Solved

How to pass Siteminder HTML Forms user/password information

Posted on 2005-03-11
Last Modified: 2012-08-14
I am using SiteMinder 5.5 on Windows 2000 platforms protecting IIS websites and would like to do the following:  I would like to find a way to dynamically pass User/Password information to the .fcc HTML Form security (if there is a better way, it doesn't _have_ to be this security setup).  Ideally, I would go to a preliminary page which would gather the credentials server side (because these are all internal people and will have been logged into our LAN already) and then pass them to the Form security and, without user interaction, let SiteMinder authenticate and authorize them just as if they had typed in their user/password.  I think this is similar to the following question:

http://www.experts-exchange.com/Security/Win_Security/Q_20451852.html

But it was closed by the author saying he found the solution, but he didn't post it. :(  Any examples would be greatly appreciated, although if you could point me in the right direction, that would be helpful, too! Thanks! :)

Steve
Question by:sgvill
10 Comments
 
LVL 51

Expert Comment

by:ahoffmann
ID: 13521745
> .. just as if they had typed in their user/password
do you mean that of AD authentication for example?

How does your SiteMinder identify users/sessions? with Cookies?
0
 
LVL 4

Author Comment

by:sgvill
ID: 13523394
Yes, they will be logged into the LAN using AD.  I don't want to point SiteMinder to AD, though, because then I have to pay for every named user in AD, even though only a small subset need it. So, I'd like to gather the UserID from NT through an ASP page, and pass that to an .fcc page, for instance, automatically submitting the username with no password.  In the SQL directory server, I will have only the usernames of those who need siteminder, with no passwords.  Therefore, if someone is logged into the network, they will not have to log in again to SiteMinder, but will only be authenticated if they exist with the proper securities in the SiteMinder user directory.

I think that SiteMinder does use Cookies to store user/sessions.
0
 
LVL 51

Assisted Solution

by:ahoffmann
ahoffmann earned 600 total points
ID: 13524304
>  I don't want to point SiteMinder to AD,
you need to install a SiteMinder Agent at AD (sorry don't know how to do that)
0
 
LVL 4

Author Comment

by:sgvill
ID: 13527502
Yes, I know how to do that (point it to AD), but that's not the solution I want.  I'd like to know how to go through an .asp script and then pass the user/password information to the .fcc file (or straight to SiteMinder).

Steve
0
 
LVL 51

Expert Comment

by:ahoffmann
ID: 13528057
sorry, no clue about .asp
but there should be a function to get usernames and credentials
0
 

Assisted Solution

by:oscarfg
oscarfg earned 600 total points
ID: 13546403
This question is not that similar to the one I posted several years ago.  However I have seen people use an ASP page that gathers user info from LDAP server or siteminder.  Once this information is gathered, using VBScript in the ASP page you can post to an FCC page with the gathered credentials.  I remember the layout but I don’t remember the code used to gather the credentials from LDAP.  When a user wanted to go to a page that was secure the user would click on a link and a second page would come up with a message stating that you are leaving the current site for a more secure site and to press OK to proceed.  This was the ASP page where all the code was located and when the user would hit OK it would post to an FCC page, if the credentials were correct it would forward them to the right page, if they were not then they would get sent to an error page.  Hopefully this will help but I don’t remember the code that was used to get the info as I did not write it.  

Oscar
0
 
LVL 15

Accepted Solution

by:
WalkaboutTigger earned 800 total points
ID: 13571918
Global.asa snippet:

-----
      'FIND LOGIN NAME IN USER DB
      dim txtLogin, loginArray, login
      txtLogin = Request.ServerVariables("LOGON_USER")
      if instr(txtLogin, "\") <> 0 then
            'strip the DOMAIN\ prefix
            loginArray = Split(txtLogin, "\")
            login = loginArray(1)
      else
            'no domain prefix present, use the value as-is
            login = txtLogin
      end if
      
      'SEARCH USER DATABASE FOR LOGIN
      'the login is bound as a parameter, never spliced into the SQL text
      dim adoCon
      dim cmd
      dim rsUsers
      set adoCon = Server.CreateObject("ADODB.Connection")
      adoCon.Open dbUsersConnectionstring
      set cmd = Server.CreateObject("ADODB.Command")
      set cmd.ActiveConnection = adoCon
      cmd.CommandType = 1      '1 = adCmdText
      cmd.CommandText = "SELECT * FROM tblCompany WHERE Login = ?"
      cmd.Parameters.Append cmd.CreateParameter("Login", 200, 1, 255, login)      '200 = adVarChar, 1 = adParamInput
      set rsUsers = cmd.Execute
      
      'CREATE SESSION VARIABLES
      if not rsUsers.EOF then
            session("sesFirstName") =  rsUsers("FirstName")
            session("sesLastName") =   rsUsers("LastName")
            session("sesLogin") =  rsUsers("Login")
            session("sesVariables") =  rsUsers("Variables")
            session("sesUserID") = rsUsers("ID")
            session("sesDepartment") = rsUsers("Department")
            session("sesEmail") = rsUsers("Email")
            session("sesSecurityCode") = rsUsers("SecurityCode")      
                              
      else
            'user not found? redirect to add user page (login is URL-encoded for the query string)
            response.redirect "newUser.asp?login=" & Server.URLEncode(login)
      end if
      
      rsUsers.Close
      set rsUsers = Nothing
      set cmd = Nothing
      adoCon.Close
      set adoCon = Nothing            
-----

I am presuming the IIS server the users are attaching to is in the same AD as the user and that IIS has integrated Windows authentication enabled.

I presume you are trying to do Single Sign-On (SSO) for this application to ease the users' pain while still protecting the integrity of the system to which "...only a few people..." need access without writing a huge check to CA for the AD named users' license fees and without making your environment overly complex.

There are several LDAP-centric ways you can do this without utilizing SiteMinder's LDAP interface.  You could, for example, create an XML or CSV file that contains the authorized users and compares the LOGON_USER to the entries in the list.  This requires some amount of administration (policies and procedures needed here) when users are added, changed or removed.

I hope this is somewhat helpful,

Walkabout
0
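
The CSV allow-list idea from the answer above, sketched as classic ASP VBScript; this is an added example, not code from the thread, and the check runs server-side on the LOGON_USER value IIS authenticated. Assumptions: the file path, the CSV layout (login in the first column) and the names NormalizeLogin and IsAuthorizedUser are hypothetical.

```vbscript
<%
' Added example, not from the thread. Hypothetical names: ALLOW_LIST,
' NormalizeLogin, IsAuthorizedUser. Assumed CSV layout: login in column 1,
' one user per line, e.g.  jsmith,Finance
Const ALLOW_LIST = "D:\secure\authorized_users.csv"  ' placeholder path, outside the web root

' Strip an optional DOMAIN\ prefix, trim, and lower-case for comparison.
Function NormalizeLogin(ByVal rawLogin)
    Dim name, pos
    name = CStr(rawLogin)
    pos = InStrRev(name, "\")
    If pos > 0 Then name = Mid(name, pos + 1)
    NormalizeLogin = LCase(Trim(name))
End Function

' True only if login matches the first column of a line in the CSV file.
Function IsAuthorizedUser(ByVal login, ByVal csvPath)
    Dim fso, ts, fields
    IsAuthorizedUser = False
    ' Empty LOGON_USER means the request was anonymous: fail closed.
    If Len(login) = 0 Then Exit Function
    Set fso = Server.CreateObject("Scripting.FileSystemObject")
    ' A missing list must deny everyone, not allow everyone.
    If Not fso.FileExists(csvPath) Then Exit Function
    Set ts = fso.OpenTextFile(csvPath, 1)   ' 1 = ForReading
    Do Until ts.AtEndOfStream
        fields = Split(ts.ReadLine, ",")
        If UBound(fields) >= 0 Then         ' skip blank lines
            If NormalizeLogin(fields(0)) = login Then
                IsAuthorizedUser = True
                Exit Do
            End If
        End If
    Loop
    ts.Close
End Function

Dim currentLogin
currentLogin = NormalizeLogin(Request.ServerVariables("LOGON_USER"))
If Not IsAuthorizedUser(currentLogin, ALLOW_LIST) Then
    Response.Status = "403 Forbidden"
    Response.Write "Access denied."
    Response.End
End If
%>
```

LOGON_USER is only populated when anonymous access is disabled for the page, which matches the answer's assumption that integrated Windows authentication is enabled.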
 
LVL 4

Author Comment

by:sgvill
ID: 13944399
I was finally able to solve my original question.

I used the following vbscript to load certain variables:

DIM sValue, sURL, sPass, sTarget, sReason
'Windows-authenticated user, with the DOMAIN\ prefix removed
sValue = Request.ServerVariables("LOGON_USER")
sValue = mid(sValue,instr(1,sValue, "\") + 1,len(sValue)-instr(1,sValue,"\"))
sPass = "dummypassword"

'TARGET and REASON come from the query string; they are HTML-encoded when written into the form below
sTarget = Request.QueryString.Item("TARGET")
sReason = Request.QueryString.Item("REASON")


Then I created a form as follows:

<FORM NAME=PWChange ACTION="login.fcc" METHOD=POST>
...
<input type=hidden name=user value="<%=Server.HTMLEncode(sValue)%>" >
<input type=hidden name=password value="<%=sPass%>">
<input type=submit value="Login">
<input type=hidden name=target value="<%=Server.HTMLEncode(sTarget)%>">
<input type="hidden" name=smauthreason value="<%=Server.HTMLEncode(sReason)%>">
....
</FORM>


The login.fcc is a standard login screen provided by SiteMinder in their samples directory.  The script above provides a button to press that submits it to login.fcc and authenticates.  I've also made it work by submitting the form on an "onload" event, so there is no user interaction at all.  

Thanks for all the ideas!

Steve
0
 

Expert Comment

by:tmjnsk
ID: 23234061
Hi Steve,

I am also looking for the same solution, with no user interaction, pass ID to fcc.
Can you please provide me the example. The above example has a login button. Does it need user interaction?
0
 

Expert Comment

by:tmjnsk
ID: 23234165
sorry..  got the solution


<html>
<head>
<script>
// submit the login form as soon as the page has loaded
function mthsubmit()
{
      document.PWChange.submit();
}
</script>
</head>
<body onload="mthsubmit();">
      <FORM NAME=PWChange   ACTION="login.fcc" METHOD=POST>
      <input type=hidden name=user value="" >
      <input type=hidden name=password value="">
      <input type=submit value="Login">
      <input type=hidden name=target value="http://localhost/../default.aspx">
      <input type="hidden" name=smauthreason value="0">
      </FORM>
</body>
</html>

0
