Form-based authentication
To enable single sign-on forms authentication to a back-end application, the Access Manager administrator must perform two tasks. First, a configuration file must be created that tells WebSEAL how to identify a login form when it is received from the back-end application, and which fields in the back-end server's form are relevant for the authentication. Second, a junction must be created to the back-end Web server using the -S option, which specifies the location of the configuration file. Once this is complete, WebSEAL provides login support for Access Manager users to the back-end WebSphere application.
For further information about enabling single sign-on forms authentication, refer to the Access Manager for e-business WebSEAL Administrator's Guide.
Create the form-based authentication configuration file
The purpose of the configuration file for single sign-on forms authentication is to define the following to WebSEAL:
- A pattern which WebSEAL can use to identify the URI that indicates a request to the back-end application for a login form.
- A pattern which WebSEAL can use to identify the login form within a page returned from the back-end application.
- A list of fields within the login form for which WebSEAL is to provide the values, and where these values are to be obtained.
The following example is the source for a sample login page for the ITSOBank sample application.
<form method="post" action="/itsobank/j_security_check">
<table width="80%">
<tr>
<td width="20%" align="right">Userid:</td>
<td><input size="20" type="text" name="j_username" maxlength="25"></td>
</tr>
<tr>
<td align="right">Password:</td>
<td><input size="20" type="password" name="j_password" maxlength="25"></td>
</tr>
<tr>
<td></td>
<td>
<input type="submit" name="action" value="Login">
<input type="reset" name="reset" value="Clear">
</td>
</tr>
</table>
</form>
In our form, there are two input fields, j_username and j_password. These are the two fields which WebSEAL will need to fill in. The following example shows the single sign-on forms configuration file.
[forms-sso-login-pages]
login-page-stanza = login-itsobank
[login-itsobank]
login-page = /itsobank/login/login.html
login-form-action = *
gso-resource =
argument-stanza = args-for-login-itsobank
[args-for-login-itsobank]
j_username = cred:azn_cred_authzn_id
j_password = string:test
In this example, we have configured one login form page, login-itsobank. The URI for the login form is /itsobank/login/login.html. This entry defines the URI that should be intercepted by WebSEAL. When a request is received for this URI, WebSEAL intercepts the form and returns to our ITSOBank application the user ID defined for this Access Manager user and the fixed password test.
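As an added illustration (not part of the Redbook or of WebSEAL itself), the following Python script checks a forms SSO configuration file against the login form it is meant to fill: it confirms that the request URI matches login-page, that the form's action matches login-form-action, and that every text or password input in the form has a value source (cred:, string: or gso:) in the argument stanza. The sample form and configuration are constructed copies of the ones above; wildcard matching with fnmatch is an assumption standing in for WebSEAL's own pattern matching.

```python
import configparser
import fnmatch
from html.parser import HTMLParser

# Constructed copies of the sample ITSOBank login form and fsso file.
LOGIN_FORM = """<form method="post" action="/itsobank/j_security_check">
<input size="20" type="text" name="j_username" maxlength="25">
<input size="20" type="password" name="j_password" maxlength="25">
<input type="submit" name="action" value="Login"></form>"""

FSSO_CONF = """[forms-sso-login-pages]
login-page-stanza = login-itsobank
[login-itsobank]
login-page = /itsobank/login/login.html
login-form-action = *
gso-resource =
argument-stanza = args-for-login-itsobank
[args-for-login-itsobank]
j_username = cred:azn_cred_authzn_id
j_password = string:test
"""

class _FormScan(HTMLParser):
    """Collect the form action and the names of text/password inputs."""
    def __init__(self):
        super().__init__()
        self.action, self.fields = None, []
    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "form":
            self.action = a.get("action", "")
        elif tag == "input" and a.get("type") in ("text", "password"):
            self.fields.append(a.get("name", ""))

def check_fsso(conf_text, request_uri, html, cred):
    """Return (problems, post_args). problems is empty when the stanza covers
    this form; post_args is what WebSEAL would POST for the given credential.
    fnmatch approximates WebSEAL's wildcard matching (an assumption)."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(conf_text)
    stanza = cp[cp["forms-sso-login-pages"]["login-page-stanza"]]
    scan = _FormScan()
    scan.feed(html)
    problems, args = [], {}
    if not fnmatch.fnmatch(request_uri, stanza["login-page"]):
        problems.append(f"URI {request_uri} does not match login-page")
    if not fnmatch.fnmatch(scan.action or "", stanza["login-form-action"]):
        problems.append(f"action {scan.action} does not match login-form-action")
    sources = cp[stanza["argument-stanza"]]
    for field in scan.fields:
        kind, _, name = sources.get(field, "").partition(":")
        if kind == "cred":        # taken from the user's Access Manager credential
            args[field] = cred.get(name, "")
        elif kind == "string":    # fixed value written in the configuration file
            args[field] = name
        elif kind == "gso":       # would be looked up in the GSO resource
            args[field] = f"<gso:{name}>"
        else:
            problems.append(f"form field {field} has no value source")
    return problems, args
```

A field reported as having no value source is the usual cause of a back-end login that still fails after the junction is created, so this check belongs in the review of any new fsso file.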
The forms configuration also allows the use of GSO resources, although we did not use them in this example. The users could easily be created in the back-end systems with the same password, or with no password, if the infrastructure and WebSEAL provide a secure environment. This sample is similar to the -b supply option discussed earlier. To create the junction, follow the steps below:
- Create the file itsobank.fsso.conf in the <WebSEAL_Install_dir>/etc directory. Ensure that the file is readable by the ivmgr user.
- On the Access Manager server launch pdadmin and log on as sec_master.
- Find the WebSEAL server we are going to use:
pdadmin sec_master> server list
default-webseald-m10d9ffd
ba-webseald-m10d9ffd
forms-webseald-m10d9ffd
- In this case we will use the server ba-webseald-m10d9ffd, which listens on IP:port 9.42.171.81:444 on HTTPS and is configured to use Basic Authentication. We will create a junction to the WebSphere Application Server, which listens on IP:port 9.42.171.85:9082 on HTTP. The junction will use the -S option to indicate the forms single sign-on file. Enter the following command:
pdadmin sec_master> server task ba-webseald-m10d9ffd create -t tcp -h 9.42.171.85 -p 9082 -f -S /opt/pdweb/etc/itsobank.fsso.conf /ITSOBank
To test the junction, access the WebSEAL server, the ITSOBank junction and the protected resource /itsobank/transfer/customertransfer.html in.