I am using 2FA with a concatenated Domain Password and OTP.
I hope to be able to use this token to connect through a 4500FIPS to Outlook Web Access using Single Sign On.
The connection through the SA works OK, but when it comes to the Outlook SSO, because the submitted password contains the Domain Password AND the OTP, the password is not valid in Outlook.
Is there a way I can split the password in the Autopolicy: Single Sign On using simple code like Left(PASSWORD,6) or something similar?
Any help would be appreciated
You can create a custom variable based on the username attribute using regmatch. You do this in the server catalog. Once you create the custom variable you can use it in your SSO policy for the password entry. The problem you are going to have is coming up with a regular expression that matches everything except the last 6 digits in the string, assuming your passwords are not all the same length. When I've had to use this in the past there has always been a @ or \ that separated the two pieces so it was simple to create the expression.
Can you give me an example of what a password looks like and what type of SSO are you doing? We've had to do some similar things for customers.
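The split the answer above describes, as an added example that is not from the original thread and not Juniper's own code: a Python check of a regular expression that captures everything before a trailing six-digit OTP, so the captured group can be used as the password entry in the SSO policy. The server catalog's regmatch syntax is not shown on this page, so the pattern is written in standard regular-expression syntax (an assumption), the OTP is assumed to be exactly six digits as in the thread's example, and the sample passwords are constructed.

```python
import re

# Anchored pattern (fullmatch): group 1 is everything up to the last six characters,
# group 2 is the six-digit OTP. The greedy (.+) backtracks until \d{6} fits at the
# very end, so an AD password that itself ends in digits is still split correctly.
# Assumption: the OTP is always exactly six digits, as in the thread's example.
OTP_SPLIT = re.compile(r"(.+)(\d{6})")


def split_password(submitted: str):
    """Return (ad_password, otp) from a concatenated 'Password123456' string.

    Returns None when the submitted value does not end in six digits or would
    leave an empty AD password, so the caller can fall back to the full value
    rather than send a wrong credential to OWA.
    """
    m = OTP_SPLIT.fullmatch(submitted)
    if m is None:
        return None
    return m.group(1), m.group(2)


if __name__ == "__main__":
    # Constructed sample inputs, not real credentials.
    samples = [
        "Password123456",   # plain case from the thread
        "Pass2019123456",   # AD password that ends in digits
        "P@ss\\word654321",  # punctuation and backslash in the AD password
        "Password12345",    # OTP too short: no match
        "123456",           # nothing left for the AD password: no match
    ]
    for sample in samples:
        print(repr(sample), "->", split_password(sample))
```

The important property is the anchoring at both ends: without it a pattern can match the first six digits that happen to appear inside the AD password instead of the OTP at the end.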
This would not work as we support the <password> variable.
Use OTP for primary authentication and AD/LDAP for secondary authentication.
You can then use <password> in the SSO parameters.
Thanks for the reply.
This is essentially what Juniper support said.
I currently have your suggested setup installed and it is working fine.
It's just that users have to enter their password & OTP and then the same password again.
It's functional, it's just not pretty, and management aren't keen on it.
AD password = Password
OTP = 123456
So the concatenated password is "Password123456"
The Juniper logon expects "Password123456"
The OWA SSO is expecting just "Password"
I am using a Remote SSO with the following variables
Destination <OWA URL>
flags 0