06-26-2011 07:47 AM
I have an issue that can be a little hard to explain so please bear with me:
Looking for a way to make the IVE not check the secondary password against an Auth Server when performing SSO.
Auth Server #1: Certificate Server
Auth Server #2: LDAP (password only)
Web Resource #1 has SSO policy configured to send <user> and <password2> to the login page.
Problem: The password on the LDAP server (auth server #2) and the password to the web resource are NOT the same.
I'm aware of the checkbox to disable "End session if auth against server fails" - it allows me to enter any password (even if it's the wrong password for the secondary server).
However - when this checkbox is checked - I'm indeed allowed to enter any password in the secondary login page BUT SSO fails.
It is my understanding that while the IVE allows me to enter a wrong password on the secondary login page - it does check this password when I try to use SSO against a web resource.
I would like to be able to enter the password for the web resource in the secondary login page but have the IVE NOT check this password against the LDAP server.
In other words, I need the IVE to blindly pass the password (<password>) to the web resource.
Any advice or tips would be greatly appreciated.
Thanks in advance,
06-26-2011 01:56 PM
Is using constrained delegation an option?
Does the site use POST for the SSO? If yes, you can set the password option to require users to enter it (value of users MUST modify; the default is users MAY NOT modify).
07-05-2011 03:31 AM
Constrained Delegation just might be the answer.
Thank you so much for your response.
I will try and implement KCD and if successful will mark your solution as accepted.
Your time and effort are greatly appreciated.
Will update shortly.