How to pass Siteminder HTML Forms user/password information

Posted on 2005-03-11
Last Modified: 2012-08-14
I am using SiteMinder 5.5 on Windows 2000 platforms protecting IIS websites and would like to do the following:  I would like to find a way to dynamically pass User/Password information to the .fcc HTML Form security (if there is a better way, it doesn't _have_ to be this security setup).  Ideally, I would go to a preliminary page which would gather the credentials server side (because these are all internal people and will have been logged into our LAN already) and then pass them to the Form security and, without user interaction, let SiteMinder authenticate and authorize them just as if they had typed in their user/password.  I think this is similar to the following question:

http://www.experts-exchange.com/Security/Win_Security/Q_20451852.html

But it was closed by the author saying he found the solution, but he didn't post it. :(  Any examples would be greatly appreciated, although if you could point me in the right direction, that would be helpful, too! Thanks! :)

Steve
0
Question by:sgvill
10 Comments
 
LVL 51

Expert Comment

by:ahoffmann
ID: 13521745
> .. just as if they had typed in their user/password
do you mean that of AD authentication for example?

How does your SiteMinder identify users/sessions? with Cookies?
0
 
LVL 4

Author Comment

by:sgvill
ID: 13523394
Yes, they will be logged into the LAN using AD.  I don't want to point SiteMinder to AD, though, because then I have to pay for every named user in AD, even though only a small subset need it. So, I'd like to gather the UserID from NT through an ASP page, and pass that to an .fcc page, for instance, automatically submitting the username with no password.  In the SQL directory server, I will have only the usernames of those who need SiteMinder, with no passwords.  Therefore, if someone is logged into the network, they will not have to log in again to SiteMinder, but will only be authenticated if they exist with the proper securities in the SiteMinder user directory.

I think that SiteMinder does use Cookies to store user/sessions.
0
 
LVL 51

Assisted Solution

by:ahoffmann
ahoffmann earned 600 total points
ID: 13524304
>  I don't want to point SiteMinder to AD,
you need to install a SiteMinder Agent at AD (sorry don't know how to do that)
0
 
LVL 4

Author Comment

by:sgvill
ID: 13527502
Yes, I know how to do that (point it to AD), but that's not the solution I want.  I'd like to know how to go through an .asp script and then pass the user/password information to the .fcc file (or straight to SiteMinder).

Steve
0
 
LVL 51

Expert Comment

by:ahoffmann
ID: 13528057
sorry, no clue about .asp
but there should be a function to get usernames and credentials
0
 

Assisted Solution

by:oscarfg
oscarfg earned 600 total points
ID: 13546403
This question is not that similar to the one I posted several years ago.  However I have seen people use an ASP page that gathers user info from LDAP server or siteminder.  Once this information is gathered, using VBScript in the ASP page you can post to an FCC page with the gathered credentials.  I remember the layout but I don’t remember the code used to gather the credentials from LDAP.  When a user wanted to go to a page that was secure the user would click on a link and a second page would come up with a message stating that you are leaving the current site for a more secure site and to press OK to proceed.  This was the ASP page where all the code was located and when the user would hit OK it would post to an FCC page, if the credentials were correct it would forward them to the right page, if they were not then they would get sent to an error page.  Hopefully this will help but I don’t remember the code that was used to get the info as I did not write it.  

Oscar
0
 
LVL 15

Accepted Solution

by:
WalkaboutTigger earned 800 total points
ID: 13571918
Global.asa snippet:

-----
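      'FIND LOGIN NAME IN USER DB
      'LOGON_USER is only populated once IIS has authenticated the request
      txtLogin = Request.ServerVariables("LOGON_USER")
      login = txtLogin      'used as-is when there is no DOMAIN\ prefix
      if instr(txtLogin, "\") <> 0 then
            loginArray = Split(txtLogin, "\")
            login = loginArray(1)
      end if
      
      'SEARCH USER DATABASE FOR LOGIN
      'The login is bound as a parameter, so a quote in the name cannot change the query
      dim adoCon
      dim adoCmd
      dim rsUsers
      dim userFound
      set adoCon = Server.CreateObject("ADODB.Connection")
      adoCon.Open dbUsersConnectionstring
      set adoCmd = Server.CreateObject("ADODB.Command")
      set adoCmd.ActiveConnection = adoCon
      adoCmd.CommandText = "SELECT * FROM tblCompany WHERE Login = ?"
      '200 = adVarChar, 1 = adParamInput
      adoCmd.Parameters.Append adoCmd.CreateParameter("Login", 200, 1, 255, login)
      set rsUsers = adoCmd.Execute
      
      'CREATE SESSION VARIABLES
      userFound = not rsUsers.EOF
      if userFound then
            session("sesFirstName") =  rsUsers("FirstName")
            session("sesLastName") =   rsUsers("LastName")
            session("sesLogin") =  rsUsers("Login")
            session("sesVariables") =  rsUsers("Variables")
            session("sesUserID") = rsUsers("ID")
            session("sesDepartment") = rsUsers("Department")
            session("sesEmail") = rsUsers("Email")
            session("sesSecurityCode") = rsUsers("SecurityCode")
      end if
      
      'RELEASE THE DATABASE OBJECTS BEFORE ANY REDIRECT
      rsUsers.Close
      set rsUsers = Nothing
      set adoCmd = Nothing
      adoCon.Close
      set adoCon = Nothing
      
      if not userFound then
            'user not found? redirect to add user page (login is URL-encoded for the query string)
            response.redirect "newUser.asp?login=" & Server.URLEncode(login)
      end if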
-----

I am presuming the IIS server the users are attaching to is in the same AD as the user and that IIS has integrated Windows authentication enabled.

I presume you are trying to do Single Sign-On (SSO) for this application to ease the users' pain while still protecting the integrity of the system to which "...only a few people..." need access without writing a huge check to CA for the AD named users' license fees and without making your environment overly complex.

There are several LDAP-centric ways you can do this without utilizing SiteMinder's LDAP interface.  You could, for example, create an XML or CSV file that contains the authorized users and compare the LOGON_USER to the entries in the list.  This requires some amount of administration (policies and procedures needed here) when users are added, changed or removed.

I hope this is somewhat helpful,

Walkabout
0
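
One way to do the list comparison suggested in the answer above, as an added example (not code from the thread): the page continues only when the account IIS authenticated appears in a CSV allowlist, and refuses the request otherwise. The file path, the file layout and the function names are assumptions.

```vbscript
<%
' Added example, not from the original thread. ALLOWLIST_PATH, the CSV layout
' (login in the first column, "#" starts a comment line) and the function
' names are hypothetical.
Const ALLOWLIST_PATH = "D:\secure\authorized_users.csv"   ' keep outside the web root

' Returns the account part of DOMAIN\user, or the whole value if there is no domain.
' The domain part is ignored, as in the snippets posted in the thread.
Function AccountName(logonUser)
    Dim pos
    pos = InStrRev(logonUser, "\")
    If pos > 0 Then
        AccountName = Mid(logonUser, pos + 1)
    Else
        AccountName = logonUser
    End If
End Function

' True only if the authenticated login is listed; every failure path returns False.
Function IsAuthorizedUser(logonUser, listPath)
    Dim fso, ts, entry, wanted
    IsAuthorizedUser = False
    wanted = LCase(Trim(AccountName(logonUser)))
    If wanted = "" Then Exit Function          ' anonymous request: LOGON_USER is empty

    Set fso = Server.CreateObject("Scripting.FileSystemObject")
    If Not fso.FileExists(listPath) Then Exit Function   ' missing list: fail closed
    Set ts = fso.OpenTextFile(listPath, 1)     ' 1 = ForReading
    Do Until ts.AtEndOfStream
        ' First CSV column; the appended comma keeps Split safe on blank lines
        entry = LCase(Trim(Split(ts.ReadLine & ",", ",")(0)))
        If entry <> "" And Left(entry, 1) <> "#" And entry = wanted Then
            IsAuthorizedUser = True
            Exit Do
        End If
    Loop
    ts.Close
End Function

If Not IsAuthorizedUser(CStr(Request.ServerVariables("LOGON_USER")), ALLOWLIST_PATH) Then
    Response.Status = "403 Forbidden"
    Response.Write "Access denied."
    Response.End
End If
%>
```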
 
LVL 4

Author Comment

by:sgvill
ID: 13944399
I was finally able to solve my original question.

I used the following vbscript to load certain variables:

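DIM sValue, sURL, sPass, sTarget, sReason
' Account name that IIS authenticated, with any DOMAIN\ prefix removed
sValue = Request.ServerVariables("LOGON_USER")
sValue = mid(sValue,instr(1,sValue, "\") + 1,len(sValue)-instr(1,sValue,"\"))
' Placeholder password; it is written into a hidden form field below
sPass = "dummypassword"

' Taken from the query string of the request for this page
sTarget = Request.QueryString.Item("TARGET")
sReason = Request.QueryString.Item("REASON")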


Then I created a form as follows:

<FORM NAME=PWChange ACTION="login.fcc" METHOD=POST>
...
<input type=hidden name=user value="<%=Server.HTMLEncode(sValue)%>" >
<input type=hidden name=password value="<%=Server.HTMLEncode(sPass)%>">
<input type=submit value="Login">
<input type=hidden name=target value="<%=Server.HTMLEncode(sTarget)%>">
<input type="hidden" name=smauthreason value="<%=Server.HTMLEncode(sReason)%>">
....
</FORM>


The login.fcc is a standard login screen provided by SiteMinder in their samples directory.  The script above provides a button to press that submits it to login.fcc and authenticates.  I've also made it work by submitting the form on an "onload" event, so there is no user interaction at all.  

Thanks for all the ideas!

Steve
0
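
The TARGET and REASON values in the form above are read from the query string and echoed into the page, so they are worth validating before use. The following is an added example (not part of the original post) that accepts a target only on the same site and a reason only as a short number; SafeTarget, SafeReason and the fallback `/default.asp` are hypothetical, and TARGET is assumed to arrive as a plain absolute or site-relative URL.

```vbscript
<%
' Added example, not from the original post. Function names and the
' fallback page are hypothetical.

' Returns rawTarget only if it is site-relative or points at thisHost.
Function SafeTarget(rawTarget, thisHost, fallback)
    Dim t, prefix, scheme, nextChar
    SafeTarget = fallback
    t = Trim(rawTarget)
    If t = "" Then Exit Function
    ' Browsers drop tabs and line breaks inside URLs, so reject them outright
    If InStr(t, vbTab) > 0 Or InStr(t, vbCr) > 0 Or InStr(t, vbLf) > 0 Then Exit Function
    ' Site-relative path: exactly one leading slash ("//" and "/\" leave the site)
    If Left(t, 1) = "/" Then
        nextChar = Mid(t, 2, 1)
        If nextChar <> "/" And nextChar <> "\" Then SafeTarget = t
        Exit Function
    End If
    ' Absolute URL: http(s)://<thisHost> followed by "/" or end of string
    For Each scheme In Array("http://", "https://")
        prefix = scheme & LCase(thisHost)
        If LCase(Left(t, Len(prefix))) = prefix Then
            nextChar = Mid(t, Len(prefix) + 1, 1)
            If nextChar = "" Or nextChar = "/" Then SafeTarget = t
        End If
    Next
End Function

' smauthreason is treated as a numeric code; anything else becomes "0".
Function SafeReason(rawReason)
    Dim re
    Set re = New RegExp
    re.Pattern = "^[0-9]{1,3}$"
    SafeReason = "0"
    If re.Test(rawReason) Then SafeReason = rawReason
End Function

Dim safeTargetValue, safeReasonValue
safeTargetValue = SafeTarget(CStr(Request.QueryString("TARGET")), _
                             CStr(Request.ServerVariables("SERVER_NAME")), "/default.asp")
safeReasonValue = SafeReason(CStr(Request.QueryString("REASON")))
%>
<input type="hidden" name="target" value="<%=Server.HTMLEncode(safeTargetValue)%>">
<input type="hidden" name="smauthreason" value="<%=Server.HTMLEncode(safeReasonValue)%>">
```

A target that names the host with an explicit port is rejected by this check and replaced with the fallback.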
 

Expert Comment

by:tmjnsk
ID: 23234061
Hi Steve,

I am also looking for the same solution, with no user interaction, pass ID to fcc.
Can you please provide me the example. The above example has a login button. Does it need user interaction?
0
 

Expert Comment

by:tmjnsk
ID: 23234165
sorry..  got the solution


<html>
<head>
<script>
// Submit the hidden login form as soon as the page has loaded
function mthsubmit()
{
      document.PWChange.submit();
}
</script>
</head>
<body onload="mthsubmit();">
      <FORM NAME="PWChange" ACTION="login.fcc" METHOD="POST">
      <input type="hidden" name="user" value="">
      <input type="hidden" name="password" value="">
      <input type="submit" value="Login">
      <input type="hidden" name="target" value="http://localhost/../default.aspx">
      <input type="hidden" name="smauthreason" value="0">
      </FORM>
</body>
</html>

0
