We are trying to create a landing page for some external partners. On that landing page we want to include both internal and external (internet) resources. So far so good. One of those external resources we'd like to pass the current user ID to as an HTTP POST. Seems possible. Just can't get it to work.
Opened a ticket. Not sure if JTAC understands us and we them. Thought I'd ask here since you guys seem to know these things really, really well.
Here is what we've done so far:
Added external fqdn to System | Network | Overview | DNS Domains (read a juniper tech doc saying it was needed)
Created a Web App Resource Profile with Single Sign-on
SSO defined as Remote SSO | POST the following data.
Example URL w/forms parameters that works when going direct (not through SSL VPN)
What we are seeing - SSL VPN never passes POST name / value
We are running 7.2 R3 code. Thanks!
This should work.
Please attach an HTTP watch taken with version 7 or less for the direct access without going through SA
Just to make sure, the SA is rewriting the external resource, correct? I can't imagine you could do a SSO form POST to a resource which was not being rewritten.
These are the values I found
I am not sure which is your domain username which you want to pass as a variable <username>
What about j_idt9 and j_idt9:j_idt12 , are these static values or dynamic values?
For the viewstate, I guess you can put the value as found in the http watch though it might be dynamic
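The static-versus-dynamic question above is the one that decides whether a fixed Remote SSO POST template can work at all. The following script is an added example written for this thread, not anything from the original posts or from Juniper: it takes two constructed captures of the same form (the kind of data an HTTP watch of a direct login would give you), reports which fields keep the same value across visits and which change, and builds a name/value template in which the assumed placeholder `<username>` stands in for the field to be filled with the user's name. The field names `j_idt9` and `j_idt9:j_idt12` are the ones from the thread; `javax.faces.ViewState`, the sample values, and the `<username>` token are assumptions for illustration.

```python
from urllib.parse import parse_qsl, urlencode

# Constructed sample data: two POST bodies of the same external form, captured on
# two separate direct visits. Field names j_idt9 / j_idt9:j_idt12 follow the thread;
# the ViewState field name and all values are made up for this example.
CAPTURE_1 = ("j_idt9=j_idt9&j_idt9%3Aj_idt12=jdoe"
             "&javax.faces.ViewState=-1234567890123456789%3A987654321"
             "&j_idt9%3Aj_idt14=Login")
CAPTURE_2 = ("j_idt9=j_idt9&j_idt9%3Aj_idt12=jdoe"
             "&javax.faces.ViewState=-3344556677889900112%3A11223344"
             "&j_idt9%3Aj_idt14=Login")

# Placeholder that the SSO engine is assumed to substitute at submit time.
USERNAME_TOKEN = "<username>"


def parse_form(body):
    """Decode an application/x-www-form-urlencoded body into a name -> value dict."""
    return dict(parse_qsl(body, keep_blank_values=True))


def classify_fields(captures):
    """Compare several captures of one form and split the field names into
    (static, dynamic): static fields carry the same value in every capture,
    dynamic ones differ between visits and cannot be hard-coded in a template."""
    forms = [parse_form(c) for c in captures]
    names = set().union(*forms)
    static, dynamic = [], []
    for name in sorted(names):
        values = {form.get(name) for form in forms}
        (static if len(values) == 1 else dynamic).append(name)
    return static, dynamic


def build_post_template(captures, username_field):
    """Build the name -> value template to configure: static fields keep their
    captured value, the username field gets the <username> token, and dynamic
    fields are returned separately so the admin knows the template is incomplete."""
    static, dynamic = classify_fields(captures)
    sample = parse_form(captures[0])
    template = {}
    for name in static:
        template[name] = USERNAME_TOKEN if name == username_field else sample[name]
    # The username field is template-worthy even if every capture used the same login.
    template.setdefault(username_field, USERNAME_TOKEN)
    return template, dynamic


def render_post(template, user):
    """Render the template for one user the way a form POST would be encoded."""
    return urlencode({k: (user if v == USERNAME_TOKEN else v)
                      for k, v in template.items()})


if __name__ == "__main__":
    template, dynamic = build_post_template([CAPTURE_1, CAPTURE_2], "j_idt9:j_idt12")
    for name, value in template.items():
        print(f"POST {name} = {value}")
    for name in dynamic:
        print(f"WARNING: {name} changes per visit; a static SSO template cannot supply it")
    print(render_post(template, "alice"))
```

If the dynamic list is non-empty, as it is here for the ViewState field, a POST built purely from fixed values will be rejected by the application regardless of how the SA is configured, which is worth establishing from the HTTP watch before spending more time on the appliance side.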
j_idt9:j_idt12 would be what we'd want to pass the username to. Not sure what the other values even are.
So what would the setup of this look like?
I can't imagine that you can do a form post without rewriting the page. It might depend on whether rewriting policies are applied before form post policies. Can someone more knowledgeable give us a definitive answer on this point?
Does the load of the page when rewritten fail because you do not have a proxy server and proxy policies defined? The only way to get an external page rewritten is for the SA to be able to fetch it through the internal interface of the appliance. At least in my network, the only way to do that is to go outbound through a proxy.