Siteminder SSO

    Question

  • Hi all,

    I'm porting over my SharePoint site from IAG, which uses SiteMinder to authenticate. We had someone write some custom code to handle the SiteMinder token. Can I copy the custom inc file and the <trunkname>1postpostvalidate.inc file to the proper locations on the UAG and expect it to work the same way, or will these inc files need to be rewritten?

    Thanks,

    Bill

    Monday, August 1, 2011 15:29

Answers

  • Hi Bill,

    The file names and the UAG functions you are calling haven't changed since IAG.

    The way it pre-authenticates your users using a custom repository is still possible.

    The way it adds a second session user based on provided credentials is still possible.

    The way the repository.inc and postpostvalidate.inc communicate is still possible.

    Using WinHTTP 5 to fetch the logon cookies is a little bit outdated, but it should still work on Win2008. (But I don't have any experience with v5 under Win2k8^^)

    Pushing the fetched logon cookie to the client is still possible.

    So I bet that you would most likely be able to reuse this code in UAG. But keep in mind that the SiteMinder and Domain repository have to match the name values referenced in the scripts.

    -Kai

     



    Monday, August 1, 2011 20:48

All replies

  • Hi Bill,

    The differences between the IAG and UAG authentication hooks aren't that big. So the chances are very high that those custom incs will still work for you after migration.

    To be sure, you could post your specific SiteMinder code so that we can judge if changes are needed.

    -Kai

    Monday, August 1, 2011 15:35
  • Hi Kai,

    I have posted the authentication group file for SiteMinder and the <trunkname>postpostvalidate.inc file below. Both are currently in the \InternalSite\inc\customupdate folder.

    Thanks,

    Bill

     

    ****Authentication Group.inc****

    <%

     Set WinHttpReq = Server.CreateObject("WinHttp.WinHttpRequest.5") ' Create the object


    sub getSiteMinderCookie( )

     
     strUser = user_name
     strPswd = password


     LIGHT_TRACE "Starting SiteMinder Authentication"
        
      
     LoginHost = "sso.company.com"
      
     PostUrl = "/siteminderagent/forms/login.fcc?TARGET=$SM$https://sso.company.com/iag/"
     'AuthenticatedUrl = "/myaccount/"
     AuthenticatedUrl = "/iag/"
     sCookie = ""

     browse "POST", PostUrl, LoginHost, sMailJumpWebsite2, "USER=" & strUser & "&PASSWORD=" & strPswd, goodserver, sResponseData, sCookie

     SMCookieInitial = sCookie
     LIGHT_TRACE "post cookie is" & sCookie
      
     ' Final GET request to obtain final cookie
     browse2 "GET", AuthenticatedUrl, LoginHost, sMailJumpWebsite2, "", goodserver, sResponseData, sCookie

     SMCookieFinal = sCookie
     LIGHT_TRACE "siteminder cookie = " & sCookie

     ' Parsing the cookies to obtain the SMSESSION cookie
     if instr(sCookie,"SMSESSION")>0 then pos1=instr(sCookie,"SMSESSION")
     LIGHT_TRACE "position is" & pos1
    LIGHT_TRACE "mark here 1"
     session("pos1")=pos1
    LIGHT_TRACE "mark here 2"
     session("sCookie")=sCookie
    LIGHT_TRACE "mark here 3"
    End Sub

    '=============================================================================================================================== 
    function AuthenticateRepositoryUser(repository,user_name,password)
     set authenticate_user_out = Server.CreateObject("UserMgrComLayer.AuthenticateUserOut")

     

    ' CAll browse function
    getSiteMinderCookie

    LIGHT_TRACE "mark here"

    ' The following conditional statements added to handle the case of missing or incorrect SSO passwords
    ' In this case, the user will be sent directly to the SSO login page  
     pos1=session("pos1")
     sCookie=session("sCookie")
        IF len(pos1)>0  Then
         E=instr(pos1,sCookie,"; ")
         ' If SMSESSION is the last attribute there is no "; " after it and InStr returns 0,
         ' which would give Mid a negative length; treat end-of-string as the terminator instead.
         If E = 0 Then E = Len(sCookie) + 1
         UG=MID(sCookie,pos1,E-pos1) & "; path=/; domain=.mysite.com"
         session("smsession")=UG
         LIGHT_TRACE "Siteminder cookie UG = " & UG
         ' Setting the session variable with the cookie contents to use in cookie.asp
         setsessionparam g_cookie,"sitemindercookie",UG
         set AuthenticateRepositoryUser2 = AuthenticateUser("domain_name",user_name,password,d,Empty,g_site_name,g_secure)
         
         LIGHT_TRACE "AD return code: " & AuthenticateRepositoryUser2.Success
         ADreturncode = AuthenticateRepositoryUser2.Success
         
         setsessionparam g_cookie,"reposCount", "1"
         setsessionparam g_cookie,"ADreturncode", ADreturncode

         authenticate_user_out.Success = 0
         authenticate_user_out.ErrorCode = sLoginCode
         authenticate_user_out.Handle = 0
         authenticate_user_out.Message = "Authentication Success"
         set AuthenticateRepositoryUser = authenticate_user_out

        Else
         authenticate_user_out.Success = -1
         authenticate_user_out.ErrorCode = sLoginCode
         authenticate_user_out.Handle = 0
         authenticate_user_out.Message = "Failed to Authenticate"
         callcode = "BAD_LOGIN"
         set AuthenticateRepositoryUser = authenticate_user_out  
        END IF
        
     Session("callcode")=callcode
    end function 
    '===============================================================================================================================
    Sub Browse(brMethod,brPath,brServer1,brServer2,brPostData,brServerFinal,brResponseBody,brCookie)
    ' brMethod  ' The Method to be used (either POST or GET)
    ' brPath   ' The path after the server to send the request to
    ' brServer1  ' The first server to attempt
    ' brServer2  ' The second server to attempt
    ' brPostData  ' The Data to use in POST requests
    ' sHTTPCode  ' The HTTP code returned by the request
    ' brServerFinal ' The actual server determined by the function
    ' brResponseBody ' The actual response returned by the WinHTTP request
    ' brCookie  ' The Cookie to send back to the user

     On Error Resume Next
     ' Creating the URLs
     brURL1 = "https://" & brServer1 & brPath
     brURL2 = "https://" & brServer2 & brPath

     ' Setting Options
     WinHttpReq.Option(6)=0    ' Disable the EnableRedirects option
    ' WinHttpReq.Option(0)="e-Gap" ' UserAgent ...

     ' Opening the request and Defining the headers
            LIGHT_TRACE "url is:" & brURL1
     WinHttpReq.Open brMethod, brURL1, 0
     WinHttpReq.SetRequestHeader "host", brServer1
     WinHttpReq.SetRequestHeader "Accept", "image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, */*"
     WinHttpReq.SetRequestHeader "Content-Type", "application/x-www-form-urlencoded"
     WinHttpReq.SetRequestHeader "Accept-Language", "en-us"
     WinHttpReq.SetRequestHeader "cookie", brCookie

     ' Sending the request
     LIGHT_TRACE "post data is:" & brPostData
     WinHttpReq.Send (brPostData)
     
     ' Checking the Status Code returned by the request
     sHttpCode = WinHttpReq.Status
     LIGHT_TRACE "status code is" & sHttpCode

     ' Verifying that the code returned by the request is either 302 or 200 (redirect or OK)
     If sHttpCode = 302 or sHttpCode = 200 then
      ' Request successful defining which server responded to request
      brServerFinal = brServer1
     Else
      ' Attempting the second server
      ' Opening the request and Defining the headers
      WinHttpReq.Open brMethod, brURL2, 0
      WinHttpReq.SetRequestHeader "host", brServer2
      WinHttpReq.SetRequestHeader "Accept", "image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, */*"
      WinHttpReq.SetRequestHeader "Content-Type", "application/x-www-form-urlencoded"
      WinHttpReq.SetRequestHeader "Accept-Language", "en-us"
      WinHttpReq.SetRequestHeader "cookie", brCookie

      ' Sending the request
      WinHttpReq.Send (brPostData)
     
      ' Checking the Status Code returned by the request
      sHttpCode = WinHttpReq.Status
      
      If sHttpCode = 302 or sHttpCode = 200 then
       ' Request successful defining which server responded to request
       brServerFinal = brServer2
      Else
       brServerFinal = "FAIL"
      End If
     End If
     ' Returning the Response Body of the request
     brResponseBody = WinHttpReq.ResponseText
     brCookie = WinHttpReq.GetResponseHeader("set-cookie") 
     'LIGHT_TRACE "response is: " & brResponseBody
    End Sub

    Sub Browse2(brMethod,brPath,brServer1,brServer2,brPostData,brServerFinal,brResponseBody,brCookie)
    ' brMethod  ' The Method to be used (either POST or GET)
    ' brPath   ' The path after the server to send the request to
    ' brServer1  ' The first server to attempt
    ' brServer2  ' The second server to attempt
    ' brPostData  ' The Data to use in POST requests
    ' sHTTPCode  ' The HTTP code returned by the request
    ' brServerFinal ' The actual server determined by the function
    ' brResponseBody ' The actual response returned by the WinHTTP request
    ' brCookie  ' The Cookie to send back to the user

     On Error Resume Next
     ' Creating the URLs
     brURL1 = "https://" & brServer1 & brPath
     brURL2 = "https://" & brServer2 & brPath

     ' Setting Options
     WinHttpReq.Option(6)=0    ' Disable the EnableRedirects option
    ' WinHttpReq.Option(0)="e-Gap" ' UserAgent ...

     ' Opening the request and Defining the headers
            LIGHT_TRACE "authenticated url is:" & brURL1
     WinHttpReq.Open brMethod, brURL1, 0
     WinHttpReq.SetRequestHeader "host", brServer1
     WinHttpReq.SetRequestHeader "Accept", "image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, */*"
     WinHttpReq.SetRequestHeader "Content-Type", "application/x-www-form-urlencoded"
     WinHttpReq.SetRequestHeader "Accept-Language", "en-us"
     WinHttpReq.SetRequestHeader "cookie", brCookie

     ' Sending the request
     LIGHT_TRACE "post data is:" & brPostData
     WinHttpReq.Send (brPostData)
     
     ' Checking the Status Code returned by the request
     sHttpCode = WinHttpReq.Status
     LIGHT_TRACE "status code is" & sHttpCode

     ' Verifying that the code returned by the request is either 302 or 200 (redirect or OK)

     If sHttpCode = 302 or sHttpCode = 200 or sHttpCode = 404 then
      ' Request successful defining which server responded to request
      brServerFinal = brServer1
     Else
      ' Attempting the second server
      ' Opening the request and Defining the headers
      WinHttpReq.Open brMethod, brURL2, 0
      WinHttpReq.SetRequestHeader "host", brServer2
      WinHttpReq.SetRequestHeader "Accept", "image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, */*"
      WinHttpReq.SetRequestHeader "Content-Type", "application/x-www-form-urlencoded"
      WinHttpReq.SetRequestHeader "Accept-Language", "en-us"
      WinHttpReq.SetRequestHeader "cookie", brCookie

      ' Sending the request
      WinHttpReq.Send (brPostData)
     
      ' Checking the Status Code returned by the request
      sHttpCode = WinHttpReq.Status

      If sHttpCode = 302 or sHttpCode = 200 or sHttpCode = 404 then
       ' Request successful defining which server responded to request
       brServerFinal = brServer2
      Else
       brServerFinal = "FAIL"
      End If
     End If
     ' Returning the Response Body of the request
     brResponseBody = WinHttpReq.ResponseText
     brCookie =  WinHttpReq.GetAllResponseHeaders() 
     'LIGHT_TRACE "response is: " & brResponseBody
    End Sub


    %>

    ****<trunkname>postpostvalidate.inc****

    <%

    ADreturncode = getsessionparam(g_cookie,"ADreturncode")
    count = getsessionparam(g_cookie,"reposCount")

    light_trace "post post ADreturncode param is: " & ADreturncode
    light_trace "post post reposCount param is: " & count

    ' when uncommented it simulates an AD failure
    'ADreturncode = "-1"

    ' The session param comes back as a string. In VBScript a string compared with a number
    ' is always treated as greater, so "-1" >= 0 would be True; convert before comparing.
    if IsNumeric(ADreturncode) then
     if CLng(ADreturncode) >= 0 and count = "1" then

      status=AddSessionUser(g_cookie,user_name,password,"domain_name")
      setsessionparam g_cookie,"reposCount","0"
      setsessionparam g_cookie,"user",user_name

      light_Trace "status of real AD is:" & status
      light_TRACE "USERNAME IS:" & user_name
      'light_TRACE "PW IS:" & password
      light_trace "len of password is :" & len(session("password1"))
     end if
    end if

    msgCookie  = GetSessionParam(g_cookie,"sitemindercookie")
    Light_trace "in postpost and the cookie is : " & msgCookie
    Response.AddHeader "Set-Cookie", msgCookie

    %>

    Monday, August 1, 2011 18:33
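The two string operations the posted inc files depend on, carried through in Python as an added example (this is not code from the post, nor from UAG or SiteMinder). The posted getSiteMinderCookie / AuthenticateRepositoryUser pair locates SMSESSION with InStr over the whole header blob that Browse2 returns from GetAllResponseHeaders(), slices up to the next "; ", and re-emits the cookie with path and domain; the Browse routines also trace the full POST body, which carries the PASSWORD field. The example below restricts the search to Set-Cookie lines (a matching substring in another header cannot be picked up), tolerates SMSESSION being the last attribute on its line, returns None when no session cookie came back so the caller can take the BAD_LOGIN branch, and masks the password before a trace line is written. The header lines, cookie values and .example.com domain are constructed; .mysite.com is taken from the posted inc; adding Secure and HttpOnly to the re-emitted cookie is an assumption that the UAG portal is HTTPS-only and no client script needs to read SMSESSION.

```python
import re
from typing import Optional

# Constructed stand-in for WinHttpRequest.GetAllResponseHeaders() output:
# CRLF-separated "Name: value" lines, the shape Browse2 hands back in brCookie.
# The Location line deliberately contains the text "SMSESSION" to show that a
# whole-blob substring search would latch onto the wrong place.
SAMPLE_HEADERS = (
    "Location: https://sso.example.com/iag/?SMSESSION=decoy\r\n"
    "Set-Cookie: SMCHALLENGE=YES; path=/; domain=.example.com\r\n"
    "Set-Cookie: SMSESSION=AbC123+/xyz==; path=/; domain=.example.com\r\n"
    "Content-Length: 0\r\n"
)

# Constructed: SMSESSION is the final attribute of the final line, so no "; "
# follows its value (the InStr-based slice in the posted inc gets length 0 here).
SAMPLE_HEADERS_TRAILING = (
    "Set-Cookie: SMCHALLENGE=YES; path=/\r\n"
    "Set-Cookie: SMSESSION=LastOne=="
)

# Constructed: a failed logon, SiteMinder answers without any SMSESSION cookie.
SAMPLE_HEADERS_FAILED = (
    "Location: https://sso.example.com/siteminderagent/forms/login.fcc\r\n"
    "Set-Cookie: SMTRYNO=1; path=/; domain=.example.com\r\n"
)


def extract_cookie(raw_headers: str, name: str) -> Optional[str]:
    """Return the value of cookie `name` taken from Set-Cookie headers only."""
    for line in raw_headers.split("\r\n"):
        hname, sep, value = line.partition(":")
        if not sep or hname.strip().lower() != "set-cookie":
            continue
        # "NAME=value" is everything before the first attribute separator.
        cookie_pair = value.split(";", 1)[0].strip()
        cname, eq, cval = cookie_pair.partition("=")
        if eq and cname.strip() == name:
            return cval.strip()
    return None


def build_sso_cookie(raw_headers: str, domain: str = ".mysite.com",
                     path: str = "/") -> Optional[str]:
    """Build the Set-Cookie value to push to the browser, or None if no session exists.

    None lets the caller fall into the posted inc's "Failed to Authenticate"
    branch instead of emitting a malformed cookie. Secure and HttpOnly are an
    assumption about the deployment (HTTPS-only portal, no script access).
    """
    value = extract_cookie(raw_headers, "SMSESSION")
    if value is None:
        return None
    return f"SMSESSION={value}; path={path}; domain={domain}; Secure; HttpOnly"


_PASSWORD_FIELD = re.compile(r"(?i)(PASSWORD=)[^&]*")


def redact_post_data(post_data: str) -> str:
    """Mask the PASSWORD field so a trace such as "post data is: ..." never logs it."""
    return _PASSWORD_FIELD.sub(r"\1[REDACTED]", post_data)


if __name__ == "__main__":
    print(build_sso_cookie(SAMPLE_HEADERS))
    print(build_sso_cookie(SAMPLE_HEADERS_TRAILING))
    print(build_sso_cookie(SAMPLE_HEADERS_FAILED))
    print(redact_post_data("USER=bill&PASSWORD=s3cret!&TARGET=x"))
```

In the posted flow the equivalent of build_sso_cookie would run where UG is assembled, and redact_post_data would wrap brPostData in the two LIGHT_TRACE "post data is:" calls; the trace in AuthenticateRepositoryUser of the cookie value itself is a separate decision, since SMSESSION is a bearer credential in the UAG trace log.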