Access Policy Manager Single Sign-On Configuration … · Task summary for configuring web application over network ... the access profile using SSO ... Sign-On configuration object

BIG-IP® Access Policy Manager® SingleSign-On Configuration Guide

Version 11.3

Table of Contents

Legal Notices.....................................................................................................................................5

Chapter 1: Configuring Single Sign-On with Access Policy Manager..............7What is Single Sign-On?..........................................................................................................8

Chapter 2: Single Sign-On Methods....................................................................9What are the supported SSO methods?................................................................................10

About the Single Sign-On configuration object............................................................10

Creating an HTTP Basic SSO configuration..........................................................................11

HTTP Basic SSO configuration settings .....................................................................11

Creating an HTTP forms-based SSO configuration...............................................................12

HTTP Form SSO configuration settings......................................................................12

Creating an NTLMV1 SSO configuration...............................................................................14

NTLMV1 SSO configuration settings ..........................................................................14

Creating an NTLMV2 SSO configuration...............................................................................15

NTLMV2 SSO configuration settings ..........................................................................16

Chapter 3: Form-Based Client-Initiated Single Sign-On Method.....................17About form-based client-initiated SSO authentication............................................................18

Basic configuration of form-based client-initiated SSO ..............................................18

How does form-based client-initiated SSO authentication work by default? ..............18

About advanced configuration options for form-based client-initiated SSO authentication.19

Configuring form-based client-initiated SSO..........................................................................20

Forms-based client-initiated SSO configuration settings.............................................21

Form-based client-initiated SSO configuration examples.......................................................24

DWA form-based client-initiated SSO example...........................................................24

Bugzilla form-based client-initiated SSO example.......................................................25

Ceridian form-based client-initiated SSO example......................................................25

Citrix 4.5 and 5 form-based client-initiated SSO example...........................................27

Devcentral form-based client-initiated SSO example..................................................28

Google form-based client-initiated SSO example........................................................29

Oracle Application Server form-based client-initiated SSO example...........................30

OWA 2010 and 2007 form-based client-initiated SSO example..................................30

OWA 2003 form-based client-initiated SSO example..................................................31

Perforce form-based client-initiated SSO example......................................................31

Reviewboard form-based client-initiated SSO example...............................................32

SAP form-based client-initiated SSO example............................................................32

Salesforce form-based client-initiated SSO example..................................................33

3

Table of Contents

Sharepoint 2010 form-based client-initiated SSO example.........................................34

Weblogin form-based client-initiated SSO example....................................................35

Yahoo form-based client-initiated SSO example.........................................................36

Chapter 4: Kerberos Single Sign-On Method....................................................39About Kerberos SSO..............................................................................................................40

How does Kerberos SSO work in Access Policy Manager?...................................................40

Task summary for configuring Kerberos SSO........................................................................41

Setting up a delegation account to support Kerberos SSO.........................................41

Creating a Kerberos SSO configuration in APM..........................................................42

Editing an access policy to support Kerberos SSO.....................................................42

Binding a Kerberos SSO object to an access profile...................................................43

Attaching an access profile to a virtual server for Kerberos SSO................................43

Kerberos SSO configuration settings ....................................................................................43

Kerberos SSO session variable list........................................................................................46

Tips for successfully deploying Kerberos SSO.......................................................................46

Chapter 5: Single Sign-On and Multi-Domain Support....................................49About multi-domain support for SSO......................................................................................50

How does multi-domain support work for SSO?....................................................................50

Task summary for configuring domain support for SSO.........................................................52

Configuring an access policy for SSO single domain support.....................................52

Configuring an access policy for SSO multi-domain support......................................53

Creating a virtual server for SSO multi-domain support..............................................53

Chapter 6: Common Deployment Examples for Single Sign-On.....................55Common use cases for Single Sign-On deployment..............................................................56

Task summary for configuring web application over network access tunnel for SSO............56

Configuring network access for SSO with web applications........................................56

Configuring network access properties.......................................................................57

Configuring and managing the access profile using SSO...........................................57

Configuring an HTTP virtual server for the network access........................................57

Configuring a layered virtual server for your web service............................................58

Configuring portal access resources for SSO ............................................................58

Acknowledgments..........................................................................................................................61

4

Table of Contents

Legal Notices

Publication Date

This document was published on November 15, 2012.

Publication Number

MAN-0363-03

Copyright

Copyright © 2012, F5 Networks, Inc. All rights reserved.

F5 Networks, Inc. (F5) believes the information it furnishes to be accurate and reliable. However, F5 assumesno responsibility for the use of this information, nor any infringement of patents or other rights of thirdparties which may result from its use. No license is granted by implication or otherwise under any patent,copyright, or other intellectual property right of F5 except as specifically described by applicable userlicenses. F5 reserves the right to change specifications at any time without notice.

Trademarks

Access Policy Manager, Advanced Client Authentication, Advanced Routing, APM, Application SecurityManager, ARX, AskF5, ASM, BIG-IP, BIG-IQ, Cloud Extender, CloudFucious, Cloud Manager, ClusteredMultiprocessing, CMP, COHESION, Data Manager, DevCentral, DevCentral [DESIGN], DNS Express,DSC, DSI, Edge Client, Edge Gateway, Edge Portal, ELEVATE, EM, Enterprise Manager, ENGAGE, F5,F5 [DESIGN], F5 Management Pack, F5 Networks, F5 World, Fast Application Proxy, Fast Cache, FirePass,Global Traffic Manager, GTM, GUARDIAN, IBR, Intelligent Browser Referencing, Intelligent Compression,IPv6 Gateway, iApps, iControl, iHealth, iQuery, iRules, iRules OnDemand, iSession, L7 Rate Shaping,LC, Link Controller, Local Traffic Manager, LTM, Message Security Manager, MSM, OneConnect,OpenBloX, OpenBloX [DESIGN], Packet Velocity, Policy Enforcement Manager, PEM, Protocol SecurityManager, PSM, Real Traffic Policy Builder, Rosetta Diameter Gateway, ScaleN, Signaling DeliveryController, SDC, SSL Acceleration, StrongBox, SuperVIP, SYN Check, TCP Express, TDR, TMOS, TrafficManagement Operating System, Traffix Diameter Load Balancer, Traffix Systems, Traffix Systems(DESIGN), Transparent Data Reduction, UNITY, VAULT, VIPRION, vCMP, virtual ClusteredMultiprocessing, WA, WAN Optimization Manager, WebAccelerator, WOM, and ZoneRunner, aretrademarks or service marks of F5 Networks, Inc., in the U.S. and other countries, and may not be usedwithout F5's express written consent.

All other product and company names herein may be trademarks of their respective owners.

Patents

This product may be protected by U.S. Patent 7,114,180; 8,301,837. This list is believed to be current asof November 15, 2012.

This product may be protected by U.S. Patent 6,311,278. This list is believed to be current as of November15, 2012.

This product may be protected by U.S. Patents 6,374,300; 6,473,802; 6,970,733; 7,047,301; 7,707,289.This list is believed to be current as of November 15, 2012.

This product may be protected by U.S. Patents 6,327,242; 6,374,300; 6,473,802; 6,970,733; 7,051,126;7,102,996; 7,197,661; 7,287,084; 7,916,728; 7,916,730; 7,783,781; 7,774,484; 7,975,025; 7,996,886;

8,004,971; 8,010,668; 8,024,483; 8,103,770; 8,103,809; 8,108,554; 8,112,491; 8,150,957. This list is believedto be current as of November 15, 2012.

This product may be protected by U.S. Patents 6,640,240; 6,772,203; 6,970,733. This list is believed to becurrent as of November 15, 2012.

This product may be protected by U.S. Patents 7,126,955; 7,286,476; 7,882,084; 8,121,117. This list isbelieved to be current as of November 15, 2012.

This product may be protected by U.S. Patents 7,877,511; 7,958,347. This list is believed to be current asof November 15, 2012.

Patents

This product may be protected by U.S. Patents 6,374,300; 6,473,802; 6,970,733; 7,197,661; 7,287,084;7,975,025; 7,996,886; 8,004,971; 8,010,668; 8,024,483; 8,103,770; 8,108,554; 8,150,957. This list is believedto be current as of November 15, 2012.

Export Regulation Notice

This product may include cryptographic software. Under the Export Administration Act, the United Statesgovernment may consider it a criminal offense to export this product from the United States.

RF Interference Warning

This is a Class A product. In a domestic environment this product may cause radio interference, in whichcase the user may be required to take adequate measures.

FCC Compliance

This equipment has been tested and found to comply with the limits for a Class A digital device pursuantto Part 15 of FCC rules. These limits are designed to provide reasonable protection against harmfulinterference when the equipment is operated in a commercial environment. This unit generates, uses, andcan radiate radio frequency energy and, if not installed and used in accordance with the instruction manual,may cause harmful interference to radio communications. Operation of this equipment in a residential areais likely to cause harmful interference, in which case the user, at his own expense, will be required to takewhatever measures may be required to correct the interference.

Any modifications to this device, unless expressly approved by the manufacturer, can void the user's authorityto operate this equipment under part 15 of the FCC rules.

Canadian Regulatory Compliance

This Class A digital apparatus complies with Canadian ICES-003.

Standards Compliance

This product conforms to the IEC, European Union, ANSI/UL and Canadian CSA standards applicable toInformation Technology products at the time of manufacture.

6

Legal Notices

Chapter

1

Configuring Single Sign-On with Access Policy Manager

Topics:

• What is Single Sign-On?

What is Single Sign-On?

Access Policy Manager® provides a Single Sign-On (SSO) feature that leverages the credential caching andcredential proxying technology.

Credential caching and proxying is a two-phase security approach that asks users to enter their credentialsonce to access their secured web applications. By leveraging this technology, users request access to thesecured back-end web server. After that occurs, Access Policy Manager creates a user session and collectsthe user identity based on the access policy. When the access policy completes successfully, the user identityis saved (cached) in a session database. Access Policy Manager subsequently reuses the cached identity toseamlessly log the user into the secured web applications, thus providing the user with a single sign-onexperience.

The Single Sign-On (SSO) feature provides the following benefits:

• Eliminates the need to administer and maintain multiple user logins• Eliminates the need for users to enter their credentials multiple times.

8

Configuring Single Sign-On with Access Policy Manager

Chapter

2

Single Sign-On Methods

Topics:

• What are the supported SSO methods?• Creating an HTTP Basic SSO configuration• Creating an HTTP forms-based SSO

configuration• Creating an NTLMV1 SSO configuration• Creating an NTLMV2 SSO configuration

What are the supported SSO methods?

Access Policy Manager® supports the following SSO authentication methods.

DescriptionSSO method

Access Policy Manager uses the cached user identity and sends the request withthe authorization header. This header contains the token Basic and thebase64-encoded for the user name, colon, and the password.

HTTP Basic

Upon detection of the start URL match, Access Policy Manager uses the cacheduser identity to construct and send the HTTP form-based post request on behalfof the user.

HTTP Forms

Upon detection of the request for logon page (URI, header, or cookie that isconfigured for matching the request), Access Policy Manager generates

HTTP Forms - ClientInitiated

JavaScript code, inserts it into the logon page and returns the logon page to theclient, where it is automatically submitted by inserted JavaScript. APM™

processes the submission and uses the cached user identity to construct and sendthe HTTP form-based post request on behalf of the user.

NTLM employs a challenge-response mechanism for authentication, where theusers can prove their identities without sending a password to the server.

HTTP NTLM Auth v1

NTLM employs a challenge-response mechanism for authentication, where theusers can prove their identities without sending a password to the server. Thisversion of NTLM is an updated version from NTLM v1.

HTTP NTLM Auth v2

This provides transparent authentication of users to Windows Web applicationservers (IIS) joined to Active Directory domain. It is used when IIS servers

Kerberos

request Kerberos authentication; this SSO mechanism allows the user to get aKerberos ticket and have Access Policy Manager present it transparently to theIIS application.

A SAML IdP service is a type of single sign-on (SSO) authentication service inAccess Policy Manager that provides SSO authentication for external SAML

SAML

service providers (SPs). You configure a SAML IdP service when you use aBIG-IP system as a SAML identity provider (IdP).

About the Single Sign-On configuration object

Access Policy Manager supports various SSO methods. Each method contains a number of attributes thatyou need to configure properly to support SSO.

Mis-configuring SSO objects for any of these authentication methods (HTTP Basic, NTLM v1 and v2, andKerberos) could disable SSO for all authentication methods for a user's session when the user accesses aresource with the mis-configured object. The exceptions are Forms and Forms - Client Initiated, which arethe only SSO methods that are not disabled when any other method fails due to a mis-configured SSOobject.

10


Creating an HTTP Basic SSO configuration

With the HTTP Basic method of authentication, the SSO plug-in uses the cached user identity and sendsthe request with the authorization header. This header contains the Basic token and the base64-encoding ofthe user name, colon, and the password.

1. On the Main tab, click Access Policy > SSO Configurations > HTTP Basic.The SSO Configurations screen opens for HTTP Basic type.

2. Click Create.The New SSO Configuration screen opens.

3. In the Name field, type a name for the SSO configuration.

4. In the Credentials Source area, specify the credentials that you want cached for Single Sign-On.

5. In the SSO Method Configuration area, specify the relevant settings.

6. Click Finished.

HTTP Basic SSO configuration settingsThese settings are available when you create an HTTP Basic SSO configuration.

General Properties settings for HTTP Basic SSO configuration

Additional InformationValueSetting

Additional settings are available when you selectAdvanced.

Basic or Advanced. Defaultsto Basic.

GeneralProperties

The name must begin with a letter, or underscore, andcontain only letters, numbers, underscores, dashes, and

Name of the SSOconfiguration.

Name

periods. Avoid using global reserved words in thename, such as all, delete, disable, enable, help, list,none, show, or None.

Available when you select Advanced from the GeneralProperties list.

Header name-value pairs tosend with the SSO method.

Headers

Credentials Source settings for HTTP Basic SSO configuration


Supported session variable:session.sso.token.last.username

Specifies the user name to cache for singlesign-on. Defaults to a session variable.

Username Source

Supported session variable:session.sso.token.last.password

Specifies the password to cache for singlesign-on. Defaults to a session variable.

Password Source

11

BIG-IP® Access Policy Manager® Single Sign-On Configuration Guide

SSO configuration settings for HTTP Basic SSO configuration


Select the check box to convert the PREWIN2k/UPN username input format to the format you want to use for SSO.

This check box is clearby default.

UsernameConversion

For example, convert domain\username orusername@domain to username.

Creating an HTTP forms-based SSO configuration

With the HTTP forms method of authentication, upon detection of the start URL match, the SSO plug-inuses the cached user identity to construct and send the HTTP form-based POST request on behalf of theuser.

1. On the Main tab, select Access Policy > SSO Configurations > Forms.The SSO Configurations screen opens for the form-based type.



4. From the Use SSO Template list, select the template you want to use.The screen refreshes to show additional settings applicable to the specific template.


6. If you selected None from the Use SSO Template list, fill in the relevant settings in the SSO MethodConfiguration area.

Otherwise, these settings are taken from the template that you selected.

7. Click Finished.

HTTP Form SSO configuration settingsThese settings are available when you create an HTTP form-based SSO configuration.

General Properties settings for HTTP form-based SSO configuration



Basic or Advanced.Defaults to Basic.

GeneralProperties



Name

periods. Avoid using global reserved words in the name,such as all, delete, disable, enable, help, list, none, show,or None.

If you select None, you must fill in the SSO MethodConfiguration area. Otherwise, the SSO Method

Use SSOTemplate

Configuration area is not available; settings are configuredwith data supplied by the template you select.

12



Available when you select Advanced from the GeneralProperties list.

Header name-value pairsto send with the SSOmethod.

Headers

Credentials Source settings for HTTP form-based SSO configuration




Username Source



Password Source

SSO configuration settings for HTTP form-based SSO configuration


Multiple start URI values in multiple lines can be enteredfor this attribute.

Supported session variable: start_uri

Defines the start URIvalue. HTTP form-basedauthentication executes forSSO if the HTTP request

Start URI

URI matches the start URIvalue.

If you select the Enablecheck box, cookies

Pass Through

presented in the formpropagate to the clientbrowser. Defaults tocleared.

If you specify GET, the SSO authentication method isan HTTP GET request.

Defines the SSOauthentication method :GET or POST. Defaults toPOST.

Form Method

For example,/access/oblix/apps/webgate/bin/webgate.dll.

Defines the form actionURL used for HTTP

Form Action

If left blank, the original request URL is used for SSOauthentication.

Supported session variable: form_action

authentication request forSSO.

For example, the user ID is specified as the attribute valueif the HTTP server expects the user name in the form ofuserid=.

Supported session variable: form_parameter

Defines the parametername of the logon username.

Form ParameterFor User Name

For example, Pass is specified as the attribute value ifthe HTTP server expects the password in the form ofPass.

Defines the name of thelogon password.

Form Parameterfor Password

13



Hidden parameters must be formatted as shown in thisexample:

param1 value1

param2 value2

Defines the hidden formparameters required by theauthentication server logonform at your location.

Hidden FormParameters/Values

Separate each parameter name and value by a space. Eachparameter must start on a new line.

Defines how Access PolicyManager detects whether

Successful LogonDetection MatchType

• None No check is made for authentication success.• By Resulting Redirect URL Authentication success

is checked for by examining the redirect URL fromthe user was successfullyauthenticated by the server.

the HTTP response. Multiple values can be specifiedfor this option.

Defaults to None. You canselect one option.

• By Presence Of Specific Cookie Authenticationsuccess is checked for by searching for the namedcookie in the response.

Supported session variable: success_match_value

Defines the value for thespecific success detection

Successful LogonDetection MatchValue type: the redirect URL or

cookie name.

Creating an NTLMV1 SSO configuration

The NTLM authentication method employs a challenge-response mechanism for authentication, where theusers can prove their identities without sending a password to a server.

1. On the Main tab, click Access Policy > SSO Configurations > NTLMV1.The SSO Configurations screen opens for the NTLMV1 type.


3. Specify all relevant parameters.

4. Click Finished.

NTLMV1 SSO configuration settingsThese configuration settings are available when you configure an NTLMV1 SSO method.

General Properties settings for NTLMV1 SSO configuration



Basic or Advanced. Defaultsto Basic .

GeneralProperties

14





Name


Displayed when you select Advanced from theGeneral Properties list.


Headers

Credentials Source settings for NTLMV1 SSO configuration




Username Source



Password Source

Supported session variable:session.logon.last.domain

Specifies the domain to cache for singlesign-on. Defaults to a session variable.

Domain Source

SSO configuration settings for NTLMV1 SSO configuration


Select the check box to convert thePREWIN2k/UPN user name input format to the

Check box is cleared by default.UsernameConversion

format you want to use for SSO. For example,convert domain\username orusername@domain to username.


Specifies the location of the domainwhere all users and groups areauthenticated. Defaults to a sessionvariable.

NTLM Domain

Creating an NTLMV2 SSO configuration

With this method of authentication, NTLM employs a challenge-response mechanism for authentication,where the users can prove their identities without sending a password to a server. This version of NTLMhas been updated from version 1.

1. On the Main tab, click Access Policy > SSO Configurations > NTLMV2.The SSO Configurations screen opens for the NTLMV2 type.




5. In the SSO Method Configuration area, specify the relevant settings.

15


6. Click Finished.

NTLMV2 SSO configuration settingsThese configuration settings are available when you configure an NTLMV2 SSO method.

General Properties settings for NTLMV2 SSO configuration




GeneralProperties



Name


Displayed when you select Advanced from theGeneral Properties list.


Headers

Credentials Source settings for NTLMV2 SSO configuration




Username Source



Password Source


Specifies the domain to cache for singlesign-on. Defaults to a session variable.

Domain Source

SSO configuration settings for NTLMV2 SSO configuration


Select the check box to convert thePREWIN2k/UPN user name input format to the

Check box is cleared by default.UsernameConversion

format you want to use for SSO. For example,convert domain\username orusername@domain to username.


Specifies the location of the domainwhere all users and groups areauthenticated. Defaults to a sessionvariable.

NTLM Domain

16


Chapter

3

Form-Based Client-Initiated Single Sign-On Method

Topics:

• About form-based client-initiated SSOauthentication

• Configuring form-based client-initiated SSO• Form-based client-initiated SSO

configuration examples

About form-based client-initiated SSO authentication

With the HTTP form-based client-initiated method of authentication, when Access Policy Manager® detectsthe request for a logon page (URI, header, or cookie that is configured for matching the request), APM™

generates JavaScript code, inserts it into the logon page, and returns the logon page to the client, where itis automatically submitted by the inserted JavaScript. APM processes the submission and uses the cacheduser identity to construct and send the HTTP form-based post request on behalf of the user.

Basic configuration of form-based client-initiated SSO

To create a form-based client-initiated SSO configuration object, you must configure at least one form andinclude at least one form parameter. A form parameter represents an input element on an HTML logonform, such as a form field for entering a user name or password, or, optionally, for entering a hidden formparameter.

Form-based client-initiated SSO configuration supports three sets of matching criteria that you can define.

• Form Detection (Required) Configures the SSO module to detect the HTTP request for the logon pageby matching the HTTP URI, header, or cookie that you specify, and supports entry of multiple URIs.Requires data that is specific to the application. Form detection is successful when the request matchesone of the configured items either partially or fully, depending on whether Request Prefix is enabled inAdvanced Properties .

• Form Identification (Optional) Specifies how to detect the form within the HTTP body of the logonpage. The default is form parameters, which enables identification of the logon form parameter fieldsbased on the values entered for the form parameters in the General Properties. Alternatively, you canspecify that the form be identified using other data present in the form, such as the ID, name, or actionattributes, or the form order.

• Logon Detection (Optional) Configures the SSO module to detect whether logon was successful bychecking for the presence of a cookie or a redirect URI. The default is None (logon detection is notperformed).

The majority of web applications have a single logon page with one logon form. You need to define a singleform for these applications. In less usual cases when an application has multiple logon pages with differentlogon forms, you need to create multiple forms, one for each logon page. If multiple logon pages use thesame form, you need only one form with a list of URIs for all logon pages.

How does form-based client-initiated SSO authentication work by default?

This figure illustrates the default behavior of the form-based client-initiated SSO authentication method.

18


Figure 1: Form-based client-initiated SSO default behavior

1. The user logs on to Access Policy Manager® and APM™ runs the access policy. This populates thesession variables with the user credentials.

2. The user requests the application logon page. This GET request is passed to the application web server,verbatim.

3. The application web server replies with 200 OK and serves the logon page.4. APM generates JavaScript and inserts it into the logon page before returning it to the user. The JavaScript

assigns values to form parameters, as specified in the form configuration. The password parameter isassigned a password token rather than the actual user password.

5. The JavaScript runs on the client side. The logon page is not displayed to the user; user input is lockedout. Without delay, the form is submitted using POST. The form parameters and their values, includinguser name and password token, are sent to APM.

6. APM then replaces the password token with the actual user password, as well as other form parametersspecified in the form configuration with their configured values.

7. The POST, along with the real user credentials from step 1, is sent to the web server.8. The application start page is served by the webserver, and sent to the client, verbatim. Optionally, APM

performs detection of successful logon by examining HTTP response headers, looking for a cookie orredirect Location URI.

About advanced configuration options for form-based client-initiated SSO authentication

You can change some aspects of the form-based client-initiated SSO default behavior by configuring optionalproperties.

19


• You can change the default properties for form request and form submittal using advanced properties.• You can change the automatically generated JavaScript code that is inserted into the logon page in one

of three ways using the JavaScript Insertion options. You can replace it completely with custom codeor add extra code to it by specifying the application JavaScript functions to call prior to submitting alogon form.

• You can configure the SSO module to automatically detect the application HTTP request that submitsuser credentials using Form Submit Detection. If you disable automatic detection, the SSO moduleinstead detects form submittal by using an HTTP header, cookie, or HTTP URIs that you specify.

Configuring form-based client-initiated SSO

You can use the form-based client-initiated SSO method to create form-based SSO configurations. Forexample, you can use this SSO method to support web applications that run JavaScript in the browser andneed to maintain application state during the login process. You can also use it to support web applicationsthat present multiple login screens.

1. On the Main tab, click Access Policy > SSO Configurations > Forms - Client Initiated.The Forms - Client Initiated screen for SSO configurations opens.

2. Click Create.A screen, Create New Forms-Client Initiated Configuration, opens.

3. In the SSO Configuration Name field, type a name.

4. Select Form Settings from the left pane.Fields in SSO Configuration displays in the right pane.

5. Click Create.

The Create button is not active until you complete they General Settings by typing a name for the SSOconfiguration.

Note: You must create at least one form to complete the SSO configuration.

The Create New Form Definition screen opens.

6. Type a name in the Form Name field.

7. Select Form Parameters from the left pane.Form Parameters displays in the right pane.

8. For each form parameter that you want to create, repeat these steps:

a) Click Create.The Create New Form Parameter screen opens.

b) In the Form Parameter Name field, type or select a name.c) In the Form Parameter Value field, type or select a value.d) Click OK.

The screen closes, showing the Create New Form Definition window, which displays the new formparameter.

9. Click Form Detection from the left pane.The right pane displays required fields.

10. From the Detect Form by list, select an option and type required data.

• URI Type a URI in the Request URI field.• Cookie Type a name in the Cookie Name field.

20


• Header Type a name in the Header Name field.

The OK button is available.

11. Click OK.

You can create another form next or you can save the configuration.

The new form is created. Its name displays on the Create New Forms-Client Initiated Configurationscreen.

12. Click OK.The screen closes, displaying the Forms - Client Initiated screen for SSO Configurations.

The new form-based client-initiated SSO configuration is available for use.

Forms-based client-initiated SSO configuration settingsThese settings are available when you create a form-based client-initiated SSO configuration.

General settings

DescriptionSetting

Specifies the name of the configuration. It must be unique.SSO Configuration Name

Specifies a description. Optional.SSO Description

Specifies at what level of details the system logs. Valid values arelisted. Defaults to Notice.

Log Level

Form settings

Table 1: General Properties

DescriptionSetting

Specifies the name of the form. It can be any name and need not matchthe actual name of the HTML form.

Form Name

Specifies an optional description of the form.Form Description

Table 2: Form Parameter Properties

DescriptionSetting

Specifies the name of a form parameter.Form Parameter Name

Specifies the value of the form parameter. This is usually the name ofa session variable. The value could also be a literal string or acombination of strings and session variable names.

Form Parameter Value

Note: If the session variable is not found when the SSO requestis processed, the value of the corresponding POST parameterwill be empty.

Specifies whether the parameter is secure. Defaults to No.Secure

21


Table 3: Form Detection

DescriptionSetting

Specifies which element of the HTTP request headers is used to identifythe application request for logon page: Cookie, Header, or URI.Defaults to URI.

Detect Form by

Specifies that the system identifies the form by the presence (default)or absence (configurable with Advanced Properties) of this cookie.

Cookie

Specifies that the system identifies the form by the presence (default)or absence (configurable with Advanced Properties) of a header.

Header

Specifies that the system identifies the form by a successful match(default) or failed match (configurable with Advanced Properties)against one or multiple URIs.

URI

Table 4: Form Identification

DescriptionSetting

Specifies how the HTML logon form is found in the HTML body ofthe logon page. If there is more than one form on the logon pagematching the criteria, the first match is used. Options are:

Identify Form by

• ID Attribute-Specifies that a form ID is used to find the form.• Name Attribute-Specifies that• Action Attribute-Specifies that• Form Order-Specifies that• Form Parameters (default)--Specifies that the form parameters,

which have already been defined, are used to find the form. Thereis nothing more to configure.

Specifies the form ID that is used to identify the form.Form ID

Specifies the specific form name.Form Name

Specifies the value of the action attribute.Form Action

Specifies the relative order of the form on the logon page (startingfrom 1).

Form Order

Table 5: Logon Detection

DescriptionSetting

Specifies whether and how to detect a successful logon. Options are:Detect Login by

• Presence of Cookie• Redirect URI• None (default)

Specifies the cookie name that identifies successful logon.Cookie Name

Specifies the redirect URI that identifies successful logon.Redirect URI

22


Table 6: Advanced Settings - Form Request

DescriptionSetting

Specifies whether the request method is GET or POST. Defaults toGET.

Request Method

When selected, specifies that the system detects the form that fails tomatch the criteria specified for Form Detection. The system then detects

Request Negative

the form by the absence of the specific cookie or header, or by itsfailure to match the URIs. The default is cleared.

When selected, specifies that the system matches on a partial string.If this option is not selected, the match must be verbatim. The defaultis selected.

Request Prefix

Table 7: Advanced Settings - Submit Request

DescriptionSetting

When selected, specifies that the system detects the form that fails tomatch the criteria specified for Form Detection. The system then detects

Submit Request Negative

the form by the absence of the specific cookie or header or by its failureto match the URIs. The default is cleared.

When selected, specifies that the system matches on a partial string.If this option is not selected, the match must be verbatim. The defaultis selected.

Submit Request Prefix

Table 8: JavaScript Injection

DescriptionSetting

Specifies whether to use the default JavaScript that APM™ creates.Defaults to Auto.

Injection Method

• Auto• Extra• Custom

Specifies more JavaScript to run at the end of the automaticallygenerated JavaScript.

Extra Javascript

Note: Review the logon page source to determine whetherany JavaScript functions are called on submit.

Specifies JavaScript to run in place of the automatically generatedJavaScript.

Custom Javascript

Table 9: Submit Detection

DescriptionSetting

Defaults to No.Disable Auto detect submit

23


DescriptionSetting

Available when Disable Auto detect submit is set to Yes. Specifieshow to detect submit. Options are:

Scheme

• URI• Cookie• Header

Header Settings

DescriptionSetting

NameHeader Name

ValueHeader Value

Form-based client-initiated SSO configuration examples

Using the examples provided for various applications, you can quickly create form-based client-initiatedSSO configurations.

DWA form-based client-initiated SSO exampleThis example lists settings and values for creating a form-based client-initiated SSO configuration forDomino Web Access (DWA).

Sample valueSetting

ssov2-dwaSSO Configuration Name

testformForm Name

• Username• Form Parameter Name• •Form Parameter Value %{session.sso.token.last.username}

•• No (Default)Secure

• Password• Form Parameter Name• •Form Parameter Value %{session.sso.token.last.password}

•• YesSecure

URIDetect Form by

/Request URI

Name AttributeIdentify Form by

STLogonFormForm Name

Presence of CookieDetect Logon by

DomAuthSessIdCookie Name

24


Sample valueSetting

Not selectedRequest Prefix

Bugzilla form-based client-initiated SSO exampleThis example lists settings and values for creating a form-based client-initiated SSO configuration forBugzilla.

Sample valueSetting

ssov2-bugzillaSSO Configuration Name

tformForm Name

• Bugzilla_login• Form Parameter Name• •Form Parameter Value %{session.sso.token.last.username}


• Bugzilla_password• Form Parameter Name• •Form Parameter Value %{session.sso.token.last.password}

•• YesSecure

URIDetect Form by

/Request URI

ID AttributeIdentify Form by

mini_login_topForm ID


Bugzilla_logincookieCookie Name


Ceridian form-based client-initiated SSO exampleThis example lists settings and values for creating a form-based client-initiated SSO configuration forCeridian.

Settings to configure form-based client-initiated SSO for Ceridian

Sample valueSetting

ssov2_ceridianSSO Configuration Name

sourcetimepro1.ceridian.comSSO Description

auth_formForm Name

• ClientIDInput• Form Parameter Name• Form Parameter Value • %{session.logon.last.clientid}

• Secure • No (Default)

25


Sample valueSetting

• SerialNumberInput• Form Parameter Name• Form Parameter Value • %{session.sso.token.last.username}


• PasswordInput• Form Parameter Name• Form Parameter Value • %{session.sso.custom.last.password}


URIDetect Form by

/Request URI

/sta.asp

/ctagw/

/ctagw/sta.asp

Form ParametersIdentify Form by

Redirect URIDetect Logon by

https://sourcetimepro1.ceridian.com/CTA660/cta.asp?RequestID=*Redirect URI


CustomInjection Method

See sample code that follows.Custom Javascript

YesDisable Auto detect submit

URIScheme

/sta.aspURI

/ctagw/sta.asp

Custom JavaScript

<script>function checkInternetExplorerVersion()// Returns 'true' if the version of Internet Explorer > 8{ var r = -1; // Return value assumes agreement. if (navigator.appName == 'Microsoft Internet Explorer') { var ua = navigator.userAgent; var re = new RegExp("MSIE ([0-8]{1,}[\.0-9]{0,})"); if (re.exec(ua) != null) r = parseFloat( RegExp.$1 ); } return ( r==-1 ) ? true : false;}if (checkInternetExplorerVersion()) { document.body.style.visibility='hidden';

26


document.body.style.display='none';}document.body.onkeydown=function(e){return false;};function __f5submit() {var __f5form = document.forms[0];__f5form.SerialNumberInput.value='%{session.sso.token.last.username}';__f5form.PasswordInput.value='%{session.sso.custom.last.password}';__f5form.ClientIDInput.value='%{session.logon.last.clientid}';f_submit();}if (window.addEventListener) { window.addEventListener('load',__f5submit,false);} else if (window.attachEvent) { window.attachEvent('onload',__f5submit);} else { window.onload=__f5submit;}</script>

Logon Page customization in access policy

Logon Page Agent (field 3):

• Type: text• Post Variable Name: clientid• Session Variable Name: clientid

Logon Page Input Field #3: Company ID

Variable Assign definition in access policy

session.sso.custom.last.password = expr { [mcget -secure {session.sso.token.last.password}] }

Citrix 4.5 and 5 form-based client-initiated SSO exampleThis example lists settings and values for creating a form-based client-initiated SSO configuration for Citrix®

versions 4.5 and 5.

Sample valueSetting

sso_fbv2SSO Configuration Name

testformForm Name

• domain• Form Parameter Name• •Form Parameter Value %{session.logon.last.domain}


• user• Form Parameter Name• •Form Parameter Value %{session.sso.token.last.username}


• password• Form Parameter Name• •Form Parameter Value %{session.sso.token.last.password}

27


Sample valueSetting

• Yes• Secure

URIDetect Form by

/Citrix/AccessPlatform/auth/login.aspxRequest URI

/Citrix/XenApp/auth/login.aspx

Action AttributeIdentify Form by

login.aspxForm Action


*/Citrix/XenApp/site/default.aspxRedirect URI

*/Citrix/AccessPlatform/site/default.aspx

Devcentral form-based client-initiated SSO exampleThis example lists settings and values for creating a form-based client-initiated SSO configuration forDevcentral.

Settings to configure form-based client-initiated SSO for Devcentral

Table 10: Devcentral Configuration Example

Sample valueSetting

ssov2_devcentralSSO Configuration Name

devcentral.f5.comSSO Description

auth_formForm Name

• dnn$ctr1093548$Login$Login_DNN$cmdLogin• Form Parameter Name• Form Parameter Value • Login


• dnn$ctr1093548$Login$Login_DNN$txtUsername• Form Parameter Name• Form Parameter Value • %{session.sso.token.last.username}


• dnn$ctr1093548$Login$Login_DNN$txtPassword• Form Parameter Name• Form Parameter Value • %{session.sso.token.last.password}

• Secure • Yes

URIDetect Form by

/Community/Login/tabid/1082224/Default.aspxRequest URI

28


Sample valueSetting

/tabid/1082224/Default.aspx


CookieDetect Logon by

authenticationCookie Name

ExtraInjection Method

See sample code that follows.Extra Javascript

Extra Javascript

WebForm_DoPostBackWithOptions(new WebForm_PostBackOptions("dnn$ctr1093548$Login$Login_DNN$cmdLogin", "", true, "", "", false, false));__f5form.enctype = 'application/x-www-form-urlencoded';__f5form.encoding = 'application/x-www-form-urlencoded';

Google form-based client-initiated SSO exampleThis example lists settings and values for creating a form-based client-initiated SSO configuration forGoogle.

Sample valueSetting

ssov2_googleSSO Configuration Name

accounts.google.comDescription

form_authForm Name

• Email• Form Parameter Name• Form Parameter Value • %{session.sso.token.last.username}


• Passwd• Form Parameter Name• Form Parameter Value • %{session.sso.token.last.password}

• Secure • Yes

URIDetect Form by

/ServiceLoginRequest URI



SIDCookie Name

Note: For Internet Explorer 7 (and 8), disable the advanced setting Display a notification aboutevery script error.

29


Oracle Application Server form-based client-initiated SSO exampleThis example lists settings and values for creating a form-based client-initiated SSO configuration for Oracle10g Release 2 (10.1.2).

Sample valueSetting

ssov2_oracleSSO Configuration Name

tformForm Name

• ssousername• Form Parameter Name• •Form Parameter Value %{session.sso.token.last.username}



•• YesSecure

URIDetect Form by

/sso/pages/login.jsp?site2pstoretoken=v1.2Request URI



SSO_IDCookie Name

OWA 2010 and 2007 form-based client-initiated SSO exampleThis example lists settings and values for creating a form-based client-initiated SSO configuration forOutlook Web App (OWA) 2010 and OWA 2007.

Table 11: OWA 2010 and OWA 2007 Configuration Example

Sample valueSetting

ssov2-owaSSO Configuration Name

tformForm Name

• username• Form Parameter Name• •Form Parameter Value %{session.sso.token.last.username}



•• YesSecure

URIDetect Form by

/owa/auth/logon.aspx?replaceCurrent=1&url=Request URI

30


Sample valueSetting

/owa/auth/logon.aspx?url=



sessionidCookie Name

ExtraInjection Method

clkLgn()Extra Javascript

OWA 2003 form-based client-initiated SSO exampleThis example lists settings and values for creating a form-based client-initiated SSO configuration forOutlook Web App (OWA) 2003.

Sample valueSetting

ssov2-owa2003SSO Configuration Name

tform2003Form Name




•• YesSecure

URIDetect Form by

/exchweb/bin/auth/owalogon.asp?url=https://ata.bldg12.grpy.company.com/exchange/&reason=0Request URI



sessionidCookie Name

Perforce form-based client-initiated SSO exampleThis example lists settings and values for creating a form-based client-initiated SSO configuration forPerforce.

Sample valueSetting

perforce-ssoSSO Configuration Name

p4Form Name

• u• Form Parameter Name• •Form Parameter Value %{session.sso.token.last.username}

31


Sample valueSetting

• No (Default)• Secure

• p• Form Parameter Name• •Form Parameter Value %{session.sso.token.last.password}

•• YesSecure

URIDetect Form by

/p4webRequest URI



P4W8080Cookie Name


Reviewboard form-based client-initiated SSO exampleThis example lists settings and values for creating a form-based client-initiated SSO configuration forReviewboard.

Sample valueSetting

reviewboard-ssoSSO Configuration Name

rb_logonForm Name




•• YesSecure

URIDetect Form by

/account/loginRequest URI



*/dashboardRedirect URI


SAP form-based client-initiated SSO exampleThis example lists settings and values for creating a form-based client-initiated SSO configuration for SAP.

32


Sample valueSetting

ssov2_sapSSO Configuration Name

tformForm Name

• j_user• Form Parameter Name• •Form Parameter Value %{session.sso.token.last.username}


• j_password• Form Parameter Name• •Form Parameter Value %{session.sso.token.last.password}

•• YesSecure

• uidPasswordLogon• Form Parameter Name• •Form Parameter Value Log On


URIDetect Form by

/irj/portalRequest URI



MYSAPSSOV2Cookie Name


Salesforce form-based client-initiated SSO exampleThis example lists settings and values for creating a form-based client-initiated SSO configuration forSalesforce.

Sample valueSetting

ssov2_salesforceSSO Configuration Name

auth_formForm Name

• username• Form Parameter Name• Form Parameter Value • %{session.sso.token.last.username}


• pw• Form Parameter Name• Form Parameter Value • %{session.sso.token.last.password}

• Secure • Yes

URIDetect Form by

/Request URI


33


Sample valueSetting


instCookie Name


See sample code that follows.Custom Javascript

Custom Javascript

<script> function checkInternetExplorerVersion() // Returns 'true' if the version of Internet Explorer > 8 { var r = -1; // Return value assumes agreement. if (navigator.appName == 'Microsoft Internet Explorer') { var ua = navigator.userAgent; var re = new RegExp("MSIE ([0-8]{1,}[\.0-9]{0,})"); if (re.exec(ua) != null) r = parseFloat( RegExp.$1 ); } return ( r==-1 ) ? true : false; } if (checkInternetExplorerVersion()) { document.body.style.visibility='hidden'; document.body.style.display='none'; } document.body.onkeydown=function(e){return false;}; function __f5submit() { var __f5form = document.forms[0]; __f5form.username.value='%{session.sso.token.last.username}'; __f5form.password.value='f5-sso-token'; ; var __f5action = __f5form.action; var __f5qsep = (__f5action.indexOf('?') == -1) ? '?' : '&'; __f5form.action = __f5action + __f5qsep + 'f5-sso-form=auth_form';

__f5form.Login.click(); } if (window.addEventListener) { window.addEventListener('load',__f5submit,false); } else if (window.attachEvent) { window.attachEvent('onload',__f5submit); } else { window.onload=__f5submit; } </script>

Sharepoint 2010 form-based client-initiated SSO exampleThis example lists settings and values for creating a form-based client-initiated SSO configuration forSharepoint.

Sample valueSetting

ssov2_shp2010SSO Configuration Name

34


Sample valueSetting

form_authForm Name

• ctl00$PlaceHolderMain$signInControl$UserName• Form Parameter Name• •Form Parameter Value %{session.sso.token.last.username}


• ctl00$PlaceHolderMain$signInControl$password• Form Parameter Name• •Form Parameter Value %{session.sso.token.last.password}

•• YesSecure

• ctl00$PlaceHolderMain$signInControl$login• Form Parameter Name• •Form Parameter Value Sign In

•• YesSecure

URIDetect Form by

/_forms/default.aspx?ReturnUrl=Request URI



FedAuthCookie Name

Weblogin form-based client-initiated SSO exampleThis example lists settings and values for creating a form-based client-initiated SSO configuration forWeblogin.

Sample valueSetting

ssov2-webloginSSO Configuration Name

tformForm Name

• user• Form Parameter Name• •Form Parameter Value %{session.sso.token.last.username}


• pass• Form Parameter Name• •Form Parameter Value %{session.sso.token.last.password}

•• YesSecure

• submit_form• Form Parameter Name• •Form Parameter Value Submit


URIDetect Form by

/sso/login.php?redir=Request URI

35


Sample valueSetting

Name AttributeIdentify Form by

theFormForm Name


issosessionCookie Name

Yahoo form-based client-initiated SSO exampleThis example lists settings and values for creating a form-based client-initiated SSO configuration forYahoo.

Sample valueSetting

sso_yahooSSO Configuration Name

login.yahoo.comSSO Description

form_loginForm Name

• login• Form Parameter Name• Form Parameter Value • %{session.sso.token.last.username}


URIDetect Form by

/Request URI

ID AttributeIdentify Form by

login_formForm ID


PHCookie Name


See example custom Javascript that follows.Custom Javascript

SelectedDisable Auto detect submit

/config/loginJavascript

Custom Javascript

<script> //Logon page will not be hidden in IE7/8. //This is workaround for the problem with JS method .focus() //"Can't move focus to the control because it is invisible, not enabled, or of a type that does not accept the focus."function checkInternetExplorerVersion()// Returns 'true' if the version of Internet Explorer > 8{ var r = -1; // Return value assumes agreement. if (navigator.appName == 'Microsoft Internet Explorer') { var ua = navigator.userAgent; var re = new RegExp("MSIE ([0-8]{1,}[\.0-9]{0,})");

36


if (re.exec(ua) != null) r = parseFloat( RegExp.$1 ); } return ( r==-1 ) ? true : false;}if (checkInternetExplorerVersion()) { document.body.style.visibility='hidden'; var inter = setInterval(function () { var err = document.getElementsByClassName('yregertxt')[0]; var wcl = document.getElementById('captcha_c'); if (err) { document.body.style.visibility = 'visible'; clearInterval(inter); } if (wcl) { if ( wcl.style.visibility == 'hidden') { document.body.style.visibility = 'visible'; clearInterval(inter); } } }, 1000);};function __f5submit() {var adv = document.getElementById('adFrame');if (adv) adv.style.visibility='hidden';var __f5form = document.forms[0];if (__f5form.login) __f5form.login.value='%{session.sso.token.last.username}';__f5form.passwd.value='%{session.sso.custom.last.password}';__f5form[".save"].click();}if (window.addEventListener) { window.addEventListener('load',__f5submit,false);} else if (window.attachEvent) { window.attachEvent('onload',__f5submit);} else { window.onload=__f5submit;}</script>

Variable Assign definition used in access policy

session.sso.custom.last.password = expr { [mcget -secure {session.sso.token.last.password}] }

37


38


Chapter

4

Kerberos Single Sign-On Method

Topics:

• About Kerberos SSO• How does Kerberos SSO work in Access

Policy Manager?• Task summary for configuring Kerberos SSO• Kerberos SSO configuration settings• Kerberos SSO session variable list• Tips for successfully deploying Kerberos

SSO

About Kerberos SSO

Access Policy Manager® provides seamless authentication to application servers (web servers) using KerberosSSO. It is the only SSO method that can be used when authentication methods used by the access policydo not provide the user's password in clear text. Examples of such methods include client certificateauthentication, NTLM authentication, or any other challenge/response authentication method where thepassword is not transmitted in clear text. To use Kerberos SSO, you must have Kerberos implemented inyour environment, such as using Active Directory domain with IIS servers configured for Integrated Windowsauthentication.

How does Kerberos SSO work in Access Policy Manager?

You can leverage Kerberos SSO in the following ways:

• Using a virtual server with an access policy associated with it.• Handling the SSO event through the use of Portal Access Resource. In this scenario, the Portal Access

resource is assigned to the Access Policy and the virtual server attaches a rewrite profile.

Here is a typical scenario showing what occurs when Kerberos SSO is used if client certificate authenticationis present:

1. When a user connects to the virtual server, Access Policy Manager validates the credentials and extractsthe UPN from the certificate through the access policy.

2. When the client accesses an application that requires a Kerberos ticket, the UPN and the configuredKerberos SSO object are used to retrieve the ticket from Active Directory. The ticket is then cached forthe particular client and presented to the application for access.

Attention: Under other circumstances, the access policy may not ask for credentials within thecertificate, because, for example, a logon page may be present. In such a case, the user namesupplied by the client is used at the UPN. Other factors, such as the use of other types ofauthentication methods, must be present in order to ensure that the credentials are valid in orderto retrieve the Kerberos ticket.

Figure 2: Example access policy for Kerberos SSO

40


Task summary for configuring Kerberos SSO

Access Policy Manager lets you configure for Kerberos SSO.

To set up this configuration, follow the procedures in the task list.

Task List

Setting up a delegation account to support Kerberos SSO

Creating a Kerberos SSO configuration in APM

Editing an access policy to support Kerberos SSO

Binding a Kerberos SSO object to an access profile

Attaching an access profile to a virtual server for Kerberos SSO

Setting up a delegation account to support Kerberos SSO

Before you can configure Kerberos SSO in Access Policy Manager®, you must create a delegation accountin Active Directory. Note that for every server realm, you must create a delegation account in that realm.

1. Open the Active Directory Users and Computers administrative tool and create a new user account.

The account name must be in this format, host/name.domain, where host is a literal string, name isany arbitrary name, and domain is the DNS FQDN for that realm.

Here is an example, host/apm.example.com.

2. Click Next.

3. On the next screen, type in a password and click Finish.

4. Edit the delegation account by running the adsiedit.msc administrative tool. To run this tool, typein the name of the tool at the Run command.

5. Navigate to the domain user accounts, and locate the delegation account you created.

6. Right-click the account and select Properties.The Active Directory properties for this account display.

7. Locate servicePrincipalName and select it.

8. Click Edit and type in the SPN value.

This value should be identical to what you provided in the user account field. For example,host/apm.example.com. Click OK.

9. Return to the Active Directory Users and Computers screen to open your account again. This time, thereshould be a Delegation tab present.

10. Select Trust this user for delegation to specified services only.

11. Select Use any authentication protocol, and add all your services to the list under Services to whichthis account can present delegated credentials.

Every service should have Service Type HTTP (or http) and host name of the pool member or webapplication resource host that you will use in your configuration.

12. Click OK.This creates the new delegation account.

41


Creating a Kerberos SSO configuration in APM

Before you create a Kerberos SSO configuration in Access Policy Manager®, create a delegation accountin Active Directory.

To support Kerberos single sign-on authentication from APM™, you must create a Kerberos SSOconfiguration.

1. On the Main tab, click Access Policy > SSO Configurations > Kerberos.The SSO Configurations screen opens for Kerberos type.




5. In the Kerberos Realm field, type the name of the realm in uppercase.

For example, MY.HOST.LAB.MYNET.COM

6. In the Account Name field, type the name of the Active Directory account configured for delegation.

7. In the Account Password and Confirm Account Password fields, type the delegation account password.

Editing an access policy to support Kerberos SSO

After you create an access profile to support Kerberos SSO, you must edit the policy and add the appropriateagents.

1. On the Main tab, click Access Policy > Access Profiles.The Access Profiles List screen opens.

2. From the list, select an access profile to which you want to add Kerberos SSO support.The properties screen for that access profile opens.

3. Click Edit Access Policy for Profile profile_name.The visual policy editor opens the access policy in a separate screen.

4. Click the (+) sign anywhere in the access policy to add a new action item.An Add Item screen opens, listing Predefined Actions that are grouped by General Purpose,Authentication, and so on.

5. On an access policy branch, click the plus symbol (+) to add an item to the access policy.

6. From Authentication, select Client Cert Inspection, and click Add item.A properties window opens.

7. Click SaveThe properties screen closes and the visual policy editor is displayed.


9. On an access policy branch, click the plus symbol (+) to add an item to the access policy.

10. From General Purpose, select Variable Assign and click Add item.A properties window opens.

11. Click SaveThe properties screen closes and the visual policy editor is displayed.

You have created an access policy to support Kerberos SSO.

42


The next step is to bind the SSO object to the access profile.

Binding a Kerberos SSO object to an access profile

Before beginning this task, configure an SSO object with Kerberos authentication or ensure that such anSSO object exists.

To bind a Kerberos SSO object to an access profile, add an SSO configuration (Kerberos SSO object ) toit.


2. From the list, select an access profile to which you want to add Kerberos SSO support.The properties screen for that access profile opens.

3. Click the SSO Auth/Domains tab.

4. From the SSO Configuration list, select an SSO configuration with Kerberos authentication that youpreviously identified or configured.

5. Click Update.

Attaching an access profile to a virtual server for Kerberos SSO

1. On the Main tab, click Local Traffic > Virtual Servers.The Virtual Server List screen opens.

2. Click the Create button.The New Virtual Server screen opens.

3. In the Name field, type a unique name for the virtual server.

4. For the Destination setting, in the Address field, type the IP address you want to use for the virtualserver.

The IP address you type must be available and not in the loopback network.

5. In the Service Port field, type a port number or select a service name from the Service Port list.

6. In the Access Policy area, from the Access Profile list, select the access profile that you configured forKerberos SSO.

7. Click Finished.

Kerberos SSO configuration settingsThese settings are available when you configure a Kerberos SSO method.

General Properties settings for Kerberos SSO configuration




GeneralProperties



Name

43




Displayed when you select Advanced in the GeneralProperties list.


Headers

Credentials Source settings for Kerberos SSO configuration



Specifies the user name to cache forsingle sign-on. Defaults to a sessionvariable.

UsernameSource

If this field is left empty or the variable doesnot exist or has no value, the user is assumed

Displays the session variable, ifconfigured, that specifies the realm for

User RealmSource

to be in the same Kerberos realm as theserver.


the user. If the variable is set, it mustcontain the Kerberos realm for the user.

SSO configuration settings for Kerberos SSO configuration


If servers are located in multiple realms, you must create aseparate SSO configuration for each realm. Realm must be

Specifies the realm ofapplication servers, such as

KerberosRealm

specified in uppercase letters or can be specified using thesession.logon.last.domain session variable.

pool members or portalaccess resource hosts.

Note: The KeepAlive setting on your backendwebserver must be enabled for Kerberosauthentication to work properly.

Specifies the IP Address orthe host name of the

KDCNote: KDC must be empty when the user realm isdifferent from the server realm and in the case ofmulti-domain realms.

Kerberos Key DistributionCenter (KDC) (normally anActive Directory domaincontroller) for the serverrealm.

If KDC is empty, the KDC must be discoverable throughDNS. For example, the BIG-IP system must be able to fetchSRV records for the server realm's domain, where the domainname is the same as the realm name. If the domain name isdifferent from the realm name, it must be specified in the/etc/krb5.conf file.

Kerberos SSO processing is fastest when KDC is specifiedby its IP address, slower when specified by host name, and,due to additional DNS queries, even slower when empty.

44



This account must be configured in the Kerberos realm (ADDomain) of the server.

Specify the name of theActive Directory accountconfigured for delegation.

AccountName

Note: If servers are from multiple realms, each realm(AD Domain) must have its own delegation account.

Specifies the password forthe delegation account

AccountPassword

specified in the AccountName field.

Verifies the passwordspecified in the AccountPassword field.

ConfirmAccountPassword

Leave this field empty unless you need non-standard SPNformat. For example, HTTP/%s@REALM, where %s is

An optional field formodifying how the Service

SPN Pattern

replaced by the server host name discovered through reversePrincipal Name (SPN) forthe servers is constructed. DNS lookup using the server IP address. When entering a

string, replace REALM with an actual realm name (asspecified in Kerberos Realm setting).

Should not be set higher than the value configured for theActive Directory delegation account (which defaults to 600).

Represents the maximumticket lifetime in minutes.Defaults to 600. Minimumis 10.

TicketLifetime

Note: The actual lifetime can be less than theconfigured value by up to 1 hour because the user'sticket lifetime is the same as the Kerberos TicketGranting Ticket (TGT) ticket lifetime.

The TGT for the delegation account specified in thisconfiguration is obtained. A new TGT is fetched every timethe latest TGT is older than one hour, but only when an SSOrequest is processed.

The Kerberos ticket is submitted in the HTTP Authorizationheader. The header value starts with the word Negotiate,

Specifies when to submit theKerberos ticket to

SendAuthorization

followed by one space and a base64 encoded GSSIAPI tokenapplication servers: Alwaysthat contains the Kerberos ticket. If the request contains anor On 401 Status Code.

Defaults to Always. Authorization header from the client browser, it is deleted.The options are defined here.

• Always The Authorization header with a Kerberos ticketis inserted into every HTTP request whether or not itrequires authentication; in other words, it is insertedpreemptively. The Kerberos ticket GSSAPI representationuses KRB5 Kerberos 5 mechanism displays (OID1.2.840.113554.1.2.2).

Selecting Always results in the additional overhead ofgenerating a Kerberos token for every request. Kerberostickets are fetched for first request only for the user andthen cached for up to the configured ticket lifetime, sothat subsequent requests involve local processing only.

45



• On 401 Status Code The BIG-IP system forwards theuser's HTTP request to the web server first withoutinserting a new Authorization header; (any Authorizationheader from a browser is also deleted). If the serverrequests authentication by responding with a 401 statuscode, the BIG-IP system retries the request with theAuthorization header. The Kerberos ticket GSSAPIrepresentation uses the SPNEGO mechanism displays(OID 1.3.6.1.5.5.2).

Selecting On 401 Status Code results in an additionalBIG-IP system and server request round trip whenauthentication is required for the request.

When the check box is selected, the PREWIN2k/UPN username input format is converted to the format you want to use

Check box is cleared bydefault.

UsernameConversion

for SSO. For example, convert domain\username orusername@domain to username.

Kerberos SSO session variable listThe following session variables are used by Kerberos SSO.

DescriptionSession Variable name

Contains the user's Kerberos realm. If unset, theuser's realm is the same as the server's realm. The

session.logon.last.domain

variable name is specified as User Realm Source inthe SSO configuration and can be changed.

Contains the user's login name. This can be extractedfrom the client certificate or supplied by the user on

session.logon.last.username

the login screen. The variable name is specified asUsernameSource in the SSO configuration and can bechanged.

This is set to 1 internally when Kerberos SSO fails.When this variable is set, all subsequent requests are

session.logon.last.username.sso.state

passed to the application server without applyingSSO for the remainder of the user session. Thevariable name is constructed by appending .sso.stateto the name specified in Username Source.

Tips for successfully deploying Kerberos SSOIf you run into problems with Kerberos SSO, follow these tips to try to resolve issues.

46


Microsoft® IIS servers

Only Microsoft® IIS servers are supported for pool members or web application resources. First, make surethe server computers running IIS are members of your AD Domain. Then follow these steps to enableKerberos in IIS Manager:

1. From Active Directory administrative tool, right-click Web Sites and select Properties.2. Select the Directory Security tab and in the Authentication and Access Control area click Edit.3. Clear Enable Anonymous Access.4. Check Integrated Windows Authentication and click OK. You might need to restart IIS or reboot the

server for this to take effect.

Reverse DNS resolution

Kerberos SSO relies on reverse DNS resolution for determining the SPN (Service Principal Name) for eachserver host, such as a load balanced pool member or a web application resource host. Access Policy Managershould be configured to use DNS servers that have the appropriate forward and reverse DNS records forthose servers. If DNS is lacking, those record host entries can be configured on the BIG-IP system.

DNS and KDC

Kerberos SSO relies on DNS for KDC discovery when KDC is not specified in an SSO configuration. TheDNS server should have SRV records pointing to the KDC servers for the realm's domain. When DNS isnot properly configured, or if the realm's DNS domain name is different from the realm's name, you canspecify the KDC by adding a realm section to /etc/krb5.conf file on the BIG-IP system. For DNSdiscovery to work, the dns_lookup_kdc option in the [libdefaults] section of that file must be set totrue.

Credential Caching

Kerberos uses credential caching to store Kerberos tickets. Access Policy Manager uses the websso processto maintain credential caches in memory, so restarting the websso process will discard all Kerberos ticketsused for SSO.

Credential caching and high availability

The Ticket cache is not synchronized between units in high availability. Each user's Kerberos tickets arestored in a separate cache, where the name is constructed from the username, the user Kerberos realm, andthe server Kerberos realm. Each cache contains a copy of the delegation account TGT for the server realm,a S4U2Self ticket for the user for the server realm, and multiple S4U2Proxy tickets for the servers. Onceall tickets are fetched and stored in the cache, they remain there until they expire according to their lifetime.Processing of subsequent SSO requests should not require any more queries to the KDC. Since all ticketsobtained from the same TGT have that TGT's lifetime, all tickets in the cache expire simultaneously. Eachuser's cache exists independently from the user's session. If the user has multiple concurrent or sequentialsessions, the sessions all share the same cache, as long as it remains valid. The cache continues to existeven without any active sessions.

Maximum number of cache entries

The maximum number of cache entries is set to 20000. If the number is exceeded, it destroys older entriesusing the LRU algorithm. Delegation account TGT for each server realm is fetched when the first userrequest for that realm is processed. The TGT is cached and copied into every user's cache when the useraccesses servers in that realm. If the TGT remaining lifetime becomes more than one hour shorter than theconfigured lifetime, the TGT is re-fetched. This is done to ensure that the new user's tickets are fetchedwith the initial lifetime closer to the configured value, and to avoid all tickets expiring at the same time,causing a performance impact.

47


48


Chapter

5

Single Sign-On and Multi-Domain Support

Topics:

• About multi-domain support for SSO• How does multi-domain support work for

SSO?• Task summary for configuring domain

support for SSO

About multi-domain support for SSO

Access Policy Manager® (APM) provides a method to enable users to use a single login or session acrossmultiple virtual servers in separate domains. Users can access back-end applications through multipledomains or through multiple hosts within a single domain, eliminating additional credential requests whenthey go through those multiple domains. With multi-domain support, you have the option of applyingdifferent SSO methods across different domains.

Attention: To enable multi-domain support, all virtual servers must be on a single BIG-IP® system.

These are some of the benefits that APM provides when you use it to set up multi-domain support for SSO.

• Users can sign out from all domains at once.• Users can move from one domain to another seamlessly. This eliminates the need re-run the access

policy, and thus maintains the established session for the user.• Administrators can configure different cookie settings (Secure, Host/Domain and Persistent) for different

domains, and for different hosts within same domain• Administrators can set up multiple SSO configurations to sign users in to multiple back-end applications

for a single APM™ session

How does multi-domain support work for SSO?

The configuration process in which you successfully set up multi-domain support for SSO requires thefollowing elements.

• An access profile that includes a set of participating domains.• An SSO configuration associated with each of the domains. Additionally, a designated URL that specifies

the primary authentication service is included in the access profile.

Note: The host name of the URL is a virtual server that provides an access policy to retrievethe credentials from the user. If an un-authenticated user reaches any domain specified in thedomain group, a re-direct is first made to the primary authenticating service so that credentialsare collected in order to establish a session.

• A virtual server.• The access profile associated with each of the virtual servers participating in the domain group.

50


Figure 3: Configuration process for multi-domain support for SSO

51


Figure 4: How multi-domain support for SSO works

Task summary for configuring domain support for SSO

Access Policy Manager SSO lets you configure either a single domain or multiple domains for SSO.


Task List

Configuring an access policy for SSO single domain support

Configuring an access policy for SSO multi-domain support

Creating a virtual server for SSO multi-domain support

Configuring an access policy for SSO single domain support

These steps apply only if you are setting up your access policy for SSO single domain support.


2. From the list, select an access profile in which you want to add SSO capability.

52


The properties screen for that access profile opens.

3. On the menu bar, click SSO/Auth Domains.

4. For Domain Mode, select Single Domain.

5. For the SSO Configuration setting, select an available SSO configuration from the list to apply to youraccess policy.

6. Click Update.

7. On the menu bar, click Access Policy.

8. Click the name of the access profile for which you want to edit the access policy.The Access Profile properties screen opens for the profile you want to edit.



11. For Predefined Actions, under General Purpose, select SSO Credential Mapping, and click Add item.

12. Click Save.You have now added SSO capability to your access policy.

Configuring an access policy for SSO multi-domain support

A user should be able to connect to any one of the virtual servers that participate in the domain group, andreceive a request for credentials only once. Subsequent connections to other virtual servers within the domaingroup should not require the users to provide their credentials.


2. From the list, select an access profile to which you want to add SSO capability.The properties screen for that access profile opens.

3. On the menu bar, click SSO/Auth Domains.

4. For the Domain Mode setting, select Multiple Domains.

5. For Primary Authentication URI, type the URI the client is directed to, for example,http://login.com, in order to receive an Access Policy Manager session.

Each domain that you configure indicates the domain the Access Policy Manager session (establishedby the primary authentication URI) is bound to.

6. In the Authentication Domain Configuration area, configure the Cookie setting by selecting Host orDomain, and typing the IP address for the host or, for domain, typing the fully qualified domain name.

7. Select Cookie Options. By default, Secure is selected.

8. From the SSO Configuration list, select the configuration that you want to associate to each host ordomain. (Defaults to None.)

9. Click Update.

Creating a virtual server for SSO multi-domain support

For every domain, a virtual server should be configured.


53




4. From Access Profile, select the profile you wish to attach to the virtual server.

5. Click Finished.

These steps should be repeated for every domain you specify in your access policy.

54


Chapter

6

Common Deployment Examples for Single Sign-On

Topics:

• Common use cases for Single Sign-Ondeployment

• Task summary for configuring webapplication over network access tunnel forSSO

Common use cases for Single Sign-On deployment

You can deploy Single Sign-On in a variety of ways, depending on the needs within your networkingenvironment. Deployment options include the following choices.

DescriptionUse case deployment type

Deploy SSO for local traffic with pool members.For local traffic pool members

Deploy SSO through a network access with layeredvirtual servers.

For web application access over network access

Deploy SSO so users can access their webapplications. You can assign an SSO object as part

For web applications

of the web application resource item, or assign theobject at the access profile level instead.

Task summary for configuring web application over network access tunnelfor SSO

Using Access Policy Manager®, you can configure Single Sign-On for web applications access over anetwork access tunnel.


Task List

Configuring network access for SSO with web applications

Configuring network access properties

Configuring and managing the access profile using SSO

Configuring an HTTP virtual server for the network access

Configuring a layered virtual server for your web service

Configuring portal access resources for SSO

Configuring network access for SSO with web applications

1. On the Main tab, click Access Policy > Network Access.The Network Access List screen opens.

2. Click the Create button.The New Resource screen opens.

3. In the Name field, type a name for the resource.

4. To configure the general properties for the network resource, click Properties on the menu bar.

5. Configure your network client settings.

6. Click the Finished button.The Network Access configuration screen opens, and you can configure the properties for the networkaccess resource.

56


Configuring network access properties

1. On the Main tab, click Access Policy > Network Access.The Network Access List screen opens.

2. Click the name to select a network access resource on the Resource List.The Network Access editing screen opens.

3. To configure the general properties for the network resource, click Properties on the menu bar.

4. To configure DNS and hosts settings for the network access resource, click DNS/Hosts on the menubar.

5. To configure the drive mappings for the network access resource, click Drive Mappings on the menubar.

6. To configure applications to start for clients that establish a network access connection with this resource,click Launch Applications on the menu bar.

Configuring and managing the access profile using SSO


2. Click Create.The New Profile screen opens.

3. Type a name for the access profile.

4. Ensure that the SSO Configuration setting specifies None, and leave all the other settings at their defaultvalues.

5. Click Finished.


7. On the menu bar, click Access Policy.The Access Policy screen opens.


9. Add your objects to the access policy.

Configuring an HTTP virtual server for the network access

Create a virtual server to which the network access associates your access policy.




4. For the Destination setting, in the Address field, type the IP address you want to use for the virtualserver.

The IP address you type must be available and not in the loopback network.

57


5. From the Source Address Translation list, select Auto Map.

6. In the Configuration area, specify both SSL Profile (Client) and SSL Profile (Server).

7. In the Service Port field, type a port number or select a service name from the Service Port list.

8. From the Configuration list, select Advanced.

9. In the Access Policy area, select the Access Profile you created.

10. Click Finished.

Your user is now able to log on to Access Policy Manager and have full access to all their web services.

If you want to eliminate the need for users to enter their credential multiple times to access each web service,you now need to configure a layered virtual server for each of your web service.

Configuring a layered virtual server for your web service

Create a layered virtual server for every web service that the users access to eliminate the need for them toenter credential multiple times.


2. Create an access profile with a dummy default access policy.

3. Configure the access profile with the appropriate access policy, for example, SSO Credential Mapping.

4. Click Update.


6. Select the layered virtual server you created for your web service.The General Properties screen opens.

7. In the Configuration area for the VLAN and Tunnel Traffic setting, select All VLANS and Tunnelsto ensure that the layered virtual server sends traffic from the network traffic to the network accesstunnel interface.

8. Associate the dummy access profile you created by selecting it from the Access Profile list.

9. From the Configuration list, select Advanced, scroll down, and make sure that both AddressTranslationand Port Translation settings remained cleared.

10. Click Update.The users are now able to access multiple web services without having to enter their credential multipletimes.

Configuring portal access resources for SSO

You can assign an SSO object as part of the portal access resource item. If you do not configure an SSOobject at that level, you can use the SSO object at the access profile level instead.

1. On the Main tab, select Access Policy > SSO Configurations.The SSO Configurations list screen opens.


3. From the SSO Configurations by Type menu, choose an SSO type.A screen appears, displaying SSO configurations of the type you specified.


5. Specify all relevant parameters.

58


6. Click Finished.



9. From the SSO Configurations list, select an SSO configuration.

10. Click Finished.

59


60


Acknowledgments

This product includes software developed by Gabriel Forté.

This product includes software developed by Bill Paul.

This product includes software developed by Jonathan Stone.

This product includes software developed by Manuel Bouyer.

This product includes software developed by Paul Richards.

This product includes software developed by the NetBSD Foundation, Inc. and its contributors.

This product includes software developed by the Politecnico di Torino, and its contributors.

This product includes software developed by the Swedish Institute of Computer Science and its contributors.

This product includes software developed by the University of California, Berkeley and its contributors.

This product includes software developed by the Computer Systems Engineering Group at the LawrenceBerkeley Laboratory.

This product includes software developed by Christopher G. Demetriou for the NetBSD Project.

This product includes software developed by Adam Glass.

This product includes software developed by Christian E. Hopps.

This product includes software developed by Dean Huxley.

This product includes software developed by John Kohl.

This product includes software developed by Paul Kranenburg.

This product includes software developed by Terrence R. Lambert.

This product includes software developed by Philip A. Nelson.

This product includes software developed by Herb Peyerl.

This product includes software developed by Jochen Pohl for the NetBSD Project.

This product includes software developed by Chris Provenzano.

This product includes software developed by Theo de Raadt.

This product includes software developed by David Muir Sharnoff.

This product includes software developed by SigmaSoft, Th. Lockert.

This product includes software developed for the NetBSD Project by Jason R. Thorpe.

This product includes software developed by Jason R. Thorpe for And Communications, http://www.and.com.

This product includes software developed for the NetBSD Project by Frank Van der Linden.

This product includes software developed for the NetBSD Project by John M. Vinopal.

This product includes software developed by Christos Zoulas.

This product includes software developed by the University of Vermont and State Agricultural College andGarrett A. Wollman.

This product includes software developed by Balazs Scheidler ([email protected]), which is protected underthe GNU Public License.

This product includes software developed by Niels Mueller ([email protected]), which is protected underthe GNU Public License.

In the following statement, This software refers to the Mitsumi CD-ROM driver: This software was developedby Holger Veit and Brian Moore for use with 386BSD and similar operating systems. Similar operatingsystems includes mainly non-profit oriented systems for research and education, including but not restrictedto NetBSD, FreeBSD, Mach (by CMU).

This product includes software developed by the Apache Group for use in the Apache HTTP server project(http://www.apache.org/).

This product includes software licensed from Richard H. Porter under the GNU Library General PublicLicense (© 1998, Red Hat Software), www.gnu.org/copyleft/lgpl.html.

This product includes the standard version of Perl software licensed under the Perl Artistic License (© 1997,1998 Tom Christiansen and Nathan Torkington). All rights reserved. You may find the most current standardversion of Perl at http://www.perl.com.

This product includes software developed by Jared Minch.

This product includes software developed by the OpenSSL Project for use in the OpenSSL Toolkit(http://www.openssl.org/).

This product includes cryptographic software written by Eric Young ([email protected]).

This product contains software based on oprofile, which is protected under the GNU Public License.

This product includes software with glib library utility functions, which is protected under the GNU PublicLicense.

This product includes software with grub2 bootloader functions, which is protected under the GNU PublicLicense.

This product includes software with the Intel Gigabit Linux driver, which is protected under the GNU PublicLicense. Copyright ©1999 - 2012 Intel Corporation.

This product includes software with the Intel 10 Gigabit PCI Express Linux driver, which is protected underthe GNU Public License. Copyright ©1999 - 2012 Intel Corporation.

This product includes RRDtool software developed by Tobi Oetiker (http://www.rrdtool.com/index.html)and licensed under the GNU General Public License.

This product contains software licensed from Dr. Brian Gladman under the GNU General Public License(GPL).

This product includes software developed by the Apache Software Foundation (http://www.apache.org/).

This product includes Hypersonic SQL.

This product contains software developed by the Regents of the University of California, Sun Microsystems,Inc., Scriptics Corporation, and others.

This product includes software developed by the Internet Software Consortium.

This product includes software developed by Nominum, Inc. (http://www.nominum.com).

This product contains software developed by Broadcom Corporation, which is protected under the GNUPublic License.

This product contains software developed by MaxMind LLC, and is protected under the GNU Lesser GeneralPublic License, as published by the Free Software Foundation.

This product includes software under license from Qosmos (www.qosmos.com).

This product includes software developed by Andrew Tridgell, which is protected under the GNU PublicLicense, copyright ©1992-2000.

62

Acknowledgments

This product includes software developed by Jeremy Allison, which is protected under the GNU PublicLicense, copyright ©1998.

This product includes software developed by Guenther Deschner, which is protected under the GNU PublicLicense, copyright ©2008.

This product includes software developed by www.samba.org, which is protected under the GNU PublicLicense, copyright ©2007.

This product includes software from Allan Jardine, distributed under the MIT License.

This product includes software from Trent Richardson, distributed under the MIT License.

This product includes vmbus drivers distributed by Microsoft Corporation.

This product includes software from Cavium.

This product includes software from Webroot, Inc.

This product includes software from Maxmind, Inc.

This product includes software licensed from www.samba.org under the GNU Library General PublicLicense.

This product includes software from OpenVision Technologies, Inc. Copyright ©1993-1996, OpenVisionTechnologies, Inc. All Rights Reserved.

This product includes software developed by Matt Johnson, distributed under the MIT License. Copyright©2012.

Permission is hereby granted, free of charge, to any person obtaining a copy of this software and associateddocumentation files (the "Software"), to deal in the Software without restriction, including without limitationthe rights to use, copy, modify, merge, publish, distribute, sublicense, and/or sell copies of the Software,and to permit persons to whom the Software is furnished to do so, subject to the following conditions:

The above copyright notice and this permission notice shall be included in all copies or substantial portionsof the Software.

THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS ORIMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THEAUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHERLIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS INTHE SOFTWARE.

This product includes software from NLnetLabs. Copyright ©2005, 2006. All Rights Reserved.

Redistribution and use in source and binary forms, with or without modification, are permitted providedthat the following conditions are met:

• Redistributions of source code must retain the above copyright notice, this list of conditions and thefollowing disclaimer.

• Redistributions in binary form must reproduce the above copyright notice, this list of conditions and thefollowing disclaimer in the documentation and/or other materials provided with the distribution.

• Neither the name of NLnetLabs nor the names of its contributors may be used to endorse or promoteproducts derived from this software without specific prior written permission.

THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS"AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THEIMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSEARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS BELIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR

63


CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OFSUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESSINTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER INCONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISINGIN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITYOF SUCH DAMAGE.

This product includes GRand Unified Bootloader (GRUB) software developed under the GNU PublicLicense, copyright ©2007.

This product includes Intel QuickAssist kernel module, library, and headers software licensed under theGNU General Public License (GPL).

This product includes gd-libgd library software developed by the following in accordance with the followingcopyrights:

• Portions copyright ©1994, 1995, 1996, 1997, 1998, 2000, 2001, 2002 by Cold Spring Harbor Laboratory.Funded under Grant P41-RR02188 by the National Institutes of Health.

• Portions copyright ©1996, 1997, 1998, 1999, 2000, 2001, 2002 by Boutell.Com, Inc.• Portions relating to GD2 format copyright ©1999, 2000, 2001, 2002 Philip Warner.• Portions relating to PNG copyright ©1999, 2000, 2001, 2002 Greg Roelofs.• Portions relating to gdttf.c copyright ©1999, 2000, 2001, 2002 John Ellson ([email protected]).• Portions relating to gdft.c copyright ©2001, 2002 John Ellson ([email protected]).• Portions copyright ©2000, 2001, 2002, 2003, 2004, 2005, 2006, 2007 2008 Pierre-Alain Joye

([email protected]).• Portions relating to JPEG and to color quantization copyright ©2000, 2001, 2002, Doug Becker and

copyright ©1994, 1995, 1996, 1997, 1998, 1999, 2000, 2001, 2002, Thomas G. Lane. This software isbased in part on the work of the Independent JPEG Group.

• Portions relating to WBMP copyright 2000, 2001, 2002 Maurice Szmurlo and Johan Van den Brande.Permission has been granted to copy, distribute and modify gd in any context without fee, including acommercial application, provided that this notice is present in user-accessible supporting documentation.

This product includes software developed by Oracle America, Inc. Copyright ©2012.

1. Java Technology Restrictions. Licensee shall not create, modify, change the behavior of, or authorizelicensees of ;icensee to create, modify, or change the behavior of, classes, interfaces, or subpackagesthat are in any way identified as "java", "javax”, "sun" or similar convention as specified by Oracle inany naming convention designation. In the event that Licensee creates an additional API(s) which: (a)extends the functionality of a Java Environment; and (b) is exposed to third party software developersfor the purpose of developing additional software which invokes such additional API, Licensee mustpromptly publish broadly an accurate specification for such API for free use by all developer.

2. Trademarks and Logos. This License does not authorize an end user licensee to use any Oracle America,Inc. name, trademark, service mark, logo or icon. The end user licensee acknowledges that Oracle ownsthe Java trademark and all Java-related trademarks, logos and icon including the Coffee Cup and Duke("Java Marks") and agrees to: (a) comply with the Java Trademark Guidelines athttp://www.oraclc.com/html/3party.html; (b) not do anything harmful to or inconsistent with Oracle'srights in the Java Marks; and (c) assist Oracle in protecting those rights, including assigning to Oracleany rights acquired by Licensee in any Java Mark.

3. Source Code. Software may contain source code that, unless expressly licensed for other purposes, isprovided solely for reference purposes pursuant to the terms of your license. Source code may not beredistributed unless expressly provided for in the terms of your license.

4. Third Party Code. Additional copyright notices and license terms applicable to portion of the Softwareare set forth in the THIRDPARTYLICENSEREADME.txt file.

5. Commercial Features. Use of the Commercial Features for any commercial or production purposerequires a separate license from Oracle. "Commercial Features" means those features identified in Table

64

Acknowledgments

I-I (Commercial Features In Java SE Product Editions) of tile Software documentation accessible athttp://www.oracle.com/technetwork/java/javase/documentation/index.html.

This product includes utilities developed by Linus Torvalds for inspecting devices connected to a USB bus.

This product includes perl-PHP-Serialization software, developed by Jesse Brown, copyright ©2003, anddistributed under the Perl Development Artistic License (http://dev.perl.org/licenses/artistic.html).

This product includes software developed by members of the CentOS Project under the GNU Public License,copyright ©2004-2011 by the CentOS Project.

This product includes software developed by members of the OpenJDK Project under the GNU PublicLicense Version 2, copyright ©2012 by Oracle Corporation.

This product includes software developed by The VMWare Guest Components Team under the GNU PublicLicense Version 2, copyright ©1999-2011 by VMWare, Inc.

This product includes software developed by The Netty Project under the Apache Public License Version2, copyright ©2008-2012 by The Netty Project.

This product includes software developed by Stephen Colebourne under the Apache Public License Version2, copyright ©2001-2011 Joda.org.

This product includes software developed by the GlassFish Community under the GNU Public LicenseVersion 2 with classpath exception, copyright ©2012 Oracle Corporation.

This product includes software developed by the Mort Bay Consulting under the Apache Public LicenseVersion 2, copyright ©1995-2012 Mort Bay Consulting.

This product contains software developed by members of the Jackson Project under the GNU Lesser GeneralPublic License Version 2.1, ©2007 – 2012 by the Jackson Project”.

This product contains software developed by QOS.ch under the MIT License, ©2004 – 2011 by QOS.ch.

This product includes software licensed from Gerald Combs ([email protected]) under the GNU GeneralPublic License as published by the Free Software Foundation; either version 2 of the License, or any laterversion. Copyright ©1998 Gerald Combs.

This product includes software developed by Daniel Stenberg. Copyright ©1996 - 2012, Daniel Stenberg,([email protected]). All rights reserved.

Permission to use, copy, modify, and distribute this software for any purpose with or without fee is herebygranted, provided that the above copyright notice and this permission notice appear in all copies.

THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS ORIMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT OF THIRD PARTY RIGHTS.IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM,DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OROTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THEUSE OR OTHER DEALINGS IN THE SOFTWARE.

Except as contained in this notice, the name of a copyright holder shall not be used in advertising or otherwiseto promote the sale, use or other dealings in this Software without prior written authorization of the copyrightholder.

This product includes software licensed from Rémi Denis-Courmont under the GNU Library General PublicLicense. Copyright ©2006 - 2011.

This product includes software developed by jQuery Foundation and other contributors, distributed underthe MIT License. Copyright ©2012 jQuery Foundation and other contributors (http://jquery.com/).

Permission is hereby granted, free of charge, to any person obtaining a copy of this software and associateddocumentation files (the "Software"), to deal in the Software without restriction, including without limitation

65


the rights to use, copy, modify, merge, publish, distribute, sublicense, and/or sell copies of the Software,and to permit persons to whom the Software is furnished to do so, subject to the following conditions:



This product includes software developed by Trent Richardson, distributed under the MIT License. Copyright©2012 jQuery Foundation and other contributors (http://jquery.com/).




This product includes software developed by Allan Jardine, distributed under the MIT License. Copyright©2008 - 2012, Allan Jardine, all rights reserved, jQuery Foundation and other contributors(http://jquery.com/).




This product includes software developed by Douglas Gilbert. Copyright ©1992 - 2012 The FreeBSDProject. All rights reserved.


1. Redistributions of source code must retain the above copyright notice, this list of conditions and thefollowing disclaimer.

66

Acknowledgments

2. Redistributions in binary form must reproduce the above copyright notice, this list of conditions and thefollowing disclaimer in the documentation and/or other materials provided with the distribution.

THIS SOFTWARE IS PROVIDED BY THE FREEBSD PROJECT `ÀS IS'' AND ANY EXPRESS ORIMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OFMERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NOEVENT SHALL THE FREEBSD PROJECT OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT,INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING,BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORYOF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDINGNEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE,EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.

The views and conclusions contained in the software and documentation are those of the authors and shouldnot be interpreted as representing official policies, either expressed or implied, of the FreeBSD Project.

This product includes software developed as open source software. Copyright ©1994 - 2012 The FreeBSDProject. All rights reserved.




3. The names of the authors may not be used to endorse or promote products derived from this softwarewithout specific prior written permission.

THIS SOFTWARE IS PROVIDED `ÀS IS'' AND WITHOUT ANY EXPRESS OR IMPLIEDWARRANTIES, INCLUDING, WITHOUT LIMITATION, THE IMPLIED WARRANTIES OFMERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE.

This product includes cryptographic software written by Eric Young ([email protected]). Copyright ©1998- 2011 The OpenSSL Project. All rights reserved.




3. All advertising materials mentioning features or use of this software must display the followingacknowledgment: "This product includes software developed by the OpenSSL Project for use in theOpenSSL Toolkit. (http://www.openssl.org/)"

4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to endorse or promote productsderived from this software without prior written permission. For written permission, please [email protected].

5. Products derived from this software may not be called "OpenSSL" nor may "OpenSSL" appear in theirnames without prior written permission of the OpenSSL Project.

6. Redistributions of any form whatsoever must retain the following acknowledgment: "This productincludes software developed by the OpenSSL Project for use in the OpenSSL Toolkit(http://www.openssl.org/)"

THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT `ÀS IS'' AND ANY EXPRESSED ORIMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF

67


MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NOEVENT SHALL THE OpenSSL PROJECT OR ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT,INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING,BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORYOF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDINGNEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE,EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.

This product includes software licensed from William Ferrell, Selene Scriven and many other contributorsunder the GNU General Public License, copyright ©1998 - 2006.

This product includes software developed by Thomas Williams and Colin Kelley. Copyright ©1986 - 1993,1998, 2004, 2007

Permission to use, copy, and distribute this software and its documentation for any purpose with or withoutfee is hereby granted, provided that the above copyright notice appear in all copies and that both thatcopyright notice and this permission notice appear in supporting documentation. Permission to modify thesoftware is granted, but not the right to distribute the complete modified source code. Modifications are tobe distributed as patches to the released version. Permission to distribute binaries produced by compilingmodified sources is granted, provided you

1. distribute the corresponding source modifications from the released version in the form of a patch filealong with the binaries,

2. add special version identification to distinguish your version in addition to the base release versionnumber,

3. provide your name and address as the primary contact for the support of your modified version, and4. retain our contact information in regard to use of the base software.

Permission to distribute the released version of the source code along with corresponding source modificationsin the form of a patch file is granted with same provisions 2 through 4 for binary distributions. This softwareis provided "as is" without express or implied warranty to the extent permitted by applicable law.

This product includes software developed by Brian Gladman, Worcester, UK Copyright ©1998-2010. Allrights reserved. The redistribution and use of this software (with or without changes) is allowed withoutthe payment of fees or royalties provided that:

• source code distributions include the above copyright notice, this list of conditions and the followingdisclaimer;

• binary distributions include the above copyright notice, this list of conditions and the following disclaimerin their documentation.

This software is provided 'as is' with no explicit or implied warranties in respect of its operation, including,but not limited to, correctness and fitness for purpose.

This product includes software developed by the Computer Systems Engineering Group at LawrenceBerkeley Laboratory. Copyright ©1990-1994 Regents of the University of California. All rights reserved.Redistribution and use in source and binary forms, with or without modification, are permitted providedthat the following conditions are met:



3. All advertising materials mentioning features or use of this software must display the followingacknowledgment: This product includes software developed by the Computer Systems EngineeringGroup at Lawrence Berkeley Laboratory.

68

Acknowledgments

4. Neither the name of the University nor of the Laboratory may be used to endorse or promote productsderived from this software without specific prior written permission.

THIS SOFTWARE IS PROVIDED BY THE REGENTS AND CONTRIBUTORS "AS IS" AND ANYEXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIEDWARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE AREDISCLAIMED. IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE FOR ANYDIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES(INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED ANDON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT(INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THISSOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.

This product includes software developed by Sony Computer Science Laboratories Inc. Copyright ©

1997-2003 Sony Computer Science Laboratories Inc. All rights reserved. Redistribution and use in sourceand binary forms, with or without modification, are permitted provided that the following conditions aremet:



THIS SOFTWARE IS PROVIDED BY SONY CSL AND CONTRIBUTORS "AS IS" AND ANY EXPRESSOR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIESOF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. INNO EVENT SHALL SONY CSL OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT,INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUTNOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORYOF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDINGNEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE,EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.

This product contains software developed by Google, Inc. Copyright ©2011 Google, Inc.




This software incorporates JFreeChart, ©2000-2007 by Object Refinery Limited and Contributors.

This product contains software developed by the Mojarra project. Source code for the Mojarra softwaremay be obtained at https://javaserverfaces.dev.java.net/.

This product includes software developed by McAfee®.

69


This product includes software developed by Ian Gulliver ©2006, which is protected under the GNU GeneralPublic License, as published by the Free Software Foundation.

This product contains software developed by the RE2 Authors. Copyright ©2009 The RE2 Authors. Allrights reserved. Redistribution and use in source and binary forms, with or without modification, are permittedprovided that the following conditions are met:

• Redistributions of source code must retain the above copyright notice, this list of conditions and thefollowing disclaimer.

• Redistributions in binary form must reproduce the above copyright notice, this list of conditions and thefollowing disclaimer in the documentation and/or other materials provided with the distribution.

• Neither the name of Google Inc. nor the names of its contributors may be used to endorse or promoteproducts derived from this software without specific prior written permission.

THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS"AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THEIMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSEARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS BELIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, ORCONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OFSUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESSINTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER INCONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISINGIN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITYOF SUCH DAMAGE.

This product includes the Zend Engine, freely available at http://www.zend.com.

This product includes software developed by Digital Envoy, Inc.

This product contains software developed by NuSphere Corporation, which is protected under the GNULesser General Public License.

This product contains software developed by Erik Arvidsson and Emil A Eklund.

This product contains software developed by Aditus Consulting.

This product contains software developed by Dynarch.com, which is protected under the GNU LesserGeneral Public License, version 2.1 or later.

This product contains software developed by InfoSoft Global (P) Limited.

This product includes software written by Steffen Beyer and licensed under the Perl Artistic License andthe GPL.

This product includes software written by Makamaka Hannyaharamitu ©2007-2008.

Rsync was written by Andrew Tridgell and Paul Mackerras, and is available under the GNU Public License.

This product includes Malloc library software developed by Mark Moraes. (©1988, 1989, 1993, Universityof Toronto).

This product includes open SSH software developed by Tatu Ylonen ([email protected]), Espoo, Finland(©1995).

This product includes open SSH software developed by Niels Provos (©1999).

This product includes SSH software developed by Mindbright Technology AB, Stockholm, Sweden,www.mindbright.se, [email protected] (©1998-1999).

This product includes free SSL software developed by Object Oriented Concepts, Inc., St. John's, NF,Canada, (©2000).

70

Acknowledgments

This product includes software developed by Object Oriented Concepts, Inc., Billerica, MA, USA (©2000).

This product includes free software developed by ImageMagick Studio LLC (©1999-2011).

This product includes software developed by Bob Withers.

This product includes software developed by Jean-Loup Gaily and Mark Adler.

This product includes software developed by Markus FXJ Oberhumer.

This product includes software developed by Guillaume Fihon.

This product includes QPDF software, developed by Jay Berkenbilt, copyright ©2005-2010, and distributedunder version 2 of the OSI Artistic License (http://www.opensource.org/licenses/artistic-license-2.0.php).

71


72

Acknowledgments

Index

A

access profileconfiguring for SSO 57managing for SSO 57

B

Bugzillaand SSO configuration example 25

C

Ceridianand SSO configuration example 25

Citrix 4.5 and Citrix 5and SSO configuration example 27

D

delegation accountsetting up 41

Domino Web Access configuration example 24

F

form-based client-initiated SSOabout 18and default behavior 18configuring basic 18

form-based client-initiated SSO authenticationusing 20

form-based client-initiated SSO configurationand minimum requirements 18examples 24for Bugzilla 25for Ceridian 25for Citrix 4.5 and Citrix 5 27for DevCentral 28for Google 29for Oracle Application Server 10g 30for OWA 2003 31for OWA 2010 and OWA 2007 30for Perforce 31for Reviewboard 32for Salesforce 33for SAP 32for Sharepoint 2010 34for Weblogin 35for Yahoo 36matching criteria 18

form-based client-initiated SSO configuration examplefor Domino Web Access 24

form-based client-initiated SSO settingsdescribed 21

form requestchanging default properties 19

form submittalchanging default properties 19

H

HTTP Basic SSO configuration settings 11HTTP Forms SSO configuration settings 12

J

JavaScript insertion 19

K

KerberosKerberos

access profile for 43virtual server for 43

Kerberos authentication methodsupporting 42

Kerberos SSOabout 40configuring 42editing an access policy 42overview 40setting up a delegation account 41supporting 41, 42task summary 41

Kerberos SSO configuration settings 43Kerberos SSO object 43Kerberos SSO session variables

descriptions 46Kerberos SSO troubleshooting tips

list of 46

L

layered virtual serversconfiguring for SSO 58

M

multi-domain supportoverview 50

multi-domain support for SSOabout 50attaching an access policy 53configuring 53

73

Index

N

network accessconfiguring 56for SSO with web applications 56

network access propertiesconfiguring 57for SSO with web applications 57

NTLMV1 SSO configuration settings 14NTLMV2 SSO configuration settings 16

P

portal access resourceconfiguring 58for SSO 58

S

single domain support for SSOconfiguring 52

Single Sign-Onabout 8with credential caching and proxying 8

Single Sign-On configuration objectsabout 10

SSOconfiguring 11, 12configuring form-based client-initiated authentication 20configuring for NTLM v1 authentication method 14configuring for NTLM v2 authentication method 15configuring multi-domain support 53configuring single domain support 52using form-based authentication method 12using HTTP basic authentication method 11

SSO common use casesdeploying 56

SSO domain supportconfiguring 52for SSO 52

SSO methods supported 10

V

virtual serverfor web applications 57over network access 57

W

web application over network accessconfiguring 56for OAM 56

74

Index

Documents

Access Policy Manager Single Sign-On Configuration … · Task summary for configuring web application over network ... the access profile using SSO ... Sign-On configuration object