Forms single sign-on learning flow

We can configure WebSEAL to learn our user name and password information so that future requests to the same junctioned resource will not prompt you for authentication.

Use the login-credential-learning stanza entry to enable the forms single sign-on learning function. Define what is a successful authentication with the login-success-pattern stanza entry.

A credential learning flow

In a successful learning flow, WebSEAL learns our user name and password information for a particular junctioned resource after you manually enter it for the first time. In future requests to the same junctioned resource, you will not be prompted for authentication as WebSEAL automatically provides such info.

1. Client browser requests the page:
   https://webseal/formsso/content.html

2. WebSEAL passes the request to the junction.
3. Because the back-end application requires the user to authenticate, a redirect to the application's login page (login.html) is sent back across the junction.

4. WebSEAL passes the redirect to the browser.
5. The browser follows the redirect and requests:
   https://webseal/formsso/login.html

6. WebSEAL is configured for forms single sign-on (-S option on the junction) with credential learning enabled. WebSEAL recognizes the request as a request for a login page, which is based on information in the forms SSO configuration file. The request is passed to the junction. WebSEAL saves all cookies that are sent by the browser for use in step 8.
7. The application returns the login page and application-specific cookies.

8. WebSEAL parses the HTML returned to identify the login form. WebSEAL detects the GSO resources associated with this junction. If WebSEAL cannot find a credential for the current user, it returns the response to the user.
9. The user populates this form and submits it.

10. WebSEAL inspects the request and extracts the credential information from the POST data.
11. The request is then sent to the backing application.
12. The application authenticates the user with the authentication data that is supplied by WebSEAL in the form.
13. The response is examined by WebSEAL. If the response is successful, the extracted credentials are persisted to the GSO vault. WebSEAL combines any cookies that are saved from the responses and returns these cookies with the redirect to the browser. If the response is unsuccessful, WebSEAL disregards the credential and returns the response to the user. This process completes the forms single sign-on credential learning function.

14. In the case of a successful authentication, the browser follows the redirect and requests:
    https://webseal/formsso/content.html

15. WebSEAL passes the request to the back-end application across the junction.

A credential re-learning flow

There are several cases where the learning feature might need to re-learn a set of credentials. The primary cases are:

• The password is reset by some out-of-band method. For example, the user is emailed a new password or password reset link.
• The user changes the password through a form. For example, the user is required by the system to change the password upon authentication.

1. Client browser requests the page:
   https://webseal/formsso/content.html

2. WebSEAL passes the request to the junction.
3. Because the back-end application requires the user to authenticate, a redirect to the application's login page (login.html) is sent back across the junction.

4. WebSEAL passes the redirect to the browser.
5. The browser follows the redirect and requests:
   https://webseal/formsso/login.html

6. WebSEAL is configured for forms single sign-on (-S option on the junction) with credential learning enabled. WebSEAL recognizes the request as a request for a login page, which is based on information in the forms SSO configuration file. The request is passed to the junction. WebSEAL saves all cookies that are sent by the browser for use in step 8.
7. The application returns the login page and application-specific cookies.

8. WebSEAL parses the HTML returned to identify the login form.

9. WebSEAL detects the GSO resources associated with this junction and finds a credential for the current user. WebSEAL generates the authentication request (completes the login form) and sends it to the back-end application.
10. The authentication fails due to incorrect credentials.

11. WebSEAL determines the response does not satisfy any of the login success rules configured with the login-success-pattern stanza entry. WebSEAL returns the login page to the client.
12. The user populates this login form and submits it.

13. WebSEAL inspects the request and extracts the credential information from the POST data.
14. The request is then sent to the back-end application.
15. The application authenticates the user with the authentication data that is supplied by WebSEAL in the form. The authentication succeeds. The application returns a redirect to content.html.

16. WebSEAL examines the response and detects the response is successful. It updates the user's credential in the GSO vault with the extracted credential information. It also combines any cookies that were contained in the responses and returns these cookies with the redirect to the browser. This process completes the forms single sign-on credential learning function.
17. The browser follows the redirect and requests:
    https://webseal/formsso/content.html

18. WebSEAL passes the request to the back-end application across the junction.

Example configuration

[forms-sso-login-pages]
login-page-stanza = myApp
# If this is a learning junction.
login-credential-learning = true

[myApp]
login-page = /login.jsp
#Successful login is a 302, failure is a 200
login-success-pattern = -200 +302 [location:*/landingPage]
login-form-action = /j_security_check
gso-resource = myGso
argument-stanza = myApp-arguments

[myApp-arguments]
j_username=gso:username
j_password=gso:password

Parent topic: Forms single sign-on concepts