
Cloud Access Manager 8.1.4 - How To Configure Advanced Form Fill Authentication

Introduction

Many applications, especially those that are internet facing, choose to use form fill authentication. This means they display username and password fields on the web page for the user to manually enter their sign-in credentials. Each application is different and while the majority of applications can be configured automatically, some applications require manual configuration. This guide describes how Cloud Access Manager implements its form fill functionality so that you can configure applications manually.

For complete examples of how to configure form fill authentication applications in Cloud Access Manager, please refer to the section entitled Form Fill Authentication in the One Identity Cloud Access Manager Configuration Guide.

Background

To successfully Single Sign-on (SSO) a user into a web site using Cloud Access Manager form fill functionality, some details about the site’s login page must be collected and added to the application’s configuration in Cloud Access Manager. This guide describes the elements that are required to log in to a site and what Cloud Access Manager needs to know about the application to successfully automate the process for you.

Form fill field values

Cloud Access Manager asks the user to identify the fields on the login page, typically by their HTML ID or name. The Username Field ID/Name and Password Field ID/Name are required fields; the others are optional. However, many applications require the user to click a Sign In/Log In button, which means that the Submit Button ID/Name/Value is often required.

  • The Optional Field ID/Name is used to capture and fill an additional field on the login page, such as the user’s domain.
  • The Static Field ID/Name and Static Field Value boxes are used when all users are required to enter the same value into an additional field on the login page, for example, the instance name of the application.

    NOTE: If the application displays the password field on a separate page to the username field, check the box labelled "The password field is located on a separate page". You can then manually enter the field identifiers for the password field and submit button.

The easiest way to obtain the correct Field ID and Name from a web page is to use the browser's built-in developer tools. Internet Explorer, Google Chrome and Mozilla Firefox all have this feature. It allows you to click each field in turn and locate its ID and/or name.
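Where developer tools are not convenient, the same identifiers can be read from a saved copy of the login page. The following is an added example, not part of the Cloud Access Manager documentation or product; the sample page, the function names and the mapping heuristic are assumptions made for illustration.

```python
from html.parser import HTMLParser
# Constructed sample login page, not taken from any real application.
SAMPLE_LOGIN_PAGE = """
<html><head><title>Sign in</title></head><body>
<form action="/login" method="post">
  <input type="hidden" name="csrf_token" value="constructed">
  <input type="text" id="user" name="username">
  <input type="password" id="pass" name="password">
  <input type="text" id="dom" name="domain">
  <input type="submit" id="btnLogin" name="login" value="Log In">
</form></body></html>
"""

class FieldCollector(HTMLParser):
    """Collects id, name and value of visible form controls in page order."""
    def __init__(self):
        super().__init__()
        self.fields = []

    def handle_starttag(self, tag, attrs):
        if tag not in ("input", "button"):
            return
        a = dict(attrs)
        # <input> defaults to type=text, <button> defaults to type=submit.
        kind = (a.get("type") or ("submit" if tag == "button" else "text")).lower()
        if kind == "hidden":
            return  # hidden inputs are not filled in by the user
        self.fields.append({"type": kind, "id": a.get("id"),
                            "name": a.get("name"), "value": a.get("value")})

def list_login_fields(html):
    collector = FieldCollector()
    collector.feed(html)
    return collector.fields

def suggest_mapping(fields):
    """Heuristic (assumption): map controls onto the boxes named in the guide."""
    mapping = {"username": None, "password": None, "submit": None, "other": []}
    for f in fields:
        ident = f["id"] or f["name"]
        if f["type"] == "password" and mapping["password"] is None:
            mapping["password"] = ident
        elif f["type"] in ("submit", "image") and mapping["submit"] is None:
            mapping["submit"] = ident or f["value"]
        elif f["type"] in ("text", "email") and mapping["username"] is None:
            mapping["username"] = ident
        else:
            mapping["other"].append(ident)
    return mapping
```

Entries left in `other` are the candidates for the Optional Field or Static Field boxes; confirm each suggestion against the live page before entering it.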

Form fill URLs

This section describes how to define the URLs used by the application’s login page.

Most applications have a login page that can be easily identified within the path portion of the URL, for example:

http://192.168.121.18/mantis/login_page.php?return=my_view_page.php&error=1

In this situation, Cloud Access Manager can locate the login page without taking into account the parameters within the query string, which are likely to differ from user to user, so the query string information selection box can be left clear.

Some applications use URLs where only the query string portion of the URL changes when navigating between pages. For example, pages in an Oracle application may only differ by a function ID in the query string. The home page might have the ID of 150, for example https://server/OA_HTML/RF.jsp?functionId=150, and the login page an ID of 200, for example https://server/OA_HTML/RF.jsp?functionId=200.

To configure this type of application, select the box labelled Information in the query string is required to identify the login page of the application. Cloud Access Manager will then allow you to select the query string parameter that identifies the login page, such as the functionId=200 parameter used in the previous Oracle example.

If an application uses multiple query string parameters, select only the parameters that identify the login page. For example, some applications use additional parameters to store information unique to a particular user or access attempt, such as a session identifier. You should not select these parameters as they would prevent the login page from being detected for all users/requests.

NOTE: Elements within the login path of an application are case sensitive and must be entered into Cloud Access Manager exactly as they appear in the URL bar in your web browser.

Some applications append a session ID, called a JSESSIONID, to the end of the path to track a user's session. For example:

http://host/page.htm;jsessionid=<value>?query

When this happens, it can prevent Cloud Access Manager from matching the URL of the form as the value is different for every session. For these applications make sure that the JSESSIONID value is not appended to the URL. If you want Cloud Access Manager to verify that a JSESSIONID value is present, but not what the value is, you can just strip the value as shown below.

NOTE: If the password field is located on a separate page, you will need to manually specify the URL of the password page. Cloud Access Manager requires the application to use a different URL for the password page to that of the login page containing the username field.
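The URL rules in this section (case-sensitive path, only the selected query string parameters, JSESSIONID checked for presence but not value) can be modelled as below. This is an added example for reasoning about a configuration, not Cloud Access Manager's own code; the function names, parameters and sample URLs are assumptions.

```python
from urllib.parse import urlsplit, parse_qsl

def split_path_params(path):
    """Separate ';name=value' path parameters (e.g. jsessionid) from the path."""
    base, *params = path.split(";")
    names = [p.split("=", 1)[0].lower() for p in params if p]
    return base, names

def is_login_page(url, login_path, required_query=None, require_jsessionid=False):
    """Model of the matching rules described in this section.

    login_path         -- compared case-sensitively, exactly as typed
    required_query     -- only the parameters selected as identifying the page
    require_jsessionid -- require a jsessionid to be present, ignoring its value
    """
    parts = urlsplit(url)
    base, param_names = split_path_params(parts.path)
    if base != login_path:  # case-sensitive comparison
        return False
    if require_jsessionid and "jsessionid" not in param_names:
        return False
    query = dict(parse_qsl(parts.query, keep_blank_values=True))
    # Parameters that were not selected (session IDs, return URLs) are ignored.
    return all(query.get(k) == v for k, v in (required_query or {}).items())

if __name__ == "__main__":
    # Constructed requests based on the URL shapes used in this guide.
    samples = [
        ("https://server/OA_HTML/RF.jsp?functionId=200&sid=aaa", {"functionId": "200"}),
        ("https://server/OA_HTML/RF.jsp?functionId=150&sid=bbb", {"functionId": "200"}),
        # Selecting a per-session parameter stops the page matching for others.
        ("https://server/OA_HTML/RF.jsp?functionId=200&sid=bbb",
         {"functionId": "200", "sid": "aaa"}),
    ]
    for url, selected in samples:
        print(is_login_page(url, "/OA_HTML/RF.jsp", selected), url)
```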

NOTE: If you are configuring an application that contains more than one </head> tag in its form fill URL (for example, because it launches a pop-up via JavaScript), it is possible that Cloud Access Manager could inject the form fill JavaScript at the wrong point in the page. This may prevent form fill authentication and rendering of the application from functioning as expected. To avoid this issue, ensure that any extra </head> tags in the page are positioned after the closing tag for the page’s actual head.
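A saved copy of the page source can be checked for this condition before form fill is configured. The following is an added example, not part of the product; the sample pages are constructed, and treating the first </head> outside a <script> block as the page's actual head close is an assumption of this sketch.

```python
import re

HEAD_CLOSE = re.compile(r"</head\s*>", re.IGNORECASE)
SCRIPT_BLOCK = re.compile(r"<script\b[^>]*>.*?</script\s*>",
                          re.IGNORECASE | re.DOTALL)

# Constructed pages: a pop-up written from JavaScript carries its own </head>.
POPUP_JS = ('<script>function help(){var w=window.open();\n'
            'w.document.write("<html><head></head><body>Help</body></html>");}'
            '</script>\n')
BAD_PAGE = ('<html><head><title>App</title>\n' + POPUP_JS +
            '</head><body><form id="login"></form></body></html>\n')
GOOD_PAGE = ('<html><head><title>App</title>\n'
             '</head><body><form id="login"></form>\n'
             + POPUP_JS + '</body></html>\n')

def audit_head_tags(html):
    """Report </head> occurrences that precede the page's actual head close.

    Assumption: the actual close is the first </head> outside a <script> block.
    """
    scripts = [m.span() for m in SCRIPT_BLOCK.finditer(html)]
    closes = []  # (offset, line number, inside a script block?)
    for m in HEAD_CLOSE.finditer(html):
        pos = m.start()
        in_script = any(start <= pos < end for start, end in scripts)
        closes.append((pos, html.count("\n", 0, pos) + 1, in_script))
    real = next((c for c in closes if not c[2]), None)
    early = [line for pos, line, _ in closes if real and pos < real[0]]
    return {
        "total": len(closes),
        "real_line": real[1] if real else None,
        "early_lines": early,  # extra </head> tags that need to be moved
        "ok": real is not None and not early,
    }

if __name__ == "__main__":
    for name, page in (("BAD_PAGE", BAD_PAGE), ("GOOD_PAGE", GOOD_PAGE)):
        print(name, audit_head_tags(page))
```

A page reported with `ok` set to False has at least one extra </head> ahead of the real one, which is the layout the note above says to avoid.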
