Re: SSO How-To

DM · ‎06-28-2019

Hi,

I try to get started with SSO on Pulse Connect Secure. I asked Pulse Support for a How-To but they say I have to collect Fiddler logs, send them to Pulse and they can configure SSO.

Is there really no How-To available?

If there is no How-To, how can I get started anyway?

flipPipe · ‎06-28-2019

Hi,

There are many ways to do SSO (kerberos, ntlm, form post, saml).

If you explain your use case, probably the community will be able to help.

zanyterp · ‎06-28-2019

as @flipPipe indicated, there are lots of ways to do SSO and each has its own configuration requirement.
the admin guide goes through a high level of what is needed; specifics tend to require the dsrecord (session recording).

DM · ‎07-01-2019

We have several web applications we want to use in combination with kerberos e.g. standard applications like Outlook Web Access or web applications developed by ourselves.

But I don't really know how to get started.

zanyterp · ‎07-01-2019

thank you for the update, @DM.
for OWA, using the resource profile option _should_ let you configure what is needed by enabling the SSO option.
for others, filling out the required information at Users>Resource Policies>Web>SSO>General
and then applying the proper behavior at
Users>Resource Policies>Web>SSO>Basic/NLTM/Kerberos
should be a good start
The admin guide has good examples on how to configure each item
If you are using form POST, the largest concern is if you have dynamic values that are required as those cannot be sent and will not work
for more specifics, i would recommend working with support once you have the configuration in place and can walk them through what is configured and what is not working

DM · ‎07-02-2019

Thank you for your reply @zanyterp.

I am trying to configure the Users>Resource Policies>Web>SSO>General but I am not sure about doing it correctly.

Like our OWA supports Basic Auth (starting with that before trying kerberos or NTLM). So I tried it with Basic with System credentials and Variable credentials using <USERNAME> and <PASSWORD> so the primary credentials will be used to log in to OWA but I still get the log in page instead of getting logged in by the system.

I feel like I'm missing something but cannot put the finger on it.

Bonnie0383 · ‎07-02-2019

9apps wrote:
Thank you for your reply @zanyterp.

I am trying to configure the Users>Resource Policies>Web>SSO>General but I am not sure about doing it correctly.

Like our OWA supports Basic Auth (starting with that before trying kerberos or NTLM). So I tried it with Basic with System credentials and Variable credentials using <USERNAME> and <PASSWORD> so the primary credentials will be used to log in to OWA but I still get the log in page instead of getting logged in by the system.
I feel like I'm missing something but cannot put the finger on it.

We have several web applications we want to use in combination with kerberos e.g. standard applications like Outlook Web Access or web applications developed by ourselves.

zanyterp · ‎07-03-2019

You are welcome, @DM
based on your comment, you may have dual authentication going on, if that is correct, please be sure to specify you are using/wanting to use <username[1]> and <password[1]>
how do you login to OWA (just username, [email protected], domain\user)? have you created the username template to match?

DM · ‎07-03-2019

Thank you for the advice about <username[1]>.

Just to make sure [1] is the primary credential set or is it [0]?

I've managed to configure SSO for OWA via POST by creating a new Web Application Resource Profile with Type "Microsoft OWA 2016".

Enabling "Remote SSO" with "servername.tld:443/owa" as Resource and "servername.tld:443/owa/auth.owa" as Post URL.

I wonder if I can do it similar with NTLM but I'm kinda lost about that.

zanyterp · ‎07-04-2019

yup, you are correct: [1] is the primary credential; you would use [2] if you wanted the secondary
glad to hear the POST is working successfully
NTLM for OWA or NTLM on another web app?