
Secondary authentication question

vanierfi_
New Contributor

Secondary authentication question

Hi,

We use primary and secondary authentication. Is it possible using a custom secondary auth page to retrieve the primary username and have it filled in automatically in the secondary username box?

thanks

10 REPLIES
muttbarker_
Valued Contributor

Re: Secondary authentication question

On your Realm General page when you define the "additional authentication server" if you select "predefined as" and then put the appropriate value in the field it should automatically pull it.

This works just fine. In my demo system I have several scenarios including pulling email address from my Auth1 source and using it as my Auth2 username.

Also why are you using the % variable?





Kevin Barker
JNCIP-SEC
JNCIS-ENT, FWV, SSL, WLAN
JNCIA-ER, EX, IDP, UAC, WX
Juniper Networks Certified Instructor
Juniper Networks Ambassador

Juniper Elite Reseller
J-Partner Service Specialist - Implementation

If this worked for you please flag my post as an "Accepted Solution" so others can benefit. A kudo would be cool if you think I earned it.
muttbarker_
Valued Contributor

Re: Secondary authentication question

No problem - simply use a variable to pass the primary username to the secondary field. <username> will pass the primary authentication value over.
mcyprus_
Occasional Contributor

Re: Secondary authentication question

Can someone post an example of how to make LoginPage.thtml ONLY prompt for the primary username and password, and allow the SecondaryLoginPage to prompt for the secondary password? I've tried modifying the <% FOREACH prompt = prompts %> code but still end up with boxes for secondary auth on the primary page.
muttbarker_
Valued Contributor

Re: Secondary authentication question

Hey MC - why do you want to do that with HTML coding? The realm/page definition supports that natively. Just set the page up to prompt for the second set of credentials on the 2nd page and then on the realm definition use the predefined variable to pass the first login name over. Or am I just not understanding you correctly?

vanierfi_
New Contributor

Re: Secondary authentication question

If I select the options as presented in the screenshot, will the username be auto filled in? Or can the user change this username? In my experience I think the username textbox will also be presented.

screenshot attached

muttbarker_
Valued Contributor

Re: Secondary authentication question

Not in this case. By selecting "predefined as" the only option presented to the user on the 2nd page will be the password option, which ties back to your second authentication method. The username field does not even display.

So you should be able to accomplish your objective 100%.

Message Edited by muttbarker on 01-15-2009 08:25 AM
vanierfi_
New Contributor

Re: Secondary authentication question

Kevin,

Thank you, I will test this in a lab setup and notify you about the result.

vanierfi_
New Contributor

Re: Secondary authentication question

Kevin,

Can you also use an attribute as a system variable? Assuming the attribute userAttr.AD_ACCOUNT is returned by the primary auth server, can this attribute be used as a system variable? If yes, I would like to use the attribute as a predefined username on the secondary auth page.

muttbarker_
Valued Contributor

Re: Secondary authentication question

The short answer is yes, as long as the secondary attribute you want to use is available as a result of the primary authentication. As an example I have a setup where LDAP is used against an AD Server. Primary authentication is done with user name.

Secondary authentication can then be done with another attribute that will match to your secondary auth server. So in my test setup I have an auth server that uses LDAP email address. So I pass the <userAttr.Mail> in the additional auth server variable field and it works fine.