Legacy Password Authentication

From iDENprotect Knowledge Base


Introduction

At iDENprotect we aim to deliver passwordless authentication. However, there may be some legacy applications that still require a password to be presented for authentication, i.e. via an HTML form that contains username and password fields.

This article describes how to integrate iDENprotect Authentication with Web Applications that require this form of authentication.


Gathering Requirements

The first stage is to determine the information the Web Application requires to be presented for authentication. This can be done by examining the authentication page that the web application presents.

For example, we can see that this login form requires three fields:

Username : The user's username

Password : The user's password

Realm    : A fixed value of "Admin Users"

Screenshot: PulseAdminLoginPage.png

We can also see that the login form has an action of login.cgi:

<form id="frmLogin_4" name="frmLogin" action="login.cgi" method="POST" autocomplete="off" onsubmit="return Login(1)">


This (the form action, the field names and any fixed field values) is all the information we need to allow the Authentication Portal to recreate this login form on behalf of the user.

Configuring IDP

Using the information above, an entry for the Web Service needs to be added to the IDP service configuration. The ACS is the key setting, but the same value can be used for the entityID and SSO URL.

Screenshot: PulseAdminConffig.png


In this example the URL of the login page was https://pulse.idenprotect.net/dana-na/auth/url_admin/welcome.cgi and the form action was login.cgi. The relative action resolves against the login page URL, so the ACS setting is

https://pulse.idenprotect.net/dana-na/auth/url_admin/login.cgi

It is to this URL that the completed login form will be posted.
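The two steps above (reading the form action and field names from the login page, then deriving the ACS from the page URL and the action) can be checked with a small script. This is an added example, not part of the original article or the iDENprotect product: it parses a constructed sample page containing the form tag quoted above plus three input elements assumed to match the fields listed, and resolves the relative action exactly as a browser would.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin

# Constructed sample page: the <form> tag quoted in the article plus three
# input elements assumed for illustration (the real page markup will differ).
SAMPLE_LOGIN_PAGE = """
<html><body>
<form id="frmLogin_4" name="frmLogin" action="login.cgi" method="POST" autocomplete="off" onsubmit="return Login(1)">
  <input type="text" name="username">
  <input type="password" name="password">
  <input type="hidden" name="realm" value="Admin Users">
  <input type="submit" value="Sign In">
</form>
</body></html>
"""

SAMPLE_PAGE_URL = "https://pulse.idenprotect.net/dana-na/auth/url_admin/welcome.cgi"


class LoginFormParser(HTMLParser):
    """Collect the action/method of the first <form> and the named inputs inside it."""

    def __init__(self):
        super().__init__()
        self.action = None
        self.method = "GET"
        self.fields = []  # (field name, input type, default value)
        self._in_form = False

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        if tag == "form" and self.action is None:
            self._in_form = True
            self.action = attrs.get("action", "")
            self.method = (attrs.get("method") or "GET").upper()
        elif tag == "input" and self._in_form:
            name = attrs.get("name")
            # Unnamed inputs (such as the submit button) are never posted,
            # so they do not need a mapping in the Authentication Portal.
            if name:
                self.fields.append((name, attrs.get("type", "text"), attrs.get("value", "")))

    def handle_endtag(self, tag):
        if tag == "form":
            self._in_form = False


def inspect_login_form(page_html, page_url):
    """Return the ACS, HTTP method and posted fields of the login form on a page."""
    parser = LoginFormParser()
    parser.feed(page_html)
    if parser.action is None:
        raise ValueError("no <form> found on the page")
    return {
        # urljoin resolves a relative action against the page URL, which is
        # how "login.cgi" becomes the full ACS URL shown in the article.
        "acs": urljoin(page_url, parser.action),
        "method": parser.method,
        "fields": parser.fields,
    }


if __name__ == "__main__":
    info = inspect_login_form(SAMPLE_LOGIN_PAGE, SAMPLE_PAGE_URL)
    print("ACS   :", info["acs"])
    print("Method:", info["method"])
    for name, kind, default in info["fields"]:
        print(f"Field : {name} (type={kind}, default={default!r})")
```

Hidden inputs with a fixed value (here "realm") are the ones that will need a literal mapping in the Service Provider configuration; the ACS should be an HTTPS URL, since the user's password travels in the body of this POST.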

Mapping Username and Password

By default the Authentication Portal will map the user's username and password to fields called username and password in the login form.

So in the example above, with the Pulse Admin login form, no additional mapping is required.

However, it is possible to map other values to other fields in the login form should that be required.

For example, if the login form required the user's sAMAccountName in a field called "authUserName", this can be achieved as follows.

First create an LDAP attribute to map this value on the LDAP -> Extra Parameters config:

LDAP PARAMETER FRIENDLY NAME    LDAP PARAMETER
Pulse Account Name              sAMAccountName


Then on the IDP Service Providers create the mapping to populate the form accordingly:

SAML ATTRIBUTE    LDAP PARAMETER FRIENDLY NAME
authUserName      Pulse Account Name

Mapping Extra Fields

Some login forms will require extra fields beyond username and password. In our example a field called "realm" is required with a value of "Admin Users".

This field will have the same value for all users.

To ensure that this field is included, create a mapping as follows.


On the IDP Service Providers create the mapping to populate the form accordingly:

SAML ATTRIBUTE    LDAP PARAMETER FRIENDLY NAME
realm             "Admin Users"

The inverted commas around "Admin Users" ensure that this literal value is used, rather than being treated as a reference to a parameter called Admin Users.
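The mapping rules from the two sections above (username and password mapped by default, an unquoted value looked up as an LDAP parameter friendly name, a value in inverted commas used literally) can be modelled in a few lines. The following is an added example, not the Authentication Portal's own code: the configuration dictionaries, the constructed LDAP entry and the function names are this example's assumptions, chosen to reproduce the Pulse Admin form built on this page.

```python
from urllib.parse import urlencode

# LDAP -> Extra Parameters: friendly name -> LDAP attribute (as configured above).
LDAP_EXTRA_PARAMETERS = {
    "Pulse Account Name": "sAMAccountName",
}

# IDP Service Providers mapping: form field -> friendly name or "quoted literal".
SP_MAPPINGS = {
    "authUserName": "Pulse Account Name",
    "realm": '"Admin Users"',
}

# Constructed LDAP entry for the authenticating user (sample data, not real).
USER_ENTRY = {
    "uid": "jsmith",
    "sAMAccountName": "JSMITH",
}


def resolve_mapping(value, ldap_params, user_entry):
    """Turn one mapping value into the string that is posted in the form.

    A value wrapped in inverted commas is used verbatim. Anything else is the
    friendly name of an LDAP parameter and is replaced by the user's attribute.
    Unknown names fail loudly rather than silently posting an empty field.
    """
    if len(value) >= 2 and value[0] == '"' and value[-1] == '"':
        return value[1:-1]
    if value not in ldap_params:
        raise ValueError(f"no LDAP parameter with friendly name {value!r}")
    attribute = ldap_params[value]
    if attribute not in user_entry:
        raise ValueError(f"user has no value for LDAP attribute {attribute!r}")
    return user_entry[attribute]


def build_login_form(username, password, sp_mappings, ldap_params, user_entry):
    """Assemble every field the Authentication Portal would post to the ACS."""
    # The default mapping: username and password fields are always filled.
    fields = {"username": username, "password": password}
    for field_name, mapping in sp_mappings.items():
        fields[field_name] = resolve_mapping(mapping, ldap_params, user_entry)
    return fields


def encode_form(fields):
    """URL-encode the fields as an application/x-www-form-urlencoded body."""
    return urlencode(fields)


if __name__ == "__main__":
    form = build_login_form("jsmith", "example-password", SP_MAPPINGS,
                            LDAP_EXTRA_PARAMETERS, USER_ENTRY)
    # Print field names only; the body contains the password in clear.
    print("Fields posted:", ", ".join(form))
```

Note that without the inverted commas, "Admin Users" would be looked up as a friendly name and, since no such LDAP parameter exists, the login form could not be built; that is the failure the quoting in the table avoids.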

Testing

With the parameters set up, and with an account that has rights to access the service provider, a user should be able to authenticate to the Authentication Portal and then click on the Service Provider they wish to access.

The user should be redirected and automatically authenticated to that service provider.

Note that this form of Authentication does not support Service Provider initiated authentication unless the Service Provider can be configured to redirect the user to the Authentication Portal.