session cookie (which CA SSO would give you).



  • 7.  Re: Custom Form Based Authentication (Layer7)

    Posted Feb 08, 2018 03:53 PM

    Thanks for the guidance.  The tips helped