on 01-Aug-2018 04:00
A customer recently reached out requesting assistance providing smart card authentication to an application that does not integrate with AD or LDAP and has only a single username and password. While many of you out there may have done this in the past, I for one had not and of course I too was curious how I could make such a solution work. So with that, let's get to it.
In order to successfully deploy this solution, please configure the following prerequisites.
Note: This CA cert or bundle must contain every CA cert that issued the client certificates you will be authenticating with.
In this scenario I used Firefox though your favorite browser can also be used. This data will be used to configure our SSO profile.
To make it easy to identify the form, I simply clicked in the USERNAME or PASSWORD fields in the web page and Inspector took me to that content.
After you click Create, the page will refresh and at the bottom of the screen you will then see an option to create Resource Items.
Note: Unsecure or Secure specifies whether the variable is secure. A secure variable is stored in encrypted form in the session database. The value of a secure variable is not displayed in the session report, or logged by the logging agent.
set x509e_fields [split [mcget {session.ssl.cert.x509extension}] "\n"];
# For each element in the list:
foreach field $x509e_fields {
    # If the element contains UPN:
    if { $field contains "othername:UPN" } {
        ## set start of UPN variable
        set start [expr {[string first "<" $field] +1}]
        # UPN format is
        # Return the UPN, by finding the index of opening and closing brackets, then use string range to get everything between.
        return [string range $field $start [expr { [string first ">" $field $start] - 1 } ] ];
    }
}
# Otherwise return UPN Not Found:
return "UPN-NOT-FOUND";
Note: sAMAccountName is not required for successful authentication as it is when performing Kerberos KCD though it can be useful to know who is logging in by name versus a long string of characters.
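As an added example (not the author's or F5's code), the Python below mirrors the UPN-extraction logic of the variable-assign expression above and adds the two checks a practitioner would want before that UPN is handed to the sAMAccountName lookup: the UPN domain is restricted to the realms the deployment expects, and the value is escaped before it is placed in an LDAP filter. The extension text, the domain names and the (userPrincipalName=...) filter shape are constructed assumptions.

```python
import re

UPN_NOT_FOUND = "UPN-NOT-FOUND"   # sentinel the page's Tcl expression returns

# Constructed sample of the OpenSSL-style extension text APM exposes in
# session.ssl.cert.x509extension; every value here is made up.
SAMPLE_EXTENSIONS = """X509v3 Key Usage: critical
  Digital Signature, Key Encipherment
X509v3 Extended Key Usage:
  TLS Web Client Authentication, Microsoft Smartcard Login
X509v3 Subject Alternative Name:
  othername:UPN<jdoe@corp.example>, email:jdoe@corp.example
"""


def extract_upn(extension_text: str) -> str:
    """Same algorithm as the page's Tcl: scan lines for othername:UPN and
    return what sits between the angle brackets, else the sentinel."""
    for field in extension_text.split("\n"):
        if "othername:UPN" in field:
            start = field.find("<") + 1
            end = field.find(">", start)
            if start == 0 or end == -1:        # entry present but malformed
                return UPN_NOT_FOUND
            return field[start:end]
    return UPN_NOT_FOUND


def upn_is_acceptable(upn: str, allowed_domains: set) -> bool:
    """Only accept user@domain where the domain is one the deployment expects,
    so a certificate from a trusted CA but a foreign realm is not mapped."""
    m = re.fullmatch(r"[A-Za-z0-9._-]+@([A-Za-z0-9.-]+)", upn)
    return bool(m) and m.group(1).lower() in allowed_domains


def ldap_filter_for_upn(upn: str) -> str:
    """Build the assumed (userPrincipalName=...) filter used to look up
    sAMAccountName, escaping RFC 4515 metacharacters so the certificate
    value cannot alter the filter."""
    escaped = "".join("\\%02x" % ord(c) if c in "\\*()\x00" else c for c in upn)
    return "(userPrincipalName=%s)" % escaped
```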
At this point, you have a fully deployed VPE capable of supporting smart card authentication and have statically created a username and password that will be included in your HTTP Post to the web application.
At this point, we have successfully configured all components required to support this use case so let's attempt access.
In my first attempt I actually was not successful and received no logon error. This is likely one of two things: either I did not assign my SSO profile or the Start URI is incorrect. Let's validate.
Ahhh, now I see! Human error, of course. I typed the Start URI incorrectly, so there was no URI match.
After modifying the Start URI to the correct URI, I am now able to successfully log in using the SSO configuration in this guide.
I am by no means saying this will be a common configuration though it is a use case that I have seen in the field more than once. As always, if it helps at least one of you out there it was well worth it. Until next time.