Access Management Authentication Class Extension to Retrieve Password for Single Sign-on



By: BAndries

April 8, 2008 4:07 pm

NEW: Support for Novell Access Manager 3.1
NEW: External Authentication Support (like SAML)
NEW: Select User Store to Retrieve Password From (Kerberos tip)

Introduction:

Did you ever have to do Single Sign-on to web applications and protect the reverse proxy with a contract that doesn’t prompt for the user password (e.g. X509, Radius, Kerberos, NMAS, …)? Did the web application only support basic or form-based authentication? Then you know that it can be a big challenge to retrieve the password to use it in a form or header: because the password wasn’t entered during the login process, there is no password cached in the LDAP credentials.

With this Authentication Class Extension this problem is solved! It is very easy to configure and also very secure: no additional passwords need to be saved in clear text or on the file system. This Authentication Class Extension works for Identity Injection AND for Form Fill.

After the user is successfully authenticated to the authentication method (X509, Radius, Kerberos, NMAS, …), a second authentication method configured in the same contract will do all the work that you needed to do in the past. It will retrieve the user password directly from the User Store and it will add the user password to the LDAP credentials, so the only thing you have to do is use it in the Access Manager Policies.

Here’s how the method works:

  1. The first Authentication Method identifies a user in the User Store.
  2. This user is used by the PwLookupLogin class. If no user is found, the error “No Authenticated User Found” is displayed to the user.
  3. The system tries to make an LDAP connection to the first configured replica in the User Store. If this is not successful, it tries the next replica until all replicas have failed. If no connection could be established, the error “Ldap Connection Error” is shown to the user.
  4. If there is a valid LDAP connection, the system looks for the property “useSimplePassword”. If this property is present, we query for the user’s Simple Password; otherwise we query for the user’s Universal Password.
  5. If the password retrieval is successful, the password is added to the LDAP credentials and can be used for Form Fill or Identity Injection.
  6. If the password retrieval was not successful, the system looks for the property “SSOshowError”. If this property is present, the error “Single Sign-on Error” is displayed to the user. If the property is absent, authentication continues but the password is not added to the LDAP credentials.

The process is shown in the diagram below.
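As an added illustration, not the extension’s own Java code (which is not published on this page), the following Python model walks through the six steps above with an injected LDAP connector and password reader, so the replica failover and the useSimplePassword/SSOshowError decisions can be exercised offline; every replica URL, user DN and password in it is constructed.

```python
from dataclasses import dataclass, field


@dataclass
class Outcome:
    status: str                                   # "Success", "Failed" or "Continue"
    credentials: dict = field(default_factory=dict)
    error: str = ""


def pw_lookup_login(user_dn, replicas, props, connect, read_password):
    """Model of the article's six steps, not the extension's Java code.
    connect(url) returns a handle or raises OSError; read_password(conn, dn,
    simple) returns the password or raises LookupError."""
    if not user_dn:                               # step 2
        return Outcome("Failed", error="No Authenticated User Found")
    conn = None
    for url in replicas:                          # step 3: replica failover
        try:
            conn = connect(url)
            break
        except OSError:
            continue
    if conn is None:
        return Outcome("Failed", error="Ldap Connection Error")
    use_simple = bool(props.get("useSimplePassword"))   # step 4
    try:
        pw = read_password(conn, user_dn, use_simple)
    except LookupError:                           # step 6
        if props.get("SSOshowError"):
            return Outcome("Failed", error="Single Sign-on Error")
        return Outcome("Continue")                # contract goes on without a password
    return Outcome("Success", credentials={"UserPassword": pw})   # step 5


# Constructed stand-ins for the user store so the model runs offline.
REACHABLE = {"ldaps://10.0.0.10:636/"}
PASSWORDS = {("cn=duvel,o=users", False): "universal-pw-constructed"}


def fake_connect(url):
    # Clear-text ldap:// replicas are refused (the secure-LDAP requirement);
    # any other replica not in REACHABLE fails like a network error would.
    if not url.startswith("ldaps://") or url not in REACHABLE:
        raise OSError(f"cannot connect to {url}")
    return url


def fake_read_password(conn, dn, simple):
    try:
        return PASSWORDS[(dn, simple)]
    except KeyError:
        raise LookupError("NMASPwdException") from None
```

Calling pw_lookup_login with a replica list of a clear-text replica, an unreachable one and the reachable one reproduces the failover sequence shown in the troubleshooting logs.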

Installation:

Get the BA Authentication modules here: http://www.novell.com/communities/node/2804

On the Identity server(s):

  • Copy ba-idp-auth.jar and NMASToolkit.jar to /var/opt/novell/tomcat4/webapps/nidp/WEB-INF/lib
  • Restart tomcat

Configuration:

You’ll need to create a new Authentication Class.

  • For the Java class choose other.
  • For the Java class path type: com.novell.ba.idpauth.PwLookupLogin
  • For the properties, see the table and the examples below.

Property Name      Default Value  Description
useSimplePassword  n/a            If this property is present and not null, we’ll try to retrieve the Simple Password instead of the Universal Password. Example: on
SSOshowError       n/a            If this property is present and not null and the system couldn’t retrieve the password, the error JSP is displayed with the message “Single Sign-on Error”. If this property is absent, authentication continues but no password is stored in the LDAP credentials. Example: on
debug              n/a            If this property is present and not null, debug logging is enabled. Example: on

Then you need to create Authentication Methods and Contracts as described on http://www.novell.com/documentation/novellaccessmanager/adminguide/data/b1tvhkg.html
Be aware that when you define the Authentication Contract, the PwLookupLogin method must be placed after the Authentication Method you want to extend.

User Store Configuration:

There are some things that need to be done for the User Store that is configured in the first authentication method:

  • The User Store that is used needs to be of type eDirectory, and the User Store replicas need to use secure LDAP connections.
  • The users need to have a Universal Password or a Simple Password set.
  • When you configure Universal Password, you need to grant the user store bind user read privilege to the Universal Password. This can be done in “Passwords – Password Policies” in iManager.

For more information: http://www.novell.com/documentation/password_management32/index.html
If you have an older version of NMAS running in the user store, you can also use the option “Allow admin to retrieve passwords”.

Troubleshooting:

For troubleshooting there is only one important thing you need to know:

If you enabled debug in the Properties tab, use the following command in bash:
“tail -f /var/opt/novell/tomcat4/logs/catalina.out | grep BADEBUG”.
If you don’t find any BADEBUG entries, check that the jar is present on the server and that the Authentication Method has been set up correctly.
If you do see these entries, they will tell you what is going wrong.

UserPassword correctly added:
BADEBUG – PwLookupLogin v1.00
BADEBUG – UserName = CN=duvel, O=users
BADEBUG – Replica = 0
BADEBUG – ReplicaCount = 2
BADEBUG – BindURL = ldaps://10.0.0.10:636/
BADEBUG – BindUser = cn=AccManAccount,o=services
BADEBUG – BindPassword = ******
BADEBUG – ConnectLdap = OK
BADEBUG – UserPassword = *********
BADEBUG – UserPassword added to LDAPCredentials
BADEBUG – PwLookupLogin Success

In the next example the system tries to connect to 3 replicas: the first replica is a clear-text replica (not allowed), the second replica is an invalid LDAP server, and the third replica is successful.

BADEBUG – PwLookupLogin v1.00
BADEBUG – UserName = CN=duvel, O=users
BADEBUG – Replica = 0
BADEBUG – ReplicaCount = 5
BADEBUG – BindURL = ldap://10.0.0.11:389/
BADEBUG – BindUser = cn=AccManAccount,o=services
BADEBUG – BindPassword = ******
BADEBUG – ConnectLdap = javax.naming.CommunicationException: simple bind failed: 149.44.38.252:389 [Root exception is javax.net.ssl.SSLException: Unrecognized SSL message, plaintext connection?]
BADEBUG – Replica = 1
BADEBUG – ReplicaCount = 5
BADEBUG – BindURL = ldaps://10.0.0.10:636/
BADEBUG – BindUser = cn=AccManAccount,o=services
BADEBUG – BindPassword = ******
BADEBUG – ConnectLdap = javax.naming.CommunicationException: 149.44.38.254:636 [Root exception is java.net.NoRouteToHostException: No route to host]
BADEBUG – Replica = 2
BADEBUG – ReplicaCount = 5
BADEBUG – BindURL = ldaps://10.0.0.10:636/
BADEBUG – BindUser = cn=AccManAccount,o=services
BADEBUG – BindPassword = ******
BADEBUG – ConnectLdap = OK
BADEBUG – UserPassword = ******
BADEBUG – UserPassword added to LDAPCredentials
BADEBUG – PwLookupLogin Success

There is no Authentication method preceding the PwLookupLogin method:

BADEBUG – PwLookupLogin v1.00
BADEBUG – No Authenticated User Found
BADEBUG – PwLookupLogin Failed

Couldn’t retrieve the Universal Password, check user store configuration:

BADEBUG – PwLookupLogin v1.00
BADEBUG – UserName = cn=duvel,o=users
BADEBUG – Replica = 0
BADEBUG – ReplicaCount = 1
BADEBUG – BindURL = ldaps://149.44.38.78:636/
BADEBUG – BindUser = cn=AccManAccount,o=services
BADEBUG – BindPassword = *********
BADEBUG – ConnectLdap = OK
BADEBUG – Get Universal Password Error = com.novell.security.nmas.mgmt.NMASPwdException
BADEBUG – UserPassword =
BADEBUG – PwLookupLogin Failed
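The BADEBUG output above is easy to read by hand, but a short triage script saves time when several attempts are interleaved in catalina.out. The following Python is an added example, not part of the article or the extension: it parses the v1.00 log format shown above and maps the conditions from the troubleshooting cases (clear-text replica, connection failure, Universal Password not readable, no authenticated user) to hints. The sample log is constructed and its addresses are placeholders.

```python
import re

# Constructed sample in the shape of the article's "grep BADEBUG" output;
# addresses and names are placeholders, not taken from a real deployment.
SAMPLE_LOG = """\
BADEBUG - PwLookupLogin v1.00
BADEBUG - UserName = cn=duvel,o=users
BADEBUG - Replica = 0
BADEBUG - ReplicaCount = 2
BADEBUG - BindURL = ldap://10.0.0.11:389/
BADEBUG - ConnectLdap = javax.naming.CommunicationException: simple bind failed: 10.0.0.11:389 [Root exception is javax.net.ssl.SSLException: Unrecognized SSL message, plaintext connection?]
BADEBUG - Replica = 1
BADEBUG - ReplicaCount = 2
BADEBUG - BindURL = ldaps://10.0.0.10:636/
BADEBUG - ConnectLdap = OK
BADEBUG - Get Universal Password Error = com.novell.security.nmas.mgmt.NMASPwdException
BADEBUG - UserPassword =
BADEBUG - PwLookupLogin Failed
"""

# catalina.out shows the separator as an en dash; accept both dash forms.
LINE_RE = re.compile(r"^\s*BADEBUG\s+[-–]\s+(.*)$")


def triage(text):
    """Summarise one PwLookupLogin attempt from its BADEBUG lines: final
    result, per-replica connect status and hints mapped from the article's
    troubleshooting cases plus the non-eDirectory case from the comments."""
    entries = [m.group(1).strip() for m in map(LINE_RE.match, text.splitlines()) if m]
    report = {"result": None, "user": None, "replicas": [], "hints": []}
    if not entries:
        report["hints"].append("no BADEBUG entries: check the jar in WEB-INF/lib and the method/debug property")
        return report
    current = None
    for e in entries:
        key, _, val = e.partition(" = ")
        if key == "UserName":
            report["user"] = val
        elif key == "BindURL":
            current = {"url": val, "connect": None}
            report["replicas"].append(current)
            if val.startswith("ldap://"):
                report["hints"].append(f"{val} is clear-text LDAP; replicas must use ldaps://")
        elif key == "ConnectLdap" and current is not None:
            current["connect"] = val
        elif key == "Get Universal Password Error":
            if "Unknown extended request OID" in val:
                report["hints"].append("server rejected the NMAS extended request; the password store must be eDirectory")
            else:
                report["hints"].append("Universal Password not readable; grant the bind user read privilege in the password policy")
        elif e == "No Authenticated User Found":
            report["hints"].append("no identifying method ran before PwLookupLogin; reorder the contract")
        elif e.startswith("PwLookupLogin ") and e.split()[-1] in ("Success", "Failed", "Skipped"):
            report["result"] = e.split()[-1]
    return report
```

Running triage(SAMPLE_LOG) reports the first replica as clear-text, the second as connected, and flags the unreadable Universal Password as the reason for the failure.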


Disclaimer: As with everything else at NetIQ Cool Solutions, this content is definitely not supported by NetIQ, so Customer Support will not be able to help you if it has any adverse effect on your environment.  It just worked for at least one person, and perhaps it will be useful for you too.  Be sure to test in a non-production environment.

26 Comments

  1. By:barragae

    This will make federation actually very useful when partners can’t send password in SAML

    • By:BAndries

      Currently this extension will only work in combination with local authentication classes. I need to do some additional work to make it work with authentication provided by external parties. I haven’t decided yet if I’ll update this extension or if I’ll create a dedicated extension to support SAML.

      • By:eddychiu

        We have a solution to make use of SAML 2.0 as account federation.
        One of the service providers requires form fill action with account and password so as to sign on an application.
        With the current setting, a user has been authenticated to access remote service providers with his own local account.
        The problem is, the system fails to help the user to form fill the password of the associated account.
        I think this is a similar case of this topic since the user has not actually typed in the password to sign on which can’t be found in the cache.
        My question is whether this situation has been addressed in any NAM extension?
        Thank you!

      • By:barragae

        Hello,

        I’m glad to see external auth support has been added. Can some content be added to this article describing how that is set up? Since it’s not part of a local auth contract, is it instead configured under the authentication section for SAML, where you could select an auth context by contract? Or is it something different altogether?

        Thank You!

  2. By:barragae

    I guess I misunderstood the details. I thought this would work if you came in via SAML. Do you have an idea if you are going to customize the class for use with SAML?

    Thanks

  3. By:anonymous

    Hi

    Thanks, I got this working.
    Does anyone know if this option is supported by Novell?

    R

  4. By:damm

    Hi

    You mentioned that the user store from the first authentication method must be eDir, does that mean it won’t work if first method in the list is Kerberos and it is configured against AD server?

    Thanks

    • By:anonymous

      Hi,

      Did you receive any answer to your question about Kerberos?
      I have the same problem.

      I usually use ‘shared secrets’ for Kerberos SSO, but this auth method
      would be easier to maintain.

      Thanks,

      Vincent MAZARD

      • By:6498166

        Hi, I’ve the same problem. Any news from Bart Andries? You write that you usually use shared secrets for Kerberos SSO. Which Shared Secret? The local one or a remote one on an external eDir User Store? If it is the second, how do you configure the FF?

        Thanks!

        Maurizio

      • By:jimgoodall

        Hi,

        I can’t get this working! I followed the instructions but get:

        2009-01-21T13:35:38Z WARNING NIDS Application: AM#300105005: AMDEVICEID#AD7FC6703348B2A0: Failed to load/execute authentication class PwLookupLogin. Error: com.novell.ba.idpauth.PWLookupLogin

        in the catalina.out

        any help would be greatly appreciated!

        Thanks

        Jim

      • By:jimgoodall

        This does work! I spotted my own error in the previous message, the entry for the java class is PwLookupLogin not PWLookupLogin as I had typed!

        Regards

        Jim

  5. By:jaredljennings

    Would the author be interested in providing or e-mailing the source code? I would be interested in seeing it to learn from and maybe extend.

    • By:vmazard

      I decompiled the class without problem with DJ Java Decompiler.
      The source is quite simple.

      But if I may add a comment:
      This approach only works the first time the user authenticates to the Identity server.
      On this one and only case, the Kerberos class passes the nidpprincipal to the extension class.
      But on further requests, the kerberos class doesn’t pass anything to the extension class.
      As a result, the extension class exits with an error ‘no user authenticated’ or something like this.

      In my opinion, the only way to make this work is to decompile the Kerberos class (or whatever class you use in the auth process) and add the extension class code inside.
      Unfortunately, the Kerberos class doesn’t decompile properly, and I believe that only Novell has enough knowledge to solve this problem. Something they don’t seem willing to do…

      Money rules the world..

      Good luck,
      Vincent

      • By:jaredljennings

        Humbug, Very cool decompiler. I wasn’t aware of that utility.

        What I was hoping to accomplish, was to be able to send the password back to the Credential store because the password changed. Humbug.

        yeah, money talks.

  6. By:jessesmith

    Yes! It works in 3.1. Just make sure you check the “Identifies User” on both methods used (including the method using this custom class).

  7. By:tzgq91

    Hi

    I am trying to configure SSO for MS AD using this solution but am getting the following error. Can anyone help please

    BADEBUG – PwLookupLogin v1.00
    BADEBUG – UserName = CN=xyz,OU=abc,DC=qwerty,DC=LOCAL
    BADEBUG – Replica = 0
    BADEBUG – ReplicaCount = 2
    BADEBUG – BindURL = ldap://192.168.1.162:389/
    BADEBUG – BindUser = cn=auadlam02v,ou=Service Accounts,dc=qwerty,dc=local
    BADEBUG – BindPassword = ******
    BADEBUG – ConnectLdap = javax.naming.CommunicationException: simple bind failed: 192.168.1.162:389 [Root exception is javax.net.ssl.SSLHandshakeException: Remote host closed connection during handshake]
    BADEBUG – Replica = 1
    BADEBUG – ReplicaCount = 2
    BADEBUG – BindURL = ldaps://192.168.1.7:636/
    BADEBUG – BindUser = cn=auadlam02v,ou=Service Accounts,dc=qwerty,dc=local
    BADEBUG – BindPassword = ******
    BADEBUG – ConnectLdap = OK
    BADEBUG – Get Universal Password Error = com.novell.security.nmas.mgmt.NMASPwdException: javax.naming.CommunicationException: [LDAP: error code 2 - 0000203D: LdapErr: DSID-0C090C7D, comment: Unknown extended request OID, data 0, vece]; remaining name ”
    BADEBUG – UserPassword =
    auadlam02v:~ #

    Regards
    Steve

    • By:jessesmith

      Just to verify, your replica is an eDirectory, correct?

    • By:vmazard

      It looks like you try to obtain the user’s password from an LDAP server that doesn’t allow the extension needed.

      This probably means that your LDAP server is not an eDirectory.
      (I would say Active Directory)
      For this extension to work, the LDAP server queried for the password MUST be an eDirectory, as the extension used is some NMAS stuff.

      What you should do is:

      Authenticate users on the Active Directory
      get the user’s DN
      With it, find the corresponding user in your eDirectory
      then, get this user’s password in the eDirectory.
      Conclusion: you will need to decompile the class and modify it to suit your needs.

      Just a remark: Although it used to work (in some cases) in NAM V3.0.4, I couldn’t make it work with NAM 3.1. Maybe a JRE issue.
      Personally, I gave up on this solution that doesn’t work in most cases.

      Regards,

      Vincent

      • By:tzgq91

        Thanks for your response.

        The LDAP server is Active Directory DC, I do not have eDirectory installed. I was under the impression that this extension would retrieve the password via LDAP from the user store (in my case AD)

  8. By:fsjovatsen

    PWlookuplogin can’t find the user in pwlookup user store. This is not correct. The user is in the store. If I search for the user using ldapsearch it finds the user. If I use a form contract the user is found and is auth’ed. Anyone knows why this happens?

    BADEBUG – PwLookupLogin2 v3.1.1
    BADEBUG – *** Looking for Authenticated User ***
    BADEBUG – Found Contract Authenticated User: CN=FSjovatsen,ou=ansatt,ou=personer,dc=domain,dc=com
    BADEBUG – *** Connecting to PwLookup User Store ***
    BADEBUG – PwLookup User Store = IDV
    BADEBUG – ReplicaCount = 2
    BADEBUG – Try Replica 0 (ldaps://10.10.10.108:636/)
    BADEBUG – ConnectLdap = OK
    BADEBUG – *** Find User in PwLookup User Store ***
    BADEBUG – Search Pw User Store for attribute CN with value FSjovatsen
    BADEBUG – Search Pw User Store context ou=ansatt,ou=personer,o=idv
    BADEBUG – Search Pw User Store context ou=elev,ou=personer,o=idv
    BADEBUG – No matching User found in the Pw User Store
    BADEBUG – PwLookupLogin Failed

  9. By:rnieuwen

    Bart,

    Great article.
    Thanks for this cool solution

  10. By:kaiung

    I have got Kerberos working. And the eDir store works with the same user on the secure/password form. But when I try to use the PwLookupLogin class with Kerberos I get this error:

    >>> KrbApReq: authenticate succeed.
    Krb5Context setting peerSeqNumber to: 1954502415
    >>> EType: sun.security.krb5.internal.crypto.ArcFourHmacEType
    Krb5Context setting mySeqNumber to: 818616528
    BADEBUG – PwLookupLogin2 v3.1.1
    BADEBUG – *** Looking for Authenticated User ***
    BADEBUG – Found Contract Authenticated User: CN=donald,OU=ITUsers,OU=XYZ,dc=ad,dc=XYZ-CO,dc=com
    BADEBUG – *** Connecting to PwLookup User Store ***
    BADEBUG – PwLookup User Store = XYZ-EDIR
    BADEBUG – ReplicaCount = 1
    BADEBUG – Try Replica 0 (ldaps://10.1.1.2:636/)
    BADEBUG – ConnectLdap = OK
    BADEBUG – *** Find User in PwLookup User Store ***
    BADEBUG – Search Pw User Store for attribute CN with value donald
    BADEBUG – Search Pw User Store context ou=ITUsers,o=XYZ
    Ignoring invalid XML character:
    BADEBUG – Search Pw User Store context ou=groups,o=XYZ
    Ignoring invalid XML character:
    BADEBUG – No matching User found in the Pw User Store
    BADEBUG – PwLookupLogin Skipped

    Running on Identity Server 3.1.2.281 on Windows 2008R2 64 bit server.

    Any ideas ?

  11. By:classedl

    It appears that the nidp.jar file has been restructured in SP3. Classes that are imported in the pwlookuplogin class cannot be located in SP3. Based on a little research, it appears the JNDI classes have been moved to the NAMCommon.jar file. Does anyone have a workaround to get the pwlookuplogin class working with SP3?
