Cloud Access Manager 8.1.4 - Security and Best Practice Guide

Proxied form-fill

Some web applications do not accept HTTP basic or NT LAN Manager (NTLM) authentication, and instead prompt for your credentials by presenting a login form; this is known as forms-based authentication. Forms-based authentication is a common method of authenticating users for both public software as a service (SaaS) and on-premise web applications.

The Cloud Access Manager proxy can automatically insert JavaScript which detects the username and password entered into a login form and saves that information in your Cloud Access Manager password wallet over a secure channel. Then, once your credentials have been saved and the application is launched again, Cloud Access Manager detects the username and password fields on the application login form, automatically inserts your credentials into the correct fields, and submits the form.

NOTE: This technique is appropriate for applications which do not accept HTTP basic, NTLM, SAML or WS-Federation authentication.

Unproxied form-fill

For certain applications where credentials are captured using a login form, you can configure Cloud Access Manager to automate sign-on to the application without the need to proxy it. In this case Cloud Access Manager sends the login request directly to the application with your username and password inserted.

The advantages of this compared to proxied form-fill are:

  • Improved application responsiveness, as there is no intermediate proxy adding latency
  • Reduced IT costs, as the load on the proxy is reduced
  • Increased reliability, as complications caused by URL rewriting are avoided.

The potential disadvantages are:

  • No support for capturing credentials: you must enter your credentials into the Cloud Access Manager Password Wallet yourself
  • No support for change-password forms: the old password field is not prefilled with your current password, and any new password is not captured
  • Does not work with applications which send a pre-authentication cookie to the browser.

Using a reverse proxy or load balancer with Cloud Access Manager

If you use a reverse proxy server or load balancer in front of Cloud Access Manager, you must ensure that all headers required by Cloud Access Manager are preserved at all times. Cloud Access Manager injects JavaScript into application pages to manage the session idle timeout and, at the same time, sets no-cache headers on the response. These no-cache headers must be preserved at all times for Cloud Access Manager to function as designed; removing or changing them may cause session management issues, for example when a user presses the Back button in their browser.
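The following is an added example, not code from the Cloud Access Manager product or this guide. It shows one way to verify that the no-cache headers set at the origin still reach the browser unchanged after passing through a reverse proxy or load balancer; the guide does not list the exact headers Cloud Access Manager sets, so the checks below target the common no-cache directives and the sample header values are constructed.

```python
# Added example (not Cloud Access Manager code): checks that the no-cache
# headers a response carried at the origin still arrive unchanged through a
# reverse proxy or load balancer. Header values below are constructed.
from typing import Dict, List


def parse_cache_control(value: str) -> Dict[str, str]:
    """Split a Cache-Control header into a dict of lowercase directives."""
    directives = {}
    for part in value.split(","):
        part = part.strip()
        if part:
            name, _, arg = part.partition("=")
            directives[name.strip().lower()] = arg.strip().strip('"')
    return directives


def missing_no_cache_directives(headers: Dict[str, str]) -> List[str]:
    """Return the no-cache protections absent from a response's headers.
    An empty list means the response is still marked non-cacheable."""
    lower = {k.lower(): v for k, v in headers.items()}
    cc = parse_cache_control(lower.get("cache-control", ""))
    missing = []
    if "no-cache" not in cc:
        missing.append("Cache-Control: no-cache")
    if "no-store" not in cc:
        missing.append("Cache-Control: no-store")
    if lower.get("pragma", "").lower() != "no-cache":
        missing.append("Pragma: no-cache")
    return missing


def altered_by_proxy(origin: Dict[str, str], proxied: Dict[str, str]) -> List[str]:
    """Names of origin headers the proxy dropped or rewrote (names compared case-insensitively)."""
    proxied_lower = {k.lower(): v for k, v in proxied.items()}
    return [name for name, value in origin.items()
            if proxied_lower.get(name.lower()) != value]


# Constructed sample: what the origin sent vs. what reached the browser.
ORIGIN_HEADERS = {"Cache-Control": "no-cache, no-store, must-revalidate",
                  "Pragma": "no-cache", "Expires": "0"}
PROXIED_HEADERS = {"Cache-Control": "public, max-age=3600", "Expires": "0"}

if __name__ == "__main__":
    print("missing:", missing_no_cache_directives(PROXIED_HEADERS))
    print("altered:", altered_by_proxy(ORIGIN_HEADERS, PROXIED_HEADERS))
```

In practice, capture the two header sets with a direct request to Cloud Access Manager and a request through the proxy, then feed them to `altered_by_proxy` to spot any header the proxy strips or rewrites.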

Security
