I don't recall exactly what didn't function correctly, but I found that, functionally, RSA as primary and AD as SSO seemed to work in all situations for me.
dmw, I am now getting started trying to deploy this type of SSO scenario and had another question.
The RSA auth that you use for primary authentication, I assume, is set up for two-factor auth and not passwords, correct?
Also, regarding the secondary auth server that you have defined via Kerberos AD: how do you handle a predicament where you have multiple AD servers that these users will be going to, such as Devl, QC & Production environments?
Thanks for your input,
Jhagdak
I have tried setting this up and get the following via a Policy Trace that is attached.
Also, you mentioned "In the expression builder you can use [email protected]{AD_SSO} to perform the checks against the SSO user".
Is the [email protected]{AD_SSO} referencing the NTLM?
I have set up NTLM as per below, placed in my expression: [email protected]{TEST_SSO}
TEST_SSO WEB VARIABLE <USER[2]> <PASSWORD[2]>
From the policy trace output I'm guessing you have configured, under Realm > Additional Auth Server > Predefined as: "<USER[2]>".
This will not work, because at this stage USER[2] has no value. The variable <USER[2]> can only be used in role mapping, SSO, etc., not during the initial login.
If your AD username and RSA username are the same, then change this to <USER> or select the option 'specified by user on sign-in page'.
I have set up <USER> as you mentioned, since they are the same, and have set up the secondary auth server with <PASSWORD[2]>. This user is in AD and has been verified.
I am getting the following when I do a Policy Trace:
Authentication successful to auth server "RSA SecurID"
- Getting directory information from auth server "authorization_RSA SecurID"
- Retrieved directory information from auth server "authorization_RSA SecurID"
- Generated secondary user name using template <USER>: "tch-515-test"
- Generated secondary password using template <PASSWORD[2]>: "<hidden>"
- Attempting to authenticate user "tch-515-test" with auth server "AD_SSO"
-NTLogin(192.168.90.12, WEB\tch-515-test, WEB, iveuser, no, , yes, 1, 6, TEST IVE Computers)
-Either username or password is empty. NTLogin done.
-tch-515-test(RSA SecurID)[] - Sign-in rejected using auth server AD_SSO (Samba). Reason: ConnectError
-tch-515-test(Admin Users)[.Administrators] - tch-515-hagen:RSA SecurID - Policy Tracing turned off
I have set up a separate realm to test the secondary authentication to the AD server directly, and I get authenticated, so I know the user is being validated in AD. I am at a point where the secondary auth is failing when it does the AD lookup, it seems, and I cannot figure out why. I have made some changes to the config on the IVE to no avail.
Could it be the application itself not sending a response back to the IVE when credentials are being passed?
Thanks
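As an added example that is not part of this thread, here is a small Python helper that parses an IVE policy trace like the one quoted above and maps it to the misconfigurations discussed in the replies (a <USER[2]> template at initial sign-in, an empty credential at NTLogin, and the rejection reason). The sample trace is constructed from the lines in this thread, and the function names are my own.

```python
import re

# Constructed sample modelled on the policy trace quoted in this thread; not a real capture.
SAMPLE_TRACE = r'''Authentication successful to auth server "RSA SecurID"
- Generated secondary user name using template <USER>: "tch-515-test"
- Generated secondary password using template <PASSWORD[2]>: "<hidden>"
- Attempting to authenticate user "tch-515-test" with auth server "AD_SSO"
-NTLogin(192.168.90.12, WEB\tch-515-test, WEB, iveuser, no, , yes, 1, 6, TEST IVE Computers)
-Either username or password is empty. NTLogin done.
-tch-515-test(RSA SecurID)[] - Sign-in rejected using auth server AD_SSO (Samba). Reason: ConnectError
'''
PRIMARY_RE = re.compile(r'Authentication successful to auth server "([^"]+)"')
TEMPLATE_RE = re.compile(r'Generated secondary (user name|password) using template (<[^>]+>): "([^"]*)"')
SECONDARY_RE = re.compile(r'with auth server "([^"]+)"')
REJECT_RE = re.compile(r'Sign-in rejected using auth server (\S+).*Reason: (\w+)')

def parse_policy_trace(text):
    """Pull the primary/secondary auth facts out of an IVE policy trace."""
    info = {"primary": None, "secondary": None, "templates": {},
            "empty_credential": False, "reject_reason": None}
    for line in text.splitlines():
        for key, rx in (("primary", PRIMARY_RE), ("secondary", SECONDARY_RE)):
            m = rx.search(line)
            if m:
                info[key] = m.group(1)
        m = TEMPLATE_RE.search(line)  # which variable produced the secondary username/password
        if m:
            info["templates"][m.group(1)] = m.group(2)
        m = REJECT_RE.search(line)
        if m:
            info["reject_reason"] = m.group(2)
        if "Either username or password is empty" in line:
            info["empty_credential"] = True
    return info

def diagnose(info):
    """Map the parsed facts to the misconfigurations discussed in the thread."""
    findings = []
    if "[2]" in info["templates"].get("user name", ""):
        findings.append("secondary username template uses <USER[2]>, which has no value at "
                        "initial sign-in; use <USER> or 'specified by user on sign-in page'")
    if info["empty_credential"]:
        findings.append("NTLogin saw an empty username or password: check the realm's "
                        "Additional Auth Server username/password settings")
    if info["reject_reason"]:
        findings.append("secondary server %s rejected sign-in: %s" % (info["secondary"], info["reject_reason"]))
    return findings
```

Running `diagnose(parse_policy_trace(SAMPLE_TRACE))` on the constructed trace reports the empty-credential NTLogin and the AD_SSO ConnectError rejection.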
Hi,
You can set up SSO with RSA using version 6.4 of SSL VPN.
In version 6.4 you can configure Kerberos Constrained Delegation (KCD).
So when the user logs in to the SSL VPN, they only enter a username and RSA token. There is NO second auth server.
When the user logs in to the SSL VPN with RSA credentials and then wants to access a certain resource (clicks on a bookmark), KCD creates a ticket between the SSL VPN and AD. This ticket is used so that the user can log in to their resource without typing in user credentials again.
The SSL VPN and AD must use the same NTP source. The difference could be at least 2 min.
In the RSA server you need to assign tokens to users that are in the AD server.
This functionality with KCD is really good.
I ended up defining a Form Post with the previous config and defining the variables needed to access our apps.
This thread started with my posting about the use of KCD, and I will most likely go with this once we upgrade our IVEs to that version of code. In your KCD deployment are you doing any Form Post with your apps?
You can use Resource Profiles or Resource Policies when you configure KCD.
If you use Resource Profiles (Web apps), you need to enable "Autopolicy: Single Sign-on" and select Constrained Delegation, where you define your Resource and Credentials.
If you use Resource Policies -> Web -> SSO -> Kerberos/NTLM/Basic Auth, you need to select Constrained Delegation in the "Action" and define Credentials.
Before that you need to set up Kerberos SSO Settings. Select Resource Policies -> Web -> SSO -> General -> Kerberos SSO Settings. There you define the server resource and the user for KCD authentication (you have to create it in your AD server).
You also have to enable some settings on your server (I use Microsoft Windows 2003 Server).
You can also use a Form Post with your apps.
I tested this with OWA 2003 and some Web pages that need authentication.
This works really well. You can use Oracle OAAM, RSA, or Certificates to authenticate users. Users do not need to type their domain password.