Handling SSO Failures due to Link Identification Text Mismatches
Novell Cool Solutions: Feature
By Girish Mutt
Posted: 4 Nov 2005
Novell SecureLogin is a single sign-on (SSO) technology that eliminates the need for Windows users to remember usernames and passwords for the various applications they use after initial login. The usernames and passwords are stored and automatically entered into the corresponding fields when Windows, Java, Web and other applications are launched. Users are therefore asked to enter their username and password for an application only the first time they use it. Because security is an important aspect, users have the option of using various directories to store their data in encrypted form.
By far, Novell SecureLogin is the most versatile Single Sign-On product. It provides interoperability not only with Novell eDirectory as a back-end directory server, but also with other directory servers such as Active Directory and other LDAP-compliant servers.
One of the major uses of Novell SecureLogin is providing SSO functionality to Web applications with or without optional fields. By default, NSL provides a set of Web applications for which pre-configured scripts exist. As soon as you launch these Web applications, a message box indicates that a pre-built script exists for that Web application. Then you can provide the username and password in the NSL message box, which will be used by the pre-built script.
Most web applications do not have these pre-built scripts. In such cases, you need to configure the web applications manually to enable SSO. For most login pages in a particular site, as soon as you enter the user name and password and click "login," a message box asks whether to save the details for that particular page or for all the pages in that site.
Web Link Identification Text
(Note: In most places where the term "link identification text" is used, it simply refers to the various URL links of a site.)
Choosing to save all the pages in the site does not mean that SSO will work for all the pages in that site. This is because NSL has stored the SSO credentials for a particular web page with link identification text. That enables it to work for all pages in that site that have the same link identification text as part of the URL, and they will be saved as a script.
In most web sites, access to services is based on the single user ID and password. But one common problem from the SSO point of view is that the identification text varies a lot from link to link.
For example, assume that you want to have SSO for all the links of the site www.indiatimes.com, which provides access to all its services based on a single user ID and password. When you save the SSO credentials for all the pages of the site, NSL uses link identification text such as in.indiatimes.com. This works for all links in the web site with "in.indiatimes.com" as the link text. If any links in this site are different, such as economictimes.indiatimes.com or chat.indiatimes.com, the SSO script will not work - these links don't have "in.indiatimes.com" as the link text. The existing script, which should have worked with all the links in the www.indiatimes.com site, won't work.
If you choose SSO for all the pages in that site, it will provide those credentials to all those pages, if the link contains the same identification text as that of the saved script. In such situations, you need to find the identification text that appears in all the pages of that site and save it as part of the default script of that site.
This problem can be easily overcome by changing the link identification text that is used to identify the various pages of the site. This can be done during the initial phase of saving SSO credentials for all the pages of the site. Below are the steps to follow. It is assumed we want SSO for all the links of the site www.indiatimes.com, which uses the same user ID and password for all the services offered in the site.
1. Enter the credentials to access the e-mail services of the site. Go to www.indiatimes.com, enter the login user ID and password on that page to access the email services, and click Sign In. NSL will identify that it needs to save the credentials for this page and ask you whether to save the credentials for this page or all the pages in the site.
Here we want to save the credentials for all the pages of the site at once, such as economictimes.indiatimes.com and chat.indiatimes.com. By default, NSL will use the in.indiatimes.com link as the identification text, but as we know, not all links in this site have in.indiatimes.com as part of the link. SSO will happen only in those links that have in.indiatimes.com; for others, it fails.
2. Find the identification text that exists in all the links of the site. In this case, that common identification text is "indiatimes.com".
3. Since this site doesn't have a pre-built script, you need to configure SSO manually for this site. At the www.indiatimes.com site, enter the credentials to access the services. NSL will identify the web page and ask you whether you want to store SSO information for this page or all the pages in this site, as shown in Figure 1:
Figure 1 - Default URL used by NSL for providing SSO to all the pages in the www.indiatimes.com site
Note: Other options, such as URL, Username, and Password can be accessed by clicking Details in the NSL prompt.
4. When NSL prompts you to save the SSO credentials, go to the URL and delete the "in" from in.indiatimes.com, because the common identification text that exists in all the links of this site is "indiatimes.com".
5. After removing the "in" text, click Yes to save the credentials.
Figure 2 - Modifying the default link identification text for SSO at the site www.indiatimes.com
After you modify your link identification text and save the credentials, you will have SSO for all the pages of the www.indiatimes.com site.
This same procedure can be used to solve SSO failure for all the pages of a site due to changes in the link text.
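Step 2 of the procedure, finding the text common to all links, can be checked before the credentials are saved. The sketch below is an added example and not part of Novell SecureLogin: it assumes matching is a plain substring test on the URL, as the article describes, and the function names and the trailing "/" paths are constructed for illustration.

```python
from urllib.parse import urlsplit

# Hosts taken from the article; scheme and path are constructed sample values.
SITE_LINKS = [
    "http://in.indiatimes.com/",
    "http://economictimes.indiatimes.com/",
    "http://chat.indiatimes.com/",
]

def host_of(url):
    """Return the lower-cased host of a URL; bare host names are accepted too."""
    if "//" not in url:
        url = "//" + url
    return (urlsplit(url).hostname or "").lower()

def common_identification_text(urls):
    """Longest run of trailing DNS labels shared by every host in urls."""
    reversed_labels = [host_of(u).split(".")[::-1] for u in urls]
    common = []
    for labels in zip(*reversed_labels):
        if len(set(labels)) != 1:
            break
        common.append(labels[0])
    # A single shared label such as "com" would match unrelated sites under
    # the substring model, so refuse to suggest it.
    if len(common) < 2:
        raise ValueError("links share no identification text narrower than one label")
    return ".".join(reversed(common))

def covered(identification_text, urls):
    """URLs that contain the identification text (assumed substring match)."""
    needle = identification_text.lower()
    return [u for u in urls if needle in u.lower()]

if __name__ == "__main__":
    default_text = "in.indiatimes.com"        # what NSL proposes by default
    widened_text = common_identification_text(SITE_LINKS)
    for text in (default_text, widened_text):
        hits = covered(text, SITE_LINKS)
        print(f"{text!r} covers {len(hits)} of {len(SITE_LINKS)} links")
```

Keeping the shared text at whole-label granularity avoids shortening it further than the site's links require.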