10-19-2009 10:21 AM
I've configured SSO successfully to citrix and owa for an environment with users authenticating from AD.
Now, we are moving from AD authentication to certificate authentication using the MS certificate authority, and SSO is breaking.
Username and password for certificate authentication are the users active directory credentials. I am using <USERNAME> and <PASSWORD> variables for the SSO (against citrix and owa).
I assumed that it was possible to use the same credentials and variables, is that a misunderstanding? What am I missing?
Thanks for any advice!
10-19-2009 10:59 AM
Can you clarify a little? Are you using the certificate for primary authentication and then using the AD username and password for secondary authentication and then trying to pass that on for your SSO purposes?
10-19-2009 01:00 PM
Sure, thanks for responding and sorry for not being clearer.
I planned on using certificates as primary, AD as secondary. I would like to use a single sign on page for the login, but enabling AD for secondary seems to bring up a second sign in page.
I'd then like to find a way to have the username and password used for SSO for backend apps like citrix and outlook like we currently use with AD only.
10-19-2009 05:38 PM
#1 - Check your sign-in page - you should only see a second page if you have enabled the checkbox "prompt the secondary credentials on the second page".
#2 - You can use the secondary username and password for SSO - but you can't just pass <username> or <password>, as that is for primary auth. It is stored as <username> and <password> for the secondary credentials.
Hope that this helps!
10-19-2009 08:13 PM
Thanks for the info and the quick responses. This didn't directly solve my issue, but it got me thinking enough to realize what the issue was, so thank you!
Turns out when you have multiple realms allowed on a single sign in page, and are using different authentication types across the realms, you get a username and password box regardless of what realm you choose and what the authentication type is. Seems logical.
Now this username and password box works well if you choose a realm that is password-based as its primary authentication.
However, if you are using certs for primary and say AD for secondary, those username boxes actually don't do anything on that initial sign in page and you are brought to a secondary page for your secondary authentication.
So removing the additional realms (they were there for testing only) reduced my sign-on page to just checking for a user cert. Once the user cert was found it technically went to the secondary sign-in page, but really that was the first sign-in page the user would see that prompts them for credentials.
From there, as you said changing the SSO variables to the secondary ones finished up the SSO solution.
This is excellent because I was really banging my head on the wall trying to figure out why this wouldn't work!