
Custom sign-in page with 2 factor authentication.

Billy_
Occasional Contributor

Hi guys.~~

I'm trying to design a custom sign-in page on an SA device with two-factor authentication.
The primary authentication server is AD; the secondary is RSA.
Users have to input their credentials (for both the primary and secondary servers) on a single custom sign-in page.

Question.
1. How can I submit the secondary username and password using a JavaScript function?
The following example is JavaScript for single authentication.
------------------------------------------------------------------------
function sendit() {
document.frmLogin.submit();
Login();
}
function Login() {
return true;
}
.
.
.
<form name="frmLogin" action=login.cgi method="POST" ......
<input type=text id=txt_id name="username" class="textbox" ....
<input type=password id=txt_pass name="password" class="textbox" ...
------------------------------------------------------------------------

2. I'll display authentication failure messages on the custom sign-in page based on "LoginPageErrorCode".
But it seems the IVE returns the same error code whichever of the primary or secondary authentication fails.
It means I don't know which of the primary and secondary authentication has failed.
Is there any solution for separating the error codes of primary and secondary authentication?

3. As I read in the document "Custom Sign-In Pages Solution Guide", there are a lot of login error codes.
I wonder whether the following error codes are returned when we use AD and RSA.
1002 : Invalid Username or Password
1012 : The password is too short
1022 : Account Locked Out
1023 : Account Expired


Thanks..

kenlars_
Super Contributor

Re: Custom sign-in page with 2 factor authentication.

Names of the secondary authentication username and password are -

user#2

password#2

You can see an example of a page by setting the sign-in page to the default page, and then viewing the source for that page. What I would suggest is that you try every combination of login success and the two types of failures and see what is happening in a policy trace. You may find that you can use the values populated in some variables (or the lack of their being populated) as an indicator of what happened.

For example, I believe that if you turn off "End session if authentication against this server fails" for your secondary auth server, the values which would have been populated from that logon if it succeeded are not populated if it fails. I don't use ACE for any authentication, so I don't know what that value might be.

So, if you find something like this, you could test for it in role-mapping, and then not assign a role to it. The logon would then get denied for no roles, and you could modify this message to say that the ACE authentication failed.

Anyway, I encourage you to experiment with policy tracing turned on, and look for possibilities. I'm guessing you'll discover some differences between the three cases with which you are concerned - success on both authentications, primary succeeds and secondary fails, or primary fails. I do not think you'll be able to distinguish the case where the primary fails and the secondary succeeds from the one where both fail. But, even with that, you're a lot further along...

Ken
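
As an added example (not code from either poster or from the vendor's default page): a `sendit()` that reads all four fields by the names given in this thread, checks none is empty, and submits once. The form name `frmLogin` and action `login.cgi` are from the question; the helper names are hypothetical, and any other fields the default sign-in page's source contains are not covered here.

```javascript
// Field names as given in the thread: "username"/"password" (question)
// and "user#2"/"password#2" (reply).
const FIELD_NAMES = ["username", "password", "user#2", "password#2"];

// Read the four values from a form. "#" is not valid in dot notation or in an
// unescaped CSS selector, so fields are looked up by name with bracket access.
function readCredentials(form) {
  const values = {};
  for (const name of FIELD_NAMES) {
    const el = form.elements[name];
    values[name] = el ? String(el.value) : "";
  }
  return values;
}

// Names of fields that are empty, so the page can prompt before posting.
// Usernames are trimmed for the check; passwords are left exactly as typed.
function missingFields(values) {
  return FIELD_NAMES.filter((name) => {
    const v = values[name] || "";
    return (name.startsWith("password") ? v : v.trim()) === "";
  });
}

// The application/x-www-form-urlencoded body a browser sends for this form.
// "#" in a field name goes on the wire as "%23"; URLSearchParams handles it.
function encodeLoginBody(values) {
  const params = new URLSearchParams();
  for (const name of FIELD_NAMES) params.append(name, values[name]);
  return params.toString();
}

// Replacement for the question's sendit(): validate first, then submit once.
function sendit(form) {
  const missing = missingFields(readCredentials(form));
  if (missing.length > 0) return { submitted: false, missing };
  form.submit();
  return { submitted: true, missing: [] };
}

// In the page (assumed markup): inputs named "user#2" and "password#2" inside
// <form name="frmLogin" action="login.cgi" method="POST">, with the button
// calling sendit(document.frmLogin).
```

Because the form is submitted natively, the browser encodes the `#` in the field names itself; `encodeLoginBody` only shows what that request body looks like when comparing against a captured login request.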