Symantec Access Management

  • 1.  IWA Fallback to Forms on Access Gateway - Browser Pop-up

    Posted Aug 18, 2020 08:24 PM
    Hi,

    I am using the Authentication Chain feature in Single Sign On 12.8 to implement Integrated Windows Authentication (IWA) through Access Gateway, with fallback to HTML forms login. When IWA fails, the fallback feature is not fully working: users are getting prompted with a browser pop-up to enter their credentials instead of going to the HTML form secondary authentication scheme.

    Has anyone implemented the fallback in a way that avoids the browser pop-up?

    Also, we are currently using a Windows Authentication scheme as the method for IWA and are thinking of trying Kerberos instead - does anyone know if using Kerberos bypasses the browser pop-up and sends users directly to the form?

    Thank you


  • 2.  RE: IWA Fallback to Forms on Access Gateway - Browser Pop-up

    Broadcom Employee
    Posted Aug 19, 2020 02:28 AM
    Hi Michael,

    When implementing the IWA fallback to Form feature, you need to consider:

    - Ensure that the browsers are configured properly to trust the URLs
    and for automatic login;

    - Ensure CA Access Gateway (SPS) and Policy Server are at the same level
    in 12.8;

    - Only implement IWA or Kerberos Authentication Scheme, not both at
    the same time;

    Further notes on this:

    Authentication Chain with IWA Authentication Scheme Fallback to Form not happening PCs outside company domain
    https://knowledge.broadcom.com/external/article?articleId=108650

    IWA authchain not working with domain joined machine when not in network
    https://knowledge.broadcom.com/external/article?articleId=113093

    IWA to form fallback shows undesirable pop up authentication prompt
    https://knowledge.broadcom.com/external/article?articleId=190084

    IWA Fail back form login popup windows
    https://knowledge.broadcom.com/external/article?articleId=189624

    Issues configuring NTLM Windows Authentication
    https://knowledge.broadcom.com/external/article?articleId=140591

    Google Chrome not working with Windows authentication
    https://knowledge.broadcom.com/external/article?articleId=115852

    chrome IWA
    https://knowledge.broadcom.com/external/article?articleId=110055

    I hope this helps,

    Best Regards,
    Patrick


  • 3.  RE: IWA Fallback to Forms on Access Gateway - Browser Pop-up

    Posted Aug 19, 2020 11:22 AM
    Hi Patrick,

    Thanks for the info and all the articles. My takeaway from reading these is that if we use the Authentication Chain scheme, we cannot suppress the browser pop-up without making updates on end users' browsers. Are you aware of any other solutions to direct users to the fallback page immediately if IWA fails, regardless of browser settings?

    Thanks,
    Michael


  • 4.  RE: IWA Fallback to Forms on Access Gateway - Browser Pop-up

    Posted Aug 20, 2020 11:01 AM
    Edited by Camil Huric Aug 20, 2020 11:01 AM
    Hi Michael
    Let's go back one step.
    In any use case where we have an IWA-protected resource (with or without Siteminder), if the browser is not configured to retrieve user credentials, it does not even attempt automatic authentication but shows a pop-up. Simply put, the browser is instructed to show a pop-up when IWA authentication is encountered.
    So Siteminder needs the browser's "collaboration" to realize the fallback scenario as designed.

    However, I have seen a working workaround regardless of browser settings (if the browser has not been configured, the HTML login page will be shown instead of the pop-up).
    Keep in mind:
    - It is not the Authentication Chain feature, but a workaround.
    - You may experience decreased performance.

    How to do it:
    1. Protect your resource with an HTML scheme - login.fcc login page
    2. Protect another resource, let's call it /iwa/, with the IWA authentication scheme
    3. Modify the login.fcc page, adding inside the <head> section a jsp/AJAX function redirectOnIWA() like the example below
      • <!-- IWA Authentication -->
        <script type="text/javascript">
            var target="$$target$$";
            redirectOnIWA(target);
        </script>
    4. I do not have the code of redirectOnIWA(), but this function has to:
      • create an XMLHttp request calling the IWA-protected resource /iwa/
      • check if access to /iwa/ has been granted
        • if yes, redirect to target - interrupt login.fcc loading
        • if not, do nothing - continue login.fcc loading
    See an XMLHttpRequest example here: https://www.w3schools.com/xml/dom_httprequest.asp. It is a very good starting point.

    Have fun :-)
    Camil
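
One way the redirectOnIWA() function described in step 4 could be written, as an added example that is not part of the original post and is not Broadcom code. It assumes the /iwa/ path from step 2 and a login target on the same origin as the login page; `safeTarget`, `probeGranted` and the `env` parameter are hypothetical names introduced here.

```javascript
// Added example, not the code from the original post.
// Assumptions: the IWA probe lives at /iwa/ (step 2), and the login target
// is on the same origin as the login page.
const IWA_PROBE_URL = "/iwa/";

// Return an absolute same-origin http(s) URL, or null for anything else
// (empty input, other hosts, "//host" forms, script URLs, unparsable input).
function safeTarget(target, origin) {
  if (typeof target !== "string" || target === "") return null;
  try {
    const u = new URL(target, origin);
    const web = u.protocol === "http:" || u.protocol === "https:";
    return web && u.origin === origin ? u.href : null;
  } catch (e) {
    return null;
  }
}

// "Granted" here means the probe ended with HTTP 200 on the probe path
// itself, not on a login or error page reached through a redirect.
function probeGranted(status, responseURL, origin) {
  if (status !== 200 || !responseURL) return false;
  const u = new URL(responseURL, origin);
  return u.origin === origin && u.pathname === IWA_PROBE_URL;
}

// env is injectable for testing; in the browser it defaults to the real objects.
function redirectOnIWA(target, env) {
  env = env || { XHR: XMLHttpRequest, location: window.location };
  const origin = env.location.origin;
  const dest = safeTarget(target, origin);
  if (dest === null) return; // untrusted target: stay on the form
  const xhr = new env.XHR();
  xhr.open("GET", IWA_PROBE_URL, true); // async, so the form keeps loading
  xhr.timeout = 3000; // ms; give up quietly if the probe stalls
  xhr.onload = function () {
    if (probeGranted(xhr.status, xhr.responseURL, origin)) {
      env.location.replace(dest); // replace() keeps login.fcc out of history
    }
  };
  // No onerror/ontimeout handlers: on 401, network error or timeout
  // nothing happens and login.fcc continues loading as the fallback.
  xhr.send();
}
```

The same-origin check on the target keeps a tampered TARGET value from turning the login page into an open redirect; relax it to an explicit allow-list if your protected applications live on other hosts.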


  • 5.  RE: IWA Fallback to Forms on Access Gateway - Browser Pop-up

    Posted Aug 20, 2020 12:27 PM
    Hi Camil,

    Thank you for that suggestion and the details. I will see if that works for us.

    Thanks,
    Michael