SSL VPN
Regular Visitor
amihai
Posts: 7
Registered: ‎06-16-2009
0

ISP like environment - enabling SSO w/ certificate server and LDAP (across domains)

Hi All,

I have an issue that can be a little hard to explain so please bear with me:

Looking for a way to make the IVE not check the secondary password against an Auth Server when performing SSO.

IVE 7.04

Auth Server #1: Certificate Server

Auth Server #2: LDAP (password only)

Web Resource #1 has SSO policy configured to send <user> and <password2> to the login page.

Problem: The password on the LDAP server (auth server #2) and the password to the web resource are NOT the same.

I'm aware of the checkbox to disable "End session if auth against server fails" - it allows me to enter any password (even if it's the wrong password for the secondary server).

However - when this checkbox is checked - I'm indeed allowed to enter any password in the secondary login page BUT SSO fails.

It is my understanding that while the IVE allows me to enter a wrong password on the secondary login page - it does check this password when I try to use SSO against a web resource.

I would like to be able to enter the password for the web resource in the secondary login page but have the IVE NOT check this password against the LDAP server.

In other words I need the IVE to pass the password (<password[2]>) blindly to the web resource.

Any advice or tips would be greatly appreciated.

Thanks in advance,

Avner

Moderator
zanyterp
Posts: 2,263
Registered: ‎11-19-2007
0

Re: ISP like environment - enabling SSO w/ certificate server and LDAP (across domains)

Unfortunately, this is not possible: the password will always be checked for the secondary auth server... and the value is invalidated if it doesn't match.
Is using constrained delegation an option?
Does the site use POST for the SSO? If yes, you can set the password option to require users to enter it (value of users MUST modify; the default is users MAY NOT modify).
Regular Visitor
amihai
Posts: 7
Registered: ‎06-16-2009
0

Re: ISP like environment - enabling SSO w/ certificate server and LDAP (across domains)

Hi zanyterp,

Constrained Delegation just might be the answer.

Thank you so much for your response.

I will try and implement KCD and if successful will mark your solution as accepted.

Your time and effort are greatly appreciated :smileyhappy:

Will update shortly.

Thanks!

Moderator
zanyterp
Posts: 2,263
Registered: ‎11-19-2007
0

Re: ISP like environment - enabling SSO w/ certificate server and LDAP (across domains)

Hi amihai,

You are welcome; glad to (try) and help. :smileyhappy:

Hope all is looking good.
