locked
Single Sign On (SSO) not working for Web Applications RRS feed

  • Question

  • I'm publishing several web based applications through UAG Eval version, and am having troubles getting the single sign on feature to work.

    One is Domino web mail, and the other is Citrix Nfuse release 4.  In IAG both of these were predefined application types and worked without issue.  We could create the application, check the box for "use single sign-on to send credentials to published applications" select the proper authentication server, and be off and running, the user logged into the portal, clicked the link, and was straight into the application.

    I'm using the "Other Web Application (portal hostname)" Application type to try to recreate these two previously built in apps, and am filling in all the required fields, the pages work fine, however instead of using single sign-on, the users is prompted to reenter their credentials.  I've verified multiple times that the correct authorization servers are selected, and the client machines have the UAG client components installed correctly.  It appears that even though we enable/select the option, the single sign-on is not even being attempted.

    Any insight on suggestions on how to remedy the problem would be greatly appreciated.  Thanks.

    Monday, January 11, 2010 4:18 PM

Answers

  • kfyhr,

    Its actually going to be more than just SSO that you'll find is not working.  In IAG (and UAG) an application template also holds not only definitions for FormLogin, but also for Appwrap and SRA templates to fix application specific issues, for URL rulesets, for download/upload/ignore URL's, default startup script calls, etc.

    Its basically gonna be a small project to re-create all these settings, or more likely copy them from an IAG and massage them into the right format.  If you end up needing help with this project, please consider MBR Security.  (contact me via www.mbrsecurity.com)   I'm a former Whale/Microsoft guy (2002-2007) and have been 100% dedicated to the product since 2002.   Note that we can optionally also help you choose from among the various UAG appliance options and are currently an appliance reseller for Celestix, Portcullis, & nAppliance; which are the 3 which have any serious sales history and experience of integrating the product under IAG.   We also do consulting only gigs on exiting appliances (IAG/e-Gap/UAG) or IAG/UAG VHD, or UAG software only.

    Thanks,
    Mark
    • Marked as answer by Erez Benari Tuesday, January 12, 2010 8:05 PM
    Monday, January 11, 2010 9:10 PM

All replies

  • Hi,

    Since, as you have noticed, some of the out-of-the-box applications that existed in IAG do not exist in UAG, you need to configure UAG how to perform SSO to backend apps that use FBA (form-based authentication). In IAG, these configurations existed for those specific apps, but in UAG, you have to create these configuration settings yourself.

    Take a look at this link: http://technet.microsoft.com/en-us/library/dd282925.aspx (it is from the IAG TechNet documentation, but it also applies to UAG).

    HTH,
    -Ran
    Monday, January 11, 2010 8:25 PM
  • kfyhr,

    Its actually going to be more than just SSO that you'll find is not working.  In IAG (and UAG) an application template also holds not only definitions for FormLogin, but also for Appwrap and SRA templates to fix application specific issues, for URL rulesets, for download/upload/ignore URL's, default startup script calls, etc.

    Its basically gonna be a small project to re-create all these settings, or more likely copy them from an IAG and massage them into the right format.  If you end up needing help with this project, please consider MBR Security.  (contact me via www.mbrsecurity.com)   I'm a former Whale/Microsoft guy (2002-2007) and have been 100% dedicated to the product since 2002.   Note that we can optionally also help you choose from among the various UAG appliance options and are currently an appliance reseller for Celestix, Portcullis, & nAppliance; which are the 3 which have any serious sales history and experience of integrating the product under IAG.   We also do consulting only gigs on exiting appliances (IAG/e-Gap/UAG) or IAG/UAG VHD, or UAG software only.

    Thanks,
    Mark
    • Marked as answer by Erez Benari Tuesday, January 12, 2010 8:05 PM
    Monday, January 11, 2010 9:10 PM