SSL VPN
Blogs
Discussion Forums
Programs & Events
turn on suggestions Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Reply
Topic Options
amihai
Regular Visitor
amihai
Posts: 7
Registered: ‎06-16-2009
0

ISP like environment - enabling SSO w/ certificate server and LDAP (across domains)

Options

‎06-26-2011 07:47 AM

Hi All,

 

I have an issue that can be a little hard to explain so please bear with me:

 

Looking for a way to make the IVE not check the seconday password against an Auth Server when perfroming SSO.

 

IVE 7.04

Auth Server #1: Certificate Server

Auth Server #2: LDAP (password only)

Web Resrouce #1 has SSO policy configured to send <user> and <password2> to the login page.

 

Problem: The pasword on the LDAP server (auth server #2) and the password to the web resource are NOT the same.

 

I'm aware of the checkbox to disabe "End session if auth against server failes" - it allows me to enter any password (even if it's wrong password for the secondary server).

 

However - when this checkbox is checked - I'm indeed allowed to enter any password in the secondary login page BUT sso fails.

 

It is my understanding that while the IVE allows me to enter a wrong password on the secondary login page - it does check this password when I try to use SSO against a web resource.

 

I would like to be able to enter the password for the web resource in the secondary login page but have the IVE NOT check this passsword against the LDAP server.

In other words I need the IVE to blindly pass the password (<passowrd[2]>) blindly to the web resrouce.

 

Any advice or tips would be greatly appreciated.

 

Thanks in advnace,

Avner

Message 1 of 4 (436 Views)
 
Reply
Moderator Moderator
Moderator
zanyterp
Posts: 1,989
Registered: ‎11-19-2007
0

Re: ISP like environment - enabling SSO w/ certificate server and LDAP (across domains)

Options

‎06-26-2011 01:56 PM

Unfortunately, this is not possible: the password will always be checked for the secondary auth server....and the value is invalidated if it doesn't match.
Is using constrained delegation an option?
Does the site use POST for the SSO? If yes, you can set the password option to require users to enter it (value of users MUST modify; the default is users MAY NOT modify).
Message 2 of 4 (430 Views)
 
Posted from Apple iPhone
Reply
amihai
Regular Visitor
amihai
Posts: 7
Registered: ‎06-16-2009
0

Re: ISP like environment - enabling SSO w/ certificate server and LDAP (across domains)

Options

‎07-05-2011 03:31 AM

Hi zanyterp,

 

Constrained Delegation just might be the answer.

 

Thank you so much for your response.

 

I will try and implement KCD and if succesful will mark your solution as accepted.

 

Your time and effort are greatly appreciated :smileyhappy:

 

Will update shortly.

 

Thanks!

Message 3 of 4 (377 Views)
 
Reply
Moderator Moderator
Moderator
zanyterp
Posts: 1,989
Registered: ‎11-19-2007
0

Re: ISP like environment - enabling SSO w/ certificate server and LDAP (across domains)

Options

‎07-11-2011 09:21 AM

Hi amihai,

 

You are welcome; glad to (try) and help. :smileyhappy:

Hope all is looking good.

 

 

Message 4 of 4 (342 Views)
 
Reply
Copyright© 1999-2013 Juniper Networks, Inc. All rights reserved.