Welcome to Cool Solutions
Access Management Authentication Class Extension to Retrieve Password for Single Sign-on
Introduction:
Have you ever had to provide Single Sign-on to web applications while protecting the reverse proxy with a contract that does not prompt for the user's password (e.g. X509, Radius, Kerberos, NMAS, ...)? Did the web application only support basic or form-based authentication? Then you know that retrieving the password so it can be used in a form or header can be a big challenge: because the password was never entered during the login process, there is no password cached in the LDAP credentials.
With this Authentication Class Extension this problem is solved! It is very easy to configure and also very secure: no additional passwords need to be saved in clear text or on the file system. This Authentication Class Extension works for Identity Injection AND for Form Fill.
After the user has successfully authenticated with the first authentication method (X509, Radius, Kerberos, NMAS, ...), a second authentication method configured in the same contract does all the work you had to do yourself in the past: it retrieves the user's password directly from the User Store and adds it to the LDAP credentials, so the only thing left for you to do is use it in the Access Manager Policies.
Here's how the method works:
- The first Authentication Method identifies a user in the User Store.
- This user is passed on to the PwLookupLogin class. If no user is found, the error "No Authenticated User Found" is displayed to the user.
- The system tries to make an LDAP connection to the first configured replica in the User Store. If this fails, it tries the next replica until all replicas have failed. If no connection could be established, the error "Ldap Connection Error" is shown to the user.
- If there is a valid LDAP connection, the system looks for the property "useSimplePassword". If this property is present, we query for the user's Simple Password; otherwise we query for the user's Universal Password.
- If the password retrieval is successful, the password is added to the LDAP credentials and can be used for Form Fill or Identity Injection.
- If the password retrieval was not successful, the system looks for the property "SSOshowError". If this property is present, the error "Single Sign-on Error" is displayed to the user. If the property is not present, authentication continues but no password is added to the LDAP credentials.
The process is shown in the diagram below.
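The following is an added model of the decision flow described in the list above. It is not the extension's own code and does not use the Access Manager or NMAS APIs: the LDAP connection and the password lookup are injected as callables (`sample_connect` and `sample_lookup` are constructed stand-ins), so the replica failover, the "useSimplePassword" switch and the "SSOshowError" behaviour can be exercised offline. The replica URLs, user DN and secret value are constructed sample data.

```python
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Optional
from urllib.parse import urlsplit

# User-visible messages named on the page.
NO_USER = "No Authenticated User Found"
CONN_ERROR = "Ldap Connection Error"
SSO_ERROR = "Single Sign-on Error"


@dataclass
class Result:
    status: str                          # "success", "continue" (no password) or "error"
    message: Optional[str] = None        # error text shown to the user, if any
    replicas_tried: int = 0
    password_kind: Optional[str] = None  # "simple" or "universal"
    failures: List[str] = field(default_factory=list)


def property_set(properties: Dict[str, Optional[str]], name: str) -> bool:
    """Page rule: a property counts when present and not null ('on' is the usual value)."""
    return properties.get(name) is not None


def pw_lookup_login(user_dn: Optional[str], replicas: List[str],
                    properties: Dict[str, Optional[str]], credentials: Dict[str, str],
                    connect: Callable[[str], object],
                    lookup: Callable[[object, str, str], Optional[str]]) -> Result:
    """Second method in the contract: reuse the identified user, fetch its password."""
    if not user_dn:
        return Result("error", NO_USER)

    result = Result("error")
    conn = None
    for url in replicas:                 # replicas in configured order, first success wins
        result.replicas_tried += 1
        try:
            if urlsplit(url).scheme.lower() != "ldaps":
                raise ValueError("clear-text replica not allowed")
            conn = connect(url)
            break
        except (OSError, ValueError) as exc:
            result.failures.append(f"{url}: {exc}")
    if conn is None:
        result.message = CONN_ERROR
        return result

    result.password_kind = "simple" if property_set(properties, "useSimplePassword") else "universal"
    password = lookup(conn, user_dn, result.password_kind)
    if password:
        credentials["password"] = password   # now usable by Form Fill / Identity Injection
        result.status = "success"
    elif property_set(properties, "SSOshowError"):
        result.message = SSO_ERROR
    else:
        result.status = "continue"           # authenticated, but without a password
    return result


# --- constructed sample back end (stands in for the real LDAP/NMAS calls) -----
REACHABLE = {"ldaps://10.0.0.10:636/"}      # constructed: the only replica that answers


def sample_connect(url: str) -> str:
    if url not in REACHABLE:
        raise ConnectionError("No route to host")
    return url                               # a real connector returns an LDAP context


def sample_lookup(conn: str, user_dn: str, kind: str) -> Optional[str]:
    # Constructed: only the universal password of one user is readable by the bind account.
    store = {("cn=duvel,o=users", "universal"): "constructed-secret"}
    return store.get((user_dn, kind))


def demo():
    creds: Dict[str, str] = {}
    res = pw_lookup_login(
        "cn=duvel,o=users",
        ["ldap://10.0.0.11:389/", "ldaps://replica2.example:636/", "ldaps://10.0.0.10:636/"],
        {"debug": "on"}, creds, sample_connect, sample_lookup)
    return res, creds


if __name__ == "__main__":
    res, creds = demo()
    print(res.status, res.replicas_tried, res.password_kind, "password" in creds)
    for failure in res.failures:
        print("  replica failed:", failure)
```

The demo walks the same path as the three-replica troubleshooting example later on this page: the clear-text replica and the unreachable replica are recorded as failures, the third replica is used, and the password lands in the credentials map. With "SSOshowError" absent, a failed lookup leaves the user authenticated but without a password, which is exactly the silent case the debug log exists to surface.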
Installation:
Get the BA Authentication modules here: http://www.novell.com/communities/node/2804
On the Identity server(s):
- Copy ba-idp-auth.jar and NMASToolkit.jar to /var/opt/novell/tomcat4/webapps/nidp/WEB-INF/lib
- Restart Tomcat
Configuration:
You'll need to create a new Authentication Class.
- For the Java class, choose other.
- For the Java class path, type: com.novell.ba.idpauth.PwLookupLogin
- For the properties, see the table and the examples below.
| Property Name | Default Value | Description |
|---|---|---|
| useSimplePassword | n/a | If this property is present and not null, the Simple Password is retrieved instead of the Universal Password. Example: `on` |
| SSOshowError | n/a | If this property is present and not null and the system could not retrieve the password, the error JSP is displayed with the message "Single Sign-on Error". If the property is absent, authentication continues but no password is stored in the LDAP credentials. Example: `on` |
| debug | n/a | If this property is present and not null, debug output is enabled. Example: `on` |
Then you need to create Authentication Methods & Contracts as described at http://www.novell.com/documentation/novellaccessmanager/adminguide/data/b1tvhkg.html
Be aware that when you define the Authentication Contract, the PwLookupLogin method must be placed after the Authentication Method you want to extend.
User Store Configuration:
There are some things that need to be done for the User Store configured in the first authentication method:
- The User Store must be of type eDirectory, and its replicas must use secure LDAP (LDAPS) connections.
- The users must have a Universal Password or a Simple Password set.
- When you use Universal Password, you must give the User Store bind user the privilege to read the Universal Password. This is done in "Passwords - Password Policies" in iManager.
For more information: http://www.novell.com/documentation/password_management32/index.html
If an older version of NMAS is running in the user store, you can also use the option "Allow admin to retrieve passwords".
Troubleshooting:
For troubleshooting there is only one important thing you need to know: if you enabled debug in the Properties tab, use the following command in bash:
```
tail -f /var/opt/novell/tomcat4/logs/catalina.out | grep BADEBUG
```
If you don't find any BADEBUG entries, check whether the jar is present on the server and whether the Authentication Method has been set up correctly. If you do see these entries, they will tell you what is going wrong.
UserPassword correctly added:
```
BADEBUG - PwLookupLogin v1.00
BADEBUG - UserName = CN=duvel, O=users
BADEBUG - Replica = 0
BADEBUG - ReplicaCount = 2
BADEBUG - BindURL = ldaps://10.0.0.10:636/
BADEBUG - BindUser = cn=AccManAccount,o=services
BADEBUG - BindPassword = ******
BADEBUG - ConnectLdap = OK
BADEBUG - UserPassword = *********
BADEBUG - UserPassword added to LDAPCredentials
BADEBUG - PwLookupLogin Success
```
In the next example the system tries to connect to three replicas: the first is a clear-text replica (not allowed), the second is an invalid LDAP server, and the third succeeds.
```
BADEBUG - PwLookupLogin v1.00
BADEBUG - UserName = CN=duvel, O=users
BADEBUG - Replica = 0
BADEBUG - ReplicaCount = 5
BADEBUG - BindURL = ldap://10.0.0.11:389/
BADEBUG - BindUser = cn=AccManAccount,o=services
BADEBUG - BindPassword = ******
BADEBUG - ConnectLdap = javax.naming.CommunicationException: simple bind failed: 149.44.38.252:389 [Root exception is javax.net.ssl.SSLException: Unrecognized SSL message, plaintext connection?]
BADEBUG - Replica = 1
BADEBUG - ReplicaCount = 5
BADEBUG - BindURL = ldaps://10.0.0.10:636/
BADEBUG - BindUser = cn=AccManAccount,o=services
BADEBUG - BindPassword = ******
BADEBUG - ConnectLdap = javax.naming.CommunicationException: 149.44.38.254:636 [Root exception is java.net.NoRouteToHostException: No route to host]
BADEBUG - Replica = 2
BADEBUG - ReplicaCount = 5
BADEBUG - BindURL = ldaps://10.0.0.10:636/
BADEBUG - BindUser = cn=AccManAccount,o=services
BADEBUG - BindPassword = ******
BADEBUG - ConnectLdap = OK
BADEBUG - UserPassword = ******
BADEBUG - UserPassword added to LDAPCredentials
BADEBUG - PwLookupLogin Success
```
There is no Authentication Method preceding the PwLookupLogin method:
```
BADEBUG - PwLookupLogin v1.00
BADEBUG - No Authenticated User Found
BADEBUG - PwLookupLogin Failed
```
The Universal Password could not be retrieved; check the user store configuration:
```
BADEBUG - PwLookupLogin v1.00
BADEBUG - UserName = cn=duvel,o=users
BADEBUG - Replica = 0
BADEBUG - ReplicaCount = 1
BADEBUG - BindURL = ldaps://149.44.38.78:636/
BADEBUG - BindUser = cn=AccManAccount,o=services
BADEBUG - BindPassword = *********
BADEBUG - ConnectLdap = OK
BADEBUG - Get Universal Password Error = com.novell.security.nmas.mgmt.NMASPwdException
BADEBUG - UserPassword =
BADEBUG - PwLookupLogin Failed
```
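Reading these excerpts by eye is fine for one login; for a busy Identity Server it helps to have the grep output summarised per attempt. The script below is an added triage helper, not part of the extension: it groups BADEBUG lines into attempts (one per "PwLookupLogin v" banner), records each replica result, classifies the outcome using the messages shown above, and flags two things a defender cares about: a clear-text `ldap://` replica in the User Store, and any BindPassword or UserPassword line that is not masked with asterisks (the extension masks them, so an unmasked value in catalina.out means a secret has leaked into the log). The sample log is constructed from the excerpts on this page; its last attempt is deliberately written with an unmasked value to exercise that check.

```python
import re
import sys
from dataclasses import dataclass, field
from typing import Iterable, List, Optional

# "BADEBUG - Key = value"; search() tolerates any Tomcat timestamp prefix.
KV = re.compile(r"BADEBUG - (?P<key>[A-Za-z ]+?)\s*=\s*(?P<value>.*)$")
MASKED = re.compile(r"^\*+$")


@dataclass
class Attempt:
    user: Optional[str] = None
    replicas: List[str] = field(default_factory=list)  # "<BindURL> -> OK|<exception>"
    outcome: str = "incomplete"                        # success | failed | incomplete
    problems: List[str] = field(default_factory=list)
    unmasked_secrets: List[str] = field(default_factory=list)


def parse_attempts(lines: Iterable[str]) -> List[Attempt]:
    """Group BADEBUG lines into attempts; a new attempt starts at each version banner."""
    attempts: List[Attempt] = []
    cur: Optional[Attempt] = None
    url = "?"
    for raw in lines:
        line = raw.rstrip()
        if "BADEBUG - " not in line:
            continue
        if "PwLookupLogin v" in line:
            cur = Attempt()
            attempts.append(cur)
            continue
        if cur is None:
            continue
        if line.endswith("No Authenticated User Found"):
            cur.problems.append("no authenticated user: check method order in the contract")
        elif line.endswith("PwLookupLogin Success"):
            cur.outcome = "success"
        elif line.endswith("PwLookupLogin Failed"):
            cur.outcome = "failed"
        m = KV.search(line)
        if not m:
            continue
        key, value = m.group("key").strip(), m.group("value").strip()
        if key == "UserName":
            cur.user = value
        elif key == "BindURL":
            url = value
            if value.lower().startswith("ldap://"):
                cur.problems.append(f"clear-text replica configured: {value}")
        elif key == "ConnectLdap":
            cur.replicas.append(f"{url} -> {value}")
        elif key in ("BindPassword", "UserPassword"):
            # The extension masks secrets; anything else here is a leak into the log.
            if value and not MASKED.match(value):
                cur.unmasked_secrets.append(key)
            if key == "UserPassword" and not value:
                cur.problems.append("empty UserPassword: lookup returned nothing")
        elif key.endswith("Error"):
            cur.problems.append(f"{key}: {value}")
    return attempts


def summarize(attempt: Attempt) -> str:
    parts = [f"user={attempt.user or '-'}", f"outcome={attempt.outcome}",
             f"replicas={len(attempt.replicas)}"]
    if attempt.problems:
        parts.append("problems=" + "; ".join(attempt.problems))
    if attempt.unmasked_secrets:
        parts.append("UNMASKED SECRET in " + ",".join(attempt.unmasked_secrets))
    return " ".join(parts)


# Constructed sample modelled on the excerpts above (not a real capture).
SAMPLE_LOG = """
BADEBUG - PwLookupLogin v1.00
BADEBUG - UserName = CN=duvel, O=users
BADEBUG - BindURL = ldap://10.0.0.11:389/
BADEBUG - BindPassword = ******
BADEBUG - ConnectLdap = javax.naming.CommunicationException: simple bind failed [Root exception is javax.net.ssl.SSLException: Unrecognized SSL message, plaintext connection?]
BADEBUG - BindURL = ldaps://10.0.0.10:636/
BADEBUG - BindPassword = ******
BADEBUG - ConnectLdap = OK
BADEBUG - UserPassword = *********
BADEBUG - UserPassword added to LDAPCredentials
BADEBUG - PwLookupLogin Success
BADEBUG - PwLookupLogin v1.00
BADEBUG - No Authenticated User Found
BADEBUG - PwLookupLogin Failed
BADEBUG - PwLookupLogin v1.00
BADEBUG - UserName = cn=duvel,o=users
BADEBUG - BindURL = ldaps://10.0.0.10:636/
BADEBUG - ConnectLdap = OK
BADEBUG - Get Universal Password Error = com.novell.security.nmas.mgmt.NMASPwdException
BADEBUG - UserPassword =
BADEBUG - PwLookupLogin Failed
BADEBUG - PwLookupLogin v1.00
BADEBUG - UserName = cn=duvel,o=users
BADEBUG - BindURL = ldaps://10.0.0.10:636/
BADEBUG - BindPassword = not-a-real-password
BADEBUG - ConnectLdap = OK
BADEBUG - UserPassword = *********
BADEBUG - PwLookupLogin Success
""".strip().splitlines()

if __name__ == "__main__":
    # Usage: python3 badebug_triage.py [catalina.out]; without a path the sample runs.
    lines = open(sys.argv[1]).read().splitlines() if len(sys.argv) > 1 else SAMPLE_LOG
    for attempt in parse_attempts(lines):
        print(summarize(attempt))
```

Pointing the script at catalina.out (or at the saved output of the grep command above) gives one line per login attempt, so a contract misordering, a clear-text replica, or a Universal Password read-privilege problem shows up without scrolling through the raw debug output. Treat an "UNMASKED SECRET" line as an incident for the log file itself: rotate the affected credential and restrict who can read the log.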
Wow - if this works as described!
This will make federation actually very useful when partners can't send the password in SAML.
SAML support not yet available...
Currently this extension will only work in combination with local authentication classes. I need to do some additional work to make it work with authentication provided by external parties. I haven't decided yet if I'll update this extension or if I'll create a dedicated extension to support SAML.
SAML Please
I guess I misunderstood the details; I thought this would work if you came in via SAML. Do you have an idea whether you are going to customize the class for use with SAML?
Thanks