UAG Client Certificate Authentication - SSO to backend FBA Application

  • Question

  • I have UAG configured for client certificate authentication to a Netscape "repository" / LDAP directory.  Authentication to the UAG portal mapping subjectCN works great and access to the portal is perfect.

    The backend application "SharePoint2007" is where I am having some issues.  I am able to configure SP 2007 using FBA LDAP Provider and I can get to the basic FBA login page - if I provide the correct credentials for an LDAP user "assuming I have already modified the SP Web Policy and granted the ldap user full rights" I can login just fine.

    What I am trying to achieve is a complete end to end certificate authentication scheme, where the UAG Portal prompts for a cert, and then the back end app will somehow "grab" the authentication token and pass it through to the SharePoint portal without being prompted for FBA.

    The documentation on UAG is pretty good but I haven't seen any examples of this type of authentication.  I know you can do this if everything was Active Directory - but unfortunately, we live in a world of 3rd party providers and my customer is using a 3rd party LDAP.

    I have absolutely no development skills "mainly infrastructure" - so I am at a standstill on figuring this one out.  I have looked at a couple of blogs and it mentions modifying formslogin.xml.  That works but it requires me to have the main UAG Portal as Forms Based as well and not Client Certificate Auth based.  If I use a forms based portal, it passes through the authentication to the backend FBA SharePoint app just fine in a "SSO" type of way even though there are scripts "clicking" the submit button and feeding the username / pass, but I am not looking for that.

    Tuesday, November 30, 2010 6:27 AM

Answers

  • With something like RSA SecurID, you can combine RSA SecurID credentials and "other" credentials (for example AD or LDAP). This is achieved using a single form that requires both sets of credentials. This allows for 2FA to be enforced, but also allows for SSO to backend apps using the "other" credentials.

    I realise this doesn't quite work for you, but combining 2FA with SSO is possible in certain scenarios; RSA being one I have used many times...

    Cheers

    JJ


    Jason Jones | Forefront MVP | Silversands Ltd | My Blogs: http://blog.msedge.org.uk and http://blog.msfirewall.org.uk
    • Marked as answer by Erez Benari Monday, December 27, 2010 11:40 PM
    Thursday, December 2, 2010 9:32 AM

All replies

  • Hi Amig@. For UAG to delegate credentials (SSO) it is mandatory that UAG knows the credentials. This means that to fulfill the FBA that SharePoint is presenting, UAG must know the username and the password of the user. When you set the portal to forms authentication, the user writes the user/password and UAG can fulfill the SharePoint FBA with that info. When you set the portal to cert authentication, UAG does not know the user/pass so it cannot fulfill the SharePoint form. The only way to do this is to configure SharePoint for Kerberos authentication and use Kerberos Constrained Delegation in UAG. The other option is to keep the user/password at an alternative (secured) location and set UAG to retrieve those credentials after logon and use them to fulfill the SharePoint form.

    Hope it helps 


    // Raúl - I love this game
    Tuesday, November 30, 2010 11:04 AM
  • Thanks Raul - unfortunately - this will not work for me as KCD requires users to be part of the same DOMAIN as UAG and the application.  These users are in a 3rd party LDAP directory, not AD.
    Tuesday, November 30, 2010 5:04 PM
  • Hi Amig@. You could try the other alternative. Is it possible to retrieve username/password from that repository?
    // Raúl - I love this game
    Tuesday, November 30, 2010 5:32 PM
  • So, for testing purposes, the LDAP user account that I am testing with does have a password.  But - ALL other users in the LDAP directory do not have passwords nor do they even have the userPassword ldap attribute listed within their ldap properties.

    Wednesday, December 1, 2010 6:55 AM
  • So, the FBA of SharePoint does not authenticate against that LDAP repository. How does SharePoint authenticate the users?

    Regards


    // Raúl - I love this game
    Wednesday, December 1, 2010 3:45 PM
  • SharePoint is configured to authenticate against LDAP.  The problem is that users during the "front end authentication" with UAG use a certificate in which UAG maps the subjectCN to the cn within LDAP, granting them access to the UAG Portal Landing page.  Once there, users have the ability to click on the SharePoint application that is published on the trunk.  When they click the SharePoint 2007 application, UAG passes the subjectCN to the user name field within the SharePoint FBA, but SharePoint fails to authenticate against LDAP at that point because the password is not provided nor is it stored in the cookie "obviously".  I am trying to have an SSO type of effect with UAG passing an already "front end authenticated" user to a backend application without having the backend application prompt for another set of credentials.

    I see very little value in the ability to authenticate users to multiple directories during the front end authentication within UAG if there is no mechanism that can pass through the valid authentication session to a backend app.  This works just fine with AD... no issues there, but for secure environments that want to use two factor authentication against a 3rd party LDAP provider, the front end authentication works fine, but the backend will always require a user to have some other credential.  Of course, this can probably be solved using a custom auth provider, or code, but the impression my customer got was "UAG can authenticate to many authentication stores and provide SSO capabilities to your applications".  In reality, it is "UAG can do all of that, but your app must also authenticate if you are using two factor, or you have to use forms auth both at the front end and backend."  Forms auth both front and backend do work against LDAP or Active Directory, but again, forms require username and password.  This does not work when using client certificates unless you are using AD and KCD.

    Hope that helps you understand my situation better.

    Thursday, December 2, 2010 6:52 AM
  • Hi Jason

    What other 2FA with SSO have you found to work? Like adminb29, I would like to use client certificates as the other credential, i.e. have user/pass against AD and a client certificate. Would like to use certificates rather than RSA (for cost reasons); the backend app is SharePoint 2007.

    rgds

    Paul

    Sunday, January 16, 2011 7:54 PM
  • Hi Paul,

    For SharePoint, you should be able to use client certificate authN combined with KCD to provide SSO.

    http://technet.microsoft.com/en-us/library/ee690451.aspx

    http://technet.microsoft.com/en-us/library/ee690467.aspx

    Cheers

    JJ


    Jason Jones | Forefront MVP | Silversands Ltd | My Blogs: http://blog.msedge.org.uk and http://blog.msfirewall.org.uk
    Sunday, January 16, 2011 9:17 PM