UAG single sign on using two factor authentication

  • Question

  • Hello, we use a product/system called ASAS from Authenex. It is event based, thus every time you sign in, the next time you wish to sign in you will need the next event key.
    (http://www.authenex.com/authenex-products/asas-system.html)

    The system will use RADIUS authentication on the portal trunk, and we have this part of it working.

    The question now is what will be passed to the applications behind the portal when we use single sign on.

    Some of the applications, for example Outlook Web Access and Remote Desktop, will use Integrated Windows Authentication; some (Moodle, Joomla) will use LDAP authentication.

    What username/password combination will be passed to the website/application?

    What we would want passed would probably only be the domain user name and domain password.

    We do not want to have to have users sign in twice to get to outlook web access or Moodle.

    Can you control which details get passed?

    After reading this page
    http://searchsecurity.techtarget.com/expert/KnowledgebaseAnswer/0,289625,sid14_cid391596,00.html

    ---------------
    Novell takes a different approach. All applications still have their own usernames and passwords, but they are stored in what they call SecretStore. According to their Web site , "Once you authenticate to NDS, SecretStore automatically collects and encrypts your application passwords the first time you use them. When you next attempt to use an application, the application's client will try to verify that you are authenticated to NDS. If NDS responds that you are authenticated, the client requests your application password from the SecretStore. NDS retrieves your encrypted password from the SecretStore and sends it to your workstation, where it is decrypted and used to give you access to the desired application. This entire process takes only seconds and is completely transparent: Once you authenticate to NDS, Single Sign-on manages the rest of your logon processes."
    ----------

    I see that Novell keeps a SecretStore, thus you could even use a different naming convention and it would work (i.e. the trunk could use firstname.lastname and the applications inside could use lastname.firstname). Upon signing in the first time, it would record in the SecretStore the username and password associated with that application.

    If you changed the password or username, it would ask one time and save them again.

    Michael.


    Wednesday, October 14, 2009 6:08 PM

Answers

  • Michael,

    Let's say you set two factor authentication:

    The first is:  Windows Active Directory (Username1) (Password)
    The second is: Authenex (Username1) (Random PIN Number)

    The user at the login page will type in Username / AD Password and Random PIN Number.

    After the user is authenticated successfully, they are presented with a list of applications.

    For example: OWA. Under the "web settings" tab, you will only need to put in the Windows AD under authentication servers.

    IAG will then only pass the AD credentials, and therefore successfully have Single Sign On to OWA.


    Hope this helps.
    Dennis

    • Marked as answer by Erez Benari Friday, October 16, 2009 10:49 PM
    Thursday, October 15, 2009 2:34 AM

All replies

  • Hi, given that a requirement would be OTP, is it possible at the portal page to have a 'Username' box, an 'AD password' box, and an 'OTP password' box? The user would enter their username and AD password and AD password+OTP and log in.

    If the above is possible, how does UAG know what credentials to use for SSO?

    jason
    Tuesday, October 20, 2009 10:13 PM
  • Hi Amigo. Dennis answered that in the previous reply. In UAG you define different authentication repositories: one for AD and another one for the OTP. The trunk is configured to force the user to authenticate to both repositories. UAG keeps in memory the username/password pairs for both repositories. In the definition of the published web app you select the repository to use for the SSO, so you are telling UAG which username/password pair is to be forwarded.

    Hope it helps
    // Raúl - I love this game
    Wednesday, October 21, 2009 10:47 AM
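A small model of the flow Raúl describes, added here as an illustration and not code from UAG or Authenex: the trunk authenticates the user against both repositories, keeps both credential pairs in the session, and each published application names the repository whose pair is forwarded for SSO. Since the thread does not describe Authenex's token algorithm, an RFC 4226 HOTP counter with a look-ahead window stands in for the event-based OTP; the AD user table, the app-to-repository map and all function names are constructed for this example.

```python
import hashlib
import hmac
import struct

# Constructed stand-in for the AD repository: username -> domain password.
AD_USERS = {"michael": "Winter2009!"}


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: the event-based one-time password for a given counter."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


class EventTokenRepository:
    """Event-based OTP repository: each token keeps a secret and the last counter accepted."""

    def __init__(self, tokens: dict, look_ahead: int = 5):
        self.tokens = tokens          # username -> {"secret": bytes, "counter": int}
        self.look_ahead = look_ahead  # skipped events tolerated before the token is out of sync

    def verify(self, username: str, otp: str) -> bool:
        tok = self.tokens.get(username)
        if tok is None:
            return False
        for c in range(tok["counter"] + 1, tok["counter"] + 1 + self.look_ahead):
            if hmac.compare_digest(hotp(tok["secret"], c), otp):
                tok["counter"] = c  # advance: an already used event key is never accepted again
                return True
        return False


def trunk_login(session: dict, username: str, ad_password: str, otp: str, otp_repo) -> bool:
    """The trunk requires both repositories; AD is checked first so a bad password does not burn an OTP."""
    if AD_USERS.get(username) != ad_password or not otp_repo.verify(username, otp):
        return False
    session["AD"] = (username, ad_password)        # pair forwarded to AD-authenticated apps
    session["Authenex"] = (username, otp)          # pair kept for apps bound to the OTP repository
    return True


# Published applications and the repository selected for their SSO (constructed config).
APP_SSO_REPOSITORY = {"OWA": "AD", "Moodle": "AD"}


def sso_credentials(session: dict, app: str):
    """Return the username/password pair the portal would forward to the published application."""
    return session[APP_SSO_REPOSITORY[app]]
```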
  • Hi, thank you for the reply. Is there any documentation that would explain how to configure the given scenario?

    jason
    Thursday, October 22, 2009 4:17 AM