Forum Discussion
tiwang (Nimbostratus), Jun 07, 2013
SSO for webserver
Hi out there,
I need an idea how I can avoid my users cheating me.
I have an SSO setup where I, through a client-initiated webform, do an SSO login to a webserver. After this the APM j...
Kevin_Stewart (Employee), Jun 14, 2013
Here are some things you should reevaluate in your form-based SSO:
Form Detection: this is the section that defines what the policy is looking for. You're currently looking for a referer header that points back to "/my.policy", which certainly *may* work, but only during initial policy evaluation (when the redirects happen). What you probably need though is to define the object itself. You said earlier that the logon form was on the "/default.htm" page, and that this page is only accessed when a user needs to logon. I would then suggest switching from Header to URI in the Form Detection settings and use this URI. If, by chance, this page has multiple forms, you can use the Form Detection section to find the specific form.
Logon Detection: this is the section that defines what the policy looks for to indicate a good logon. You have nothing assigned here. I would recommend opening a Fiddler session and watching (connected directly to the application around the APM) what the application does AFTER a successful logon. It may either redirect to another URI or present a cookie. You can define either case in this section.
From that point on, SSO is perpetual. If the user requests (or is redirected to) the defined logon page, APM will automatically inject the credentials. Users should NEVER be able to access the application's logon form again.
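To make the two detection steps concrete, here is an added example (not code from the thread or from F5) that models them as plain functions over constructed requests and responses. It assumes the logon page is "/default.htm" as stated above; the post-logon redirect target "/home" and the cookie name "SESSIONID" are hypothetical values standing in for whatever Fiddler shows for the real application.

```python
# Added example: a minimal model of APM form-based SSO detection.
# Requests/responses are plain dataclasses; no BIG-IP API is involved.
from dataclasses import dataclass, field
from typing import Dict

LOGON_URI = "/default.htm"    # from the thread: the page that carries the logon form
SUCCESS_REDIRECT = "/home"    # assumed: where the app sends the user after a good logon
SUCCESS_COOKIE = "SESSIONID"  # assumed: cookie the app sets after a good logon


@dataclass
class HttpRequest:
    method: str
    uri: str
    headers: Dict[str, str] = field(default_factory=dict)


@dataclass
class HttpResponse:
    status: int
    headers: Dict[str, str] = field(default_factory=dict)


def form_detected_by_referer(req: HttpRequest) -> bool:
    """The original rule: only fires while the /my.policy redirects are in flight."""
    return req.headers.get("Referer", "").endswith("/my.policy")


def form_detected_by_uri(req: HttpRequest) -> bool:
    """The suggested rule: match the logon page itself, however it was reached."""
    return req.uri.split("?", 1)[0] == LOGON_URI


def logon_succeeded(resp: HttpResponse) -> bool:
    """Logon Detection: a redirect to the post-logon URI or the session cookie."""
    if resp.status in (301, 302, 303, 307) and resp.headers.get("Location") == SUCCESS_REDIRECT:
        return True
    cookie = resp.headers.get("Set-Cookie", "")
    return cookie.split("=", 1)[0].strip() == SUCCESS_COOKIE


def sso_decision(req: HttpRequest) -> str:
    """Once SSO is configured, every request to the logon page gets credentials injected."""
    return "inject" if form_detected_by_uri(req) else "pass"
```

The interesting case is a request for the logon page that arrives without a /my.policy referer (for example after an application-side session timeout): the referer rule misses it and the user sees the real form, while the URI rule still injects.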