Thursday, 9 October 2014

Form Based Single Sign on configuration in TAM



Forms Single Sign On:

1. The back-end application is unaware that the login form is not coming directly from the user.

2. WebSEAL supplies the data required by the login form and submits the login form on behalf of the user.

3. WebSEAL saves and restores all cookies and headers.

4. The user is unaware that a second login is taking place.


TAM provides a default FSSO (Forms Single Sign On) configuration template file.

Location of Template conf file:

Unix:

/opt/pdweb/etc/fsso.conf.template

Windows:

C:\Program Files\Tivoli\PDWeb\etc\fsso.conf.template

The fsso.conf file is written to match the back-end application's login form.

Configuration: fsso.conf

[forms-sso-login-pages] stanza

1. The forms single signon configuration file must always begin with the [forms-sso-login-pages] stanza.

2. The stanza contains one or more login-page-stanza entries that point to other custom-named stanzas that contain configuration information for the login pages found on the back-end application server.

 For example:

 [forms-sso-login-pages]
 login-page-stanza=tds

Custom login page stanza

1. Each login-page-stanza value defined in [forms-sso-login-pages] results in the creation of a custom stanza that is used to intercept a particular URL pattern.

Example:

 login-page = /IDSWebApp/IDSjsp/Login.jsp
 login-form-action = IDSWebApp/IDSHome
 gso-resource = TDS_GSO
 argument-stanza = args-for-tds-login-page

Custom login page stanza: login-page

1. The value of the login-page stanza entry is a regular expression that WebSEAL uses to determine if an incoming request is actually a request for a login page.

2. WebSEAL intercepts this request and begins the forms single signon processing.

3. Only one login-page stanza entry is allowed in each custom login page stanza.

Example:

 login-page = /cgi-bin/getloginpage*

Custom login page stanza: login-form-action

1. This stanza entry is used to identify the login form on the intercepted page.

2. Only one login-form-action stanza entry is allowed in each stanza.

3. The value is a regular expression that is compared against the contents of the "action" attribute of the HTML "form" tag.

4. If multiple "action" attributes on the page match the regular expression, only the first match is accepted as the login form.

Example:

 login-form-action = *

Argument Stanza

1. The custom argument stanza contains one or more entries in the following form: name = method:value

2. name: the value of the name variable is set to equal the value of the "name" attribute of the HTML "input" tag. For example:

 <input name=uid type=text>Username</input>

3. This variable can also use the value of the "name" attribute of the HTML "select" or "textarea" tags.

method:value

4. This combination retrieves the authentication data required by the form. The authentication data can include:

5. Literal string data

 string:text

 The input used is the text string.

6. Value of an attribute in the user's credential

 cred:cred-ext-attr-name

7. GSO user name and password

 gso:username
 gso:password

 The input is the current user's GSO username and password (from the target specified in the custom login page stanza).

8. It is not necessary to specify hidden input fields in this stanza. These fields are automatically retrieved from the HTML form and submitted with the authentication request.

Example A:

 [args-for-tds-login-page]

 idsuserid = gso:username

 idspasswd = gso:password

Example B:

 [args-for-tds-login-page]

 idsuserdn = cred:azn_cred_principal_name

 idsuserpwd = string:Passw0rd

To enable FSSO, create the junction with the -S option and specify the full path of the fsso.conf file.

 Example:

 server task default-webseald-tam create -t tcp -h tam -p 9080 -b gso -T TDS_GSO -S /opt/pdweb/etc/tds_fsso.conf -i /tds_gso_junct

 * /opt/pdweb/etc/tds_fsso.conf is the FSSO configuration file
 * TDS_GSO is the GSO resource
 * /tds_gso_junct is the junction name.

Configure your user for GSO and give the GSO credentials to be used for IDSWebApp.

With this, your IDSWebApp URL is configured for FSSO (Forms Single Sign On).

Access the URL and the WebSEAL login page will appear; enter the credentials and you should be automatically logged in to IDSWebApp.
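As an added example (not part of this post and not IBM's code), the following Python script assembles the stanzas discussed above into a complete fsso.conf and checks its argument stanza against the back-end login form the way the post describes WebSEAL's matching: pick the first form whose action matches login-form-action, supply the named fields listed in the argument stanza, let hidden fields be picked up automatically, and flag any other named field that has no entry. Both the fsso.conf text and the login page are constructed sample input; the assumption that login-form-action patterns behave like shell-style wildcards follows the "*" examples in the post and is not WebSEAL's actual matcher.

```python
"""Check an fsso.conf argument stanza against a back-end login form.

Added example for the post; not IBM's code and not WebSEAL's real parser.
Assumption: login-form-action is matched as a shell-style wildcard.
"""
import configparser
import fnmatch
from html.parser import HTMLParser

# Constructed fsso.conf, assembled from the stanza entries shown in the post.
FSSO_CONF = """\
[forms-sso-login-pages]
login-page-stanza = tds

[tds]
login-page = /IDSWebApp/IDSjsp/Login.jsp
login-form-action = /IDSWebApp/IDSHome
gso-resource = TDS_GSO
argument-stanza = args-for-tds-login-page

[args-for-tds-login-page]
idsuserid = gso:username
idspasswd = gso:password
"""

# Constructed login page standing in for the back-end application. The first
# form (a search box) shows that only the form matching login-form-action counts.
LOGIN_PAGE = """\
<html><body>
<form action="/IDSWebApp/search" method="get"><input name="q" type="text"></form>
<form action="/IDSWebApp/IDSHome" method="post">
  <input name="idsuserid" type="text">
  <input name="idspasswd" type="password">
  <input name="remember" type="checkbox">
  <input name="csrf" type="hidden" value="constructed-token">
  <input type="submit" value="Login">
</form>
</body></html>
"""

VALID_METHODS = {"string", "cred", "gso"}  # the three methods the post lists


class FormCollector(HTMLParser):
    """Collect every <form> with its action and its named input/select/textarea fields."""

    def __init__(self):
        super().__init__()
        self.forms = []
        self._current = None

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "form":
            self._current = {"action": a.get("action") or "", "fields": []}
            self.forms.append(self._current)
        elif tag in ("input", "select", "textarea") and self._current is not None:
            name = a.get("name")
            if name:
                # select/textarea have no type attribute; record the tag name instead
                ftype = (a.get("type") or "text").lower() if tag == "input" else tag
                self._current["fields"].append((name, ftype))

    def handle_endtag(self, tag):
        if tag == "form":
            self._current = None


def load_fsso(text):
    """Parse fsso.conf; option names keep their case because they are form field names."""
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    cp.optionxform = str
    cp.read_string(text)
    return cp


def select_login_form(html, action_pattern):
    """Return the first form whose action matches the pattern (only the first match counts)."""
    collector = FormCollector()
    collector.feed(html)
    for form in collector.forms:
        if fnmatch.fnmatchcase(form["action"], action_pattern):
            return form
    return None


def check_coverage(fsso_text, html, stanza_name=None):
    """Compare the argument stanza with the named fields of the intercepted login form."""
    cp = load_fsso(fsso_text)
    if stanza_name is None:
        stanza_name = cp["forms-sso-login-pages"]["login-page-stanza"]
    page = cp[stanza_name]
    form = select_login_form(html, page["login-form-action"])
    if form is None:
        raise ValueError("no form action matches %r" % page["login-form-action"])
    args = cp[page["argument-stanza"]]
    report = {"supplied": {}, "hidden": [], "missing": [], "bad_method": []}
    for name, ftype in form["fields"]:
        if name in args:
            method, _, value = args[name].partition(":")
            if method not in VALID_METHODS:
                report["bad_method"].append(name)
            report["supplied"][name] = (method, value)
        elif ftype == "hidden":
            report["hidden"].append(name)  # WebSEAL takes these from the page itself
        elif ftype in ("submit", "button", "image", "reset"):
            continue  # buttons carry no authentication data
        else:
            report["missing"].append(name)  # no stanza entry: would be submitted empty
    return report


if __name__ == "__main__":
    for key, val in check_coverage(FSSO_CONF, LOGIN_PAGE).items():
        print("%-10s %s" % (key, val))
```

Running the script against the sample input reports idsuserid and idspasswd as supplied from GSO, csrf as a hidden field WebSEAL fills in on its own, and the remember checkbox as a named field the stanza does not cover. Calling select_login_form with the pattern "*" returns the search form, which is why a catch-all login-form-action is risky on pages that carry more than one form.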
