Single sign on (SSO) support

In the IPS Reference Guide (http://docs.iplanet.com/docs/manuals/portal/30/progref/signon.htm), there is this statement: "A system administrator can also pre populate URLs in the Profile database". It appears in the context of how to pass along user authentication information (namely, the password), e.g. "(The gateway) monitors user logins, then writes the URL and encrypted authentication information to the Profile Server."

I wonder how EXACTLY an admin can "pre populate URLs" (encrypted? if so, how? etc.). Any example, please?

Thanks,

Bing

[601 byte] By [708973] at [2007-11-25 4:40:45]
# 1

What this means is there are two special cases where the single sign on is automatically handled by the gateway.

For http basic authentication, when you log in for the first time the gateway monitors the user's login, then writes the URL and encrypted authentication information to the Profile Server. So when he logs in the next time it retrieves that information from the profile and automatically logs him in to the servers.

This encrypted authentication information is written to the profile of each user.

This can be pre populated.

Check the iwtUser.xml, which contains the exact attribute name that stores these URLs.

Karthik_Krishnamoorthy at 2007-6-29 3:15:34
# 2
Hi Karthik, I read your post below and am still unable to figure out how to prepopulate the URL with the auth info. I went through the XML, but it was of no use. Can you give more information? Thanks
706602 at 2007-6-29 3:15:34
# 3

The passwords are stored encrypted, and I believe the format is something like "Authenticate:encrypted username password" or "Authenticate username and password"; I don't remember 100% off the top of my head. I will check and let you know.

One way to get the format would be to log in to your portal through the gateway and then access your portal web server admin console via something like https://gateway/http://webserver:port. This should prompt you for authentication; if you have http basic authentication enabled it will store your username and password locally in your profile, as the web server admin console uses basic auth.

Karthik_Krishnamoorthy at 2007-6-29 3:15:34
# 4

When http basic authentication is enabled in the gateway configuration, the gateway stores the login/password in the profile server in the attribute "iwtUser-WWW-Authorization-at".

There is NO encryption, it is just Base64 encoded.

It is also persisted in the LDAP database.

It also covers the anonymous account, so anyone using this account and browsing http-basic-auth protected web sites, providing his login & password, will allow anyone else using the same account to enter these protected sites with his account... nice, isn't it?

And there's more: it might be far from impossible to hack the LDAP database and access all profile data, because there is only one login/password to access the whole database, provided when installing the product, and stored in /etc/opt/SUNWips/properties.file with no encryption. Notice that the file is readable only by root.

I consider it definitely too weak to be trusted, so I deactivated it in our corporate portal.

Hope it will be seriously managed with iPS 6.

Michael ZILBERMANN

PSA Corporate Portal Technical Designer

Michael ZILBERMANN at 2007-6-29 3:15:34
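As an added illustration of the point made in this post (not code from the thread or from iPS): a small audit routine that scans exported profile attributes and reports any that hold an HTTP Basic credential in Base64-only form, which is recoverable by anyone who can read the attribute. The attribute name is the one named in the post; the sample user, password and export layout are constructed for the example, and the assumption that the stored value is literally the `Basic <base64>` token is an assumption, not a documented format.

```python
import base64
import binascii
import re

# Attribute name from the post; the credential bytes below are constructed for this example.
SAMPLE_ATTRIBUTE = "iwtUser-WWW-Authorization-at"
SAMPLE_VALUE = "Basic " + base64.b64encode(b"jdoe:s3cret-example").decode("ascii")

# Assumed shape of a stored HTTP Basic token: the scheme name followed by Base64 text.
BASIC_TOKEN = re.compile(r"Basic\s+([A-Za-z0-9+/]+={0,2})")


def decode_basic_credential(value: str):
    """Return (user, password) if `value` carries a Base64-only Basic credential, else None.

    Base64 is an encoding, not encryption: if this returns a pair, anyone who can
    read the attribute can recover the password just as easily.
    """
    match = BASIC_TOKEN.search(value)
    if match is None:
        return None
    try:
        raw = base64.b64decode(match.group(1), validate=True)
        text = raw.decode("utf-8")
    except (binascii.Error, ValueError):
        return None
    if ":" not in text:
        return None
    user, _, password = text.partition(":")
    return user, password


def audit_profile(attributes: dict) -> list:
    """Scan an exported profile (attribute name -> value or list of values).

    Returns one finding per attribute that stores a recoverable Basic credential.
    The password itself is never included in the finding, only its length.
    """
    findings = []
    for name, value in attributes.items():
        values = value if isinstance(value, list) else [value]
        for v in values:
            cred = decode_basic_credential(str(v))
            if cred is not None:
                user, password = cred
                findings.append(
                    f"{name}: Basic credential for user '{user}' stored Base64-only "
                    f"(password length {len(password)}); treat as cleartext"
                )
    return findings


if __name__ == "__main__":
    # Constructed export: one attribute holding the weak credential, one harmless attribute.
    export = {SAMPLE_ATTRIBUTE: [SAMPLE_VALUE], "cn": "jdoe"}
    for finding in audit_profile(export):
        print(finding)
```

Running this against a real LDAP export would be the quick check for whether the deactivation Michael describes is warranted on a given deployment; a clean result means no attribute matched the assumed token shape, not that the stored value is encrypted.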
# 5
Yes, you're right, it's just base64 encoded. The properties file is handled differently in 6.0.
Karthik_Krishnamoorthy at 2007-6-29 3:15:34