Form injection for UAG FormLogin.XML - how to specify Application Type?

  • Question

  • Following the instructions on http://technet.microsoft.com/en-us/library/dd282925.aspx#BeforeYouBegin where the FormLogin.XML file needs the Application Type specified, and where http://blogs.technet.com/b/ben/archive/2010/01/23/custom-form-login-sso-how-to.aspx has a nice little screen capture showing where the Application Type is taken from - there is a conflict of explanation.

    On the TechNet site, it specifies a warning note "The application type must be alphanumeric, without spaces and without punctuation marks. It is recommended that the name is significant so that it can be easily identified." - but the application type I want to do the Form Login for is "Generic Browser-Embedded Application (multiple servers)" and this is under the category "Browser-Embedded" - what do I enter into the <APPLICATION_TYPE> definition? I can't edit it within the UAG management interface, and I can't create a new one like I could with an "Other Web Application".

     

    Secondly, according to http://technet.microsoft.com/en-us/library/dd282925.aspx - there is clear definition on what all parameters mean, except <DEF_VALUE>, which seem to be used in different formats on various different blogs and 'how to' sites, and even within the existing FormLogin.xml file - can anyone point me to a definition of what these variables contain, what the correct syntax is and how they are used, so I can do this properly?

    whaleusr, usr, user, username, siteusr, siteuser, whlusr, pass, whlpass, password - it seems to be a complete mix and I don't know which one to use!


    Wednesday, June 22, 2011 7:02 AM

All replies

  • Hi Christian,

    Following the instructions on http://technet.microsoft.com/en-us/library/dd282925.aspx#BeforeYouBegin where the FormLogin.XML file needs the Application Type specified, and where http://blogs.technet.com/b/ben/archive/2010/01/23/custom-form-login-sso-how-to.aspx has a nice little screen capture showing where the Application Type is taken from - there is a conflict of explanation.

    On the TechNet site, it specifies a warning note "The application type must be alphanumeric, without spaces and without punctuation marks. It is recommended that the name is significant so that it can be easily identified." - but the application type I want to do the Form Login for is "Generic Browser-Embedded Application (multiple servers)" and this is under the category "Browser-Embedded" - what do I enter into the <APPLICATION_TYPE> definition? I can't edit it within the UAG management interface, and I can't create a new one like I could with an "Other Web Application".

    For a Generic Browser-Embedded Application (multiple servers) application, in your custom FormLogin.xml enter this application type: GenericWebRelayMulti


    Secondly, according to http://technet.microsoft.com/en-us/library/dd282925.aspx - there is clear definition on what all parameters mean, except <DEF_VALUE>, which seem to be used in different formats on various different blogs and 'how to' sites, and even within the existing FormLogin.xml file - can anyone point me to a definition of what these variables contain, what the correct syntax is and how they are used, so I can do this properly?

    whaleusr, usr, user, username, siteusr, siteuser, whlusr, pass, whlpass, password - it seems to be a complete mix and I don't know which one to use!



    The <DEF_VALUE> element can contain any string that you wish, pretty much free text. This is why you're seeing a mix of different strings used for this element, like whaleusr, usr, siteuser, pass, etc.

    This value, as mentioned in the TechNet article that you refer to, is the value that the UAG will place into the form, when sending it to the client browser, when the <CONTROL> handling attribute is set to "dummy_value".

     

    Description
    Used as the control’s default value, which is sent to the endpoint browser, for the following controls:

    • When the handling attribute of the <CONTROL> element is defined as “dummy_value”.

    • When the handling attribute of the <CONTROL> element is defined as “conf_default”, and the Form authentication engine cannot retrieve a value from IAG’s internal credentials database.

      Note:

      Although the default value is not used for controls where the handling attribute value is “real_value” or “app_default”, for compatibility reasons, a <DEF_VALUE> element must be defined for all controls.


    -Ran
    Wednesday, June 22, 2011 3:57 PM
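An added check (example code written for this thread, not part of UAG or of any post here) for the two rules Ran quotes above: APPLICATION_TYPE must be alphanumeric with no spaces or punctuation, and every <CONTROL> must carry a <DEF_VALUE> whatever its handling attribute. The FORM_LOGIN_DATA/LOGIN_FORM wrapper names and the sample controls are assumptions made for the constructed input.

```python
import re
import xml.etree.ElementTree as ET

# Handling values quoted from the TechNet article above; compared case-insensitively.
KNOWN_HANDLING = {"dummy_value", "conf_default", "real_value", "app_default"}


def lint_formlogin(xml_text):
    """Return a list of findings; an empty list means the fragment passes."""
    findings = []
    root = ET.fromstring(xml_text)
    app_type = root.findtext("APPLICATION_TYPE")
    # TechNet warning: alphanumeric only, no spaces, no punctuation.
    if app_type is None or not re.fullmatch(r"[A-Za-z0-9]+", app_type.strip()):
        findings.append("APPLICATION_TYPE %r is missing or not alphanumeric" % app_type)
    for ctrl in root.iter("CONTROL"):
        name = (ctrl.findtext("NAME") or "?").strip()
        handling = ctrl.get("handling")
        if handling is None or handling.lower() not in KNOWN_HANDLING:
            findings.append("control %s: unknown handling %r" % (name, handling))
        # Note quoted above: DEF_VALUE is required for every control, even for
        # real_value/app_default, where the engine does not use it.
        def_value = ctrl.findtext("DEF_VALUE")
        if def_value is None or not def_value.strip():
            findings.append("control %s: missing <DEF_VALUE>" % name)
    return findings


# Constructed samples. FORM_LOGIN_DATA/LOGIN_FORM wrapper names are assumed;
# APPLICATION_TYPE, CONTROL, handling and DEF_VALUE come from the thread.
BAD_SAMPLE = """<FORM_LOGIN_DATA>
  <APPLICATION_TYPE>Generic Browser-Embedded Application (multiple servers)</APPLICATION_TYPE>
  <LOGIN_FORM>
    <CONTROL handling="real_value"><NAME>user</NAME><DEF_VALUE>whlusr</DEF_VALUE></CONTROL>
    <CONTROL handling="Real_Value"><NAME>password</NAME></CONTROL>
    <CONTROL handling="autofill"><NAME>domain</NAME><DEF_VALUE>corp</DEF_VALUE></CONTROL>
  </LOGIN_FORM>
</FORM_LOGIN_DATA>"""

GOOD_SAMPLE = """<FORM_LOGIN_DATA>
  <APPLICATION_TYPE>GenericWebRelayMulti</APPLICATION_TYPE>
  <LOGIN_FORM>
    <CONTROL handling="real_value"><NAME>user</NAME><DEF_VALUE>whlusr</DEF_VALUE></CONTROL>
    <CONTROL handling="real_value"><NAME>password</NAME><DEF_VALUE>whlpass</DEF_VALUE></CONTROL>
  </LOGIN_FORM>
</FORM_LOGIN_DATA>"""

if __name__ == "__main__":
    for finding in lint_formlogin(BAD_SAMPLE):
        print(finding)
```

Running it against BAD_SAMPLE reports the non-alphanumeric application type, the password control with no DEF_VALUE, and the unknown handling value; GOOD_SAMPLE, which uses GenericWebRelayMulti as Ran advised, passes clean.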
  • For a Generic Browser-Embedded Application (multiple servers) application, in your custom FormLogin.xml enter this application type: GenericWebRelayMulti

    Thanks for that - is there a location that defines what all the application type variables are? I would never have guessed to use "Web Relay"

     

    The <DEF_VALUE> element can contain any string that you wish, pretty much free text.

    Thanks for the reply, but it has not answered my question - perhaps I did not word it properly. Our authentication uses two Authentication Repositories, and so the content of "password" could be two different values, one from our AD and the other from our RADIUS challenge - how do I specify/define which password gets injected into the form for my "GenericWebRelayMulti" application?

    I can see that if we specify "Real_Value" for the handling type, that the Password is injected from the IAG internal database but I can't see how to define which repository it is taken from - is it the local username/password, the AD username or the RADIUS details?

    Thanks

    Wednesday, June 22, 2011 11:25 PM
  • Hi Christian,

    For a Generic Browser-Embedded Application (multiple servers) application, in your custom FormLogin.xml enter this application type: GenericWebRelayMulti

    Thanks for that - is there a location that defines what all the application type variables are? I would never have guessed to use "Web Relay"

     Yes, the location is ...\Program Files\Microsoft Forefront Unified Access Gateway\von\Conf\WizardDefaults\WizardDefaultParam.ini (NOTE: please do not make changes to this file!)

    The <DEF_VALUE> element can contain any string that you wish, pretty much free text.

    Thanks for the reply, but it has not answered my question - perhaps I did not word it properly. Our authentication uses two Authentication Repositories, and so the content of "password" could be two different values, one from our AD and the other from our RADIUS challenge - how do I specify/define which password gets injected into the form for my "GenericWebRelayMulti" application?

    I can see that if we specify "Real_Value" for the handling type, that the Password is injected from the IAG internal database but I can't see how to define which repository it is taken from - is it the local username/password, the AD username or the RADIUS details?

    Thanks


    The configuration as to which set of credentials, from which repository, should UAG use in order to perform SSO, is done in the UAG Management console, in the Application Properties window -> Authentication tab. This is where you instruct UAG to use one (or more) Authentication Servers. In your case, if you want UAG to use the AD creds for SSO, you need to enter only that repository in the Select authentication servers list.

    HTH,

     


    -Ran
    Thursday, June 23, 2011 5:17 AM
  •  Yes, the location is ...\Program Files\Microsoft Forefront Unified Access Gateway\von\Conf\WizardDefaults\WizardDefaultParam.ini (NOTE: please do not make changes to this file!)
    Thanks - very helpful to know
    The configuration as to which set of credentials, from which repository, should UAG use in order to perform SSO, is done in the UAG Management console, in the Application Properties window -> Authentication tab. This is where you instruct UAG to use one (or more) Authentication Servers. In your case, if you want UAG to use the AD creds for SSO, you need to enter only that repository in the Select authentication servers list.
    HTH,

    That's great. I've noticed that SSO allows options of 401, HTML form and Both - should I choose HTML form then?

    You are really helping, but I think my particular app is giving me more problems - I would like to see what is entered into the form, so how do I prevent autosubmit for it? I tried specifying an autosubmit.js file that does not exist.

    My form seems to perform some logic during login that is taking the entered username and then creating a new variable that is the username plus the result from a drop-down box so it becomes username@environment.

    I have worked out how to do this with the <processing_side>client option, but would I need to create my own code for generating the concatenated value? If you could let me know where I should put the file - I imagine it would be an .inc file. If I could see what was being generated by the FormLogin.xml file, it would give me a lot of help.

    Where can I customise the error page that is displayed - at the moment when the form is submitted (and fails because of these extra variables that are missing) I get an error that my browser is not supported. I would like to be able to customise this - where are the error pages generated from? The second time I try to access the site, I get the login form, but that is because I have <Multiple_login> set to false.

    Thanks

    Thursday, June 23, 2011 5:59 AM
  • Hi again,

    Glad to hear you're making progress!

     

    That's great. I've noticed that SSO allows options of 401, HTML form and Both - should I choose HTML form then?

    Yes, you should definitely choose HTML Form or Both to instruct UAG to use its form authentication engine and your custom FormLogin.xml file.

     

    You are really helping, but I think my particular app is giving me more problems - I would like to see what is entered into the form, so how do I prevent autosubmit for it? I tried specifying an autosubmit.js file that does not exist.

    You have several options to see what UAG does with the form, when it sends it to the client:

    a) install and use a tool like Fiddler2 on the client machine, so that you can see the HTTP traffic between the browser and UAG

    b) on the UAG server, you can configure a custom "autosubmit.js" which does nothing, so that the form will remain displayed in the browser (pretty close to what you thought of doing, configuring a nonexistent autosubmit.js, but I would not do that, since not finding a file might throw UAG off as an error). See the section named Creating a Stand-Alone Custom “autosubmit” Script, here: http://technet.microsoft.com/en-us/library/dd282925.aspx#AutosubmitScript

     

    My form seems to perform some logic during login that is taking the entered username and then creating a new variable that is the username plus the result from a drop-down box so it becomes username@environment.

    I have worked out how to do this with the <processing_side>client option, but would I need to create my own code for generating the concatenated value? If you could let me know where I should put the file - I imagine it would be an .inc file. If I could see what was being generated by the FormLogin.xml file, it would give me a lot of help.

    I don't think that you need to create your own code for generating whatever it is that the form generates on the client side, since... the form already contains that code and that logic, and you do not need to change it. The only thing that you need to do is configure UAG to fill the form with the real credentials (using the handling="real_value" attribute), so that those values get to the browser and can then be processed by the form, using whatever logic it has.

    Another thing: you mention that the form includes a drop-down, so this means that the end-user is required to take some action and select a specific value from that drop-down. This means that UAG should not inject into the form the autosubmit script, since you want the browser to wait for the end-user's selection. In that case, please see my recommendation above for creating a custom autosubmit.js that does not do anything.

     

    Where can I customise the error page that is displayed - at the moment when the form is submitted (and fails because of these extra variables that are missing) I get an error that my browser is not supported. I would like to be able to customise this - where are the error pages generated from? The second time I try to access the site, I get the login form, but that is because I have <Multiple_login> set to false.

    Thanks


    The UAG error page is just one HTML that is used for many different scenarios and error messages, so I don't think you want to customize it.  Also, if you solve your other problems discussed here, this may not be needed anyway.

    Just as an FYI of where the list of "supported browsers" is located, for the UAG form authentication engine: this is the ...\Program Files\Microsoft Forefront Unified Access Gateway\von\Conf\FormLoginDataDefinition.ini file (NOTE: as always, please do not make changes to this file! You probably learned that by now, since I keep saying it :) )

    Regards,


    -Ran
    Thursday, June 23, 2011 7:11 AM