Idea Details

IWA Login with Forms Fallback

Last activity 06-13-2019 10:05 AM
Shinoy Cherayil's profile image
04-14-2014 10:02 AM

The current functionality for windows authentication scheme works great if users are always within the intranet and you have a different resource for external access configured for forms login.

It would be great if CA would have an OOB funtionality for IWA/Windows authentication scheme that fails back to forms authentication scheme if IWA fails so that each customer have their own way of implementing this.


Comments

05-23-2018 08:35 AM

We raised a case with CA and got the development fix for make IWA to fallback without windows pop-up in-case negotiation of authorization header fails.

 

so now our IWA solution works for both internet and ios/android. And this is without pop-up by redirecting request to login form.

 

As a fix we got new SPS and HTTP DLL file.

 

thanks!Alok

03-02-2018 03:51 PM

Hi Alok - just probing your problem statement above - if the user is flagged as must-change-pwd or disabled, shouldn't they also be prevented from signing into Windows? It sounds like there is a missing provisioning link or AD integration between the password state as understood by SSO and by AD.

 

Vipul Kaneriya - the IWA+Fallback solution that IDFC has written uses a combination of IP whitelists and browser type/OS to prevent the IWA challenge from ever occurring for unsupported places/platforms. And when those requests go to forms instead of IWA then the normal auth scheme processes and handles the disabled values properly.

 

Best regards,

 

Richard

03-02-2018 02:31 PM

Yes I did, CA support replied "IWA Fallback to Forms is working as design". So I guess if we really want to cover above scenario CA should redesign IWA Fallback to Forms feature.

02-05-2018 09:57 AM

I suggest you open up a support ticket and work with our support team.  They will likely need to look at logs to determine why it is not working as you have it configured.

02-03-2018 07:32 AM

Thanks for the reply Alok, 

Above reported functionality which we have in the intranet. 

We have another mobile app which is custom, in which we are also sending username/password in basic authorization header before user challenges, it's working fine with it. But the problem with native iOS app.

Now I'm confused how this IWA works. IWA falls back to Form when AG detects that device doesn't support for the Windows authentication? or it falls back to Form when IWA failed to collect the user creds from the device???

 

I don't know how can proceed with it. Can we expect fix in next release?

02-02-2018 11:57 PM

This is not working in our environment as well. We also have the same setup what has been mentioned above but some how when we are hitting the URL from internet it is throwing windows pop-up at .ntc context. Here we have to present the credential before getting the login page so yes the whole idea is not working as it has been claimed.

 

Thanks! Alok

02-02-2018 03:37 PM

Dear Gents, For me this IWA fallback to Form feature is not working as expected.

My customer has SAP Netware Gateway protected with SSO as IDP. This is working from Desktop using IWA authentication like a charm.

But customer using an iOS native mobile app to access this SAP resources, in this case, iOS app directly hit sp initiated URL when user open hit. as a result, the user seeing an 'Authentication Required' pop up message since iOS doesn't support for IWA. If the user clicks on 'OK' button in that pop-up without passing credentials then displaying the Form-based login page. This particular iOS app is a native app and downloadable from the apple store. so the customer don't want to customize this anyway. How can we achieve this? appreciate your advice. 

 

We have CA SSO 12.7 Policy server and CA AG 12.70.0000.1194.

01-30-2018 07:28 AM

In IWA implementation from CA there is a limitation in all the cases, meaning only IWA, IWA - Kerberos or IWA auth chaining.

It is able to handle most of the disable flag without any issue but failing for two cases.

working as expected for 1, 2, 16777217

not working for password expired or 8 and 16777216.

 

I have raised a case with CA and the response what I got is not satisfying. According to them in IWA, SSO is not checking for password so in case where user disable flag is 8 or 16777216 user is allowed to get into application.

 

Now my confusion is how they are handling flag like 1, 2, 16777217. In that case also SSO is not getting password but some how after done with IWA validation disable flag is getting checked and accordingly user is getting redirected to user blocked/disabled page.

 

Not handling of 16777216 causing security challenges for SSO. Lets say there is a user who just got created by the identity management system so value of disable flag will be 16777216. Now in next instant itself user is trying to access IWA enabled SSO application so user will not be prompted for change of password and hence security vulnerability introduced.

Similar security challenge exist for 8 as well.

 

We need CA engineer to have same logic as they have done for other flag like  1, 2, 16777217 and accordingly trigger the page.

 

Thanks! Alok

10-05-2017 04:01 PM

Vipul,

 

Have you worked with our support organization on this problem?  Yes the browser must be setup to provide windows authentication, but the fallback should work as expected.  NOTE that windwos authentication needs to be configured through the gateway and not an IIS webserver.  

10-04-2017 03:45 PM

I tested this feature "IWA Login with Forms Fallback". it only works if your browser is setup correctly as per this article (How to configure supported browsers for Kerberos and NTLM ). But in real world scenario user who try to access SiteMinder protected resources from outside company network they get "Authentication Required" popup if fails to authenticate via IWA instead of HTML form.

 

I would like to see this feature work even in case of browser not configured or user access resource from Mobile device or from Mac OS IWA should falls to HTML form not "Authentication Required" popup.

02-23-2017 10:50 AM

Hi...in the validation program are "forums"...sort of folders for specific topics....one of the folders is titled" Authentication Chaining for IWA Fallback".  In that forum if you filter on "ALl Topics"  & "Any Time" you will see the entry for the demo.   If you still can't find just make another entry here..thx.

02-23-2017 10:44 AM

It appears this demo has been removed.

We are trying to customize the 401 response from the IIS server when the user attempts to access a IWA protected resource but are having trouble getting this to work. Can you provide any detail on how this feature will work and what release you are referring to?

 

Thanks,
-Scott

02-23-2017 10:40 AM

I have access to the Single Sign On project, but the only entry I see is the "SSO 12.7 Build 1098 - Linux" entry.  Is there anything else we need to do to get additional access to see this demo?

01-06-2017 09:20 AM

Hello Shinoy,

 

Please register in validate.ca.com for CA Single Sign-On project to gain access to the Demo link.

 

Thanks,

-Vikas.

01-06-2017 08:06 AM

Hi Aaron,

 

I can't access the demo on the validate.ca.com<http://validate.ca.com> site. Is there a direct URL that you can share?

 

Thanks

Shinoy

01-06-2017 07:53 AM

IWA Fallback to Forms is someting our development team is working on.  They have just posted a demo of this functionality that is planned for an upcoming release.  Please watch the demo and comment on the feature on the validate.ca.com site

 

Windows Fallback to Forms Validate Demo

11-15-2016 02:33 AM

Thank you for your contribution of an enhancement idea to the CA Community. CA is continually working to improve its software and services to best meet the needs of its customers. Your input is vital to that effort. The CA Single Sign-On Product Management team has reviewed your suggested enhancement and is pleased to inform you we have decided to incorporate your idea. We are projecting the GA of this idea in 12.7. Thank you for your contribution to the progress of CA Single Sign-On.

 

We came up different approaches to incorporate the suggested feature in the product.  To go ahead with our design in place, we created a poll to get the feedback from you.  Please vote @ User Experience Poll: How do you prefer to configure IWA fallback option  

09-06-2016 02:36 PM

We have moved this into the under review category as we start looking at potential candidates for a future release.

04-06-2016 04:12 PM

No, Forms auth will work fine. The out of the box auth schemes work as expected with federation (SAML). I don't have a link off hand, but CA can provide a custom code package that will provide this functionality to a certain extent. The package is javascript that needs to be setup on an http server; not a policy server integration. I was able to make federation work with IWA failing to Forms (SP init, idp init, encrypted, with relaystate, etc...), but it requires some additional javascript to make it work.

 

I just wanted to point out that it would be a disappointing solution if they just integrated this custom javascript package into the default install.

04-06-2016 04:02 PM

Does this mean I cannot use the CA solution and forms for authenticating IDP initiated SAML?

04-06-2016 03:55 PM

The custom code package that CA will provide on request for this functionality is lacking support for federation redirects. If this request is accepted, support for all scenarios, including federation redirects, should be taken into consideration.

04-06-2016 02:54 PM

Hi Shinoy - IDFC has had this add-on for years now. Take a look:

 

Advanced Desktop Integration | Windows Authentication

04-04-2016 01:44 PM

I wonder the same, hmm, Five Years Ago! There are 10 times clients using this than oauth2. how come oauth schema was implemented first.

03-28-2016 01:21 PM

Yes, we really need this IWA solution to be OOTB instead of maintaining asp or .net code. That reduces some manual effort in maintenance.

03-24-2016 01:54 PM

This would be a great feature to have out of the box in the next release.  We have run into problems with our IWA custom solution and CA will not support custom login forms.   Please add this feature to the next Siteminder release. 

03-24-2016 10:04 AM

I vote for this idea .

 

We use a custom solution however it would be good if CA can come up with OOTB solution for such an important use case.

12-17-2015 09:42 AM

Hi Josh, WISHLIST candidates are ones that have value for customers and we want to continue to hold in our candidate list, but we don’t have committed development plans for.   If we commit to it in a program, we would transition this to a Currently Planned status.   We know by customer votes that this is something they would like, but our current plans do not yet have this as a committed part of our development plan.

12-15-2015 02:31 PM

so if 59 votes only gets something wish listed, what does it take to get CA Product Management  to decide  something  is actually wanted and they should implement it?

10-20-2015 06:07 AM

Thank you for your contribution of an enhancement idea to the CA Community. CA is continually working to improve its software and services to best meet the needs of its customers. Your input is vital to that effort. The CA Single Sign-On Product Management team has reviewed your enhancement suggestion and decided to maintain the idea for possible consideration in a future release. The Community will continue to be able to vote on this enhancement idea.

10-08-2015 09:53 AM

I would like to add some additional information to my previous comment relating to a free solution provided by CA Services.

 

A CA field services architect working with a customer developed the free solution. It is based on ASPs and activeX. The original customer has stopped using it, I think it was because they found some use cases that it didn’t work for them, but I am not sure.

 

CA Services Global Deployment (the team I belong to) only acts as the repository for providing the zip file. We do not provide any installation support or ongoing support.

 

I have never installed or used it.

 

If the free solution from CA Services doesn't meet your needs, there are two other solutions that you could implement yourself if you have some javascript and JSP/ASP development experience:

 

If you really need failover, then to achieve this failover function client side coding on the browser side is required. Behind the scene, hidden client code (jquery, ajax or old active/DOM) will query a URL protected by IWA/Kerberos, and if the query is successful, we proceed with the SiteMinder IWA/Kerberos authentication; if that query fails, the client side code redirects the browser to the Form authentication.

 

If the real requirement is to let internal user’s login with IWA, but have external users login with HTML Forms Auth, another possible solution you could implement is:

Use HTML Forms Auth as the method protecting the resources, but use a JSP/ASP/PHP/Servlet etc to display the login form, and include logic that tests for the internal IP Addresses you use (192.168.x.x, 10.x.x.x, etc) and if an internal IP address is detected, redirect to a “helper” realm that is protected with IWA, otherwise display the HTML Form Login Page.

The "helper" realm should be protecting a simple redirect script that will redirect the user to their original TARGET resource once the user is authenticated and authorized. Note that this solution does not provide failover if for some reason an internal user fails IWA authentication. If an internal user fails IWA authentication they will be prompted for BASIC auth credentials by their browser.

 

One more tip. For IWA you normally need at least one pair of IIS web servers in your infrastructure to perform the actual IWA (SPNEGO) authentication to an AD Domain controller. There are two alternatives now: The CA SSO Secure Proxy Server has been enhanced to perform IWA without the need of IIS web servers in the infrastructure. There is an Apache plugin that can also perform IWA.

03-30-2015 12:43 PM

06-30-2014 04:35 PM

I agree that it would be nice to have solution to this issue built into SiteMinder. But in the meantime, there is a no cost solution provided by CA Services if you need it.

(Updated 1/17/2017)...

 

It has been announced that this capability will be built into the Web Access Gateway (aka SPS) component of CA SSO in an upcoming release.

 

In the meantime ....

 

The ASP/activeX based IWA Failover to Forms solution can be downloaded from

https://communities.ca.com/servlet/JiveServlet/download/99217046-47762/winforms%20select%20auth%201.2.zip 

Note that although the name of the zip file is different, it is the same solution as IWA_Failover_To_Forms.

 

The above solution is provided free of charge, as a community provided solution, with no guarantee that it will work, and it does not come with any support from CA. It is not part of the CA SSO product or any CA Services offering.

06-30-2014 04:28 PM

Thank you for your contribution of an enhancement idea to the CA Community.   CA is continually working to improve its software and services to best meet the needs of its customers.  Your input is vital to that effort.  CA’s Product Management team has reviewed your enhancement suggestion and has decided to maintain your suggested enhancement as a candidate for a future release.   We are asking the Community to continue to offer votes for this suggested enhancement until September 30, 2014.   On that date we will take the suggested enhancements with the highest vote total and determine which of these can move from an “Under Review” to “Planned”.

04-18-2014 01:38 PM

Shinoy, it's such a common request... I hope they take this and implement it. would be nice to have an OOTB solution.

04-14-2014 10:05 AM

I meant to say every customer has a standard way of implementing this.