How to Configure NetScaler Gateway for Single Sign-On to a Web Form

Article ID: CTX124794

Description

This article describes how to configure NetScaler Gateway for Single Sign-On to a Web Form. Products such as Microsoft OWA often present their login page as a Web form.

On earlier versions of NetScaler Gateway, single sign-on to such forms was not possible and users had to log in manually. The only other option was to configure the back-end server for Basic/NTLM authentication. With the release of NetScaler Gateway 9.2, a traffic policy with a Form SSO action can be configured to provide single sign-on to Web-based applications.

The following example configuration can be used for Microsoft OWA 2003 and 2007.


Instructions

You can configure Single Sign-On to a Web Form through either the CLI or the GUI by completing one of the following procedures:

Configuration Using CLI

Run the following commands at the CLI prompt of the NetScaler appliance (replace <vserver name> with the name of your NetScaler Gateway virtual server):
add vpn formSSOAction owa2k3act -actionURL "/exchweb/bin/auth/owaauth.dll" -userField username -passwdField password -ssoSuccessRule "http.RES.SET_COOKIE.COOKIE(\"cadata\").VALUE(\"cadata\").LENGTH.GT(70)" -responsesize 15000
add vpn trafficAction owa2k3trafficact http -SSO ON -formSSOAction owa2k3act
add vpn trafficPolicy owa2k3policy "URL CONTAINS auth/owalogon.asp" owa2k3trafficact
bind vpn vserver <vserver name> -policy owa2k3policy

Configuration Using GUI

1. In the Configuration tab, navigate to NetScaler Gateway > Policies > Traffic.

2. Click the Form SSO Profiles tab and click Add to configure a Form SSO Profile.
   Update the following fields and click OK:
   Name: Unique name of the Form SSO Profile.
   Action URL*: /exchweb/bin/auth/owaauth.dll
   User Name Field: username
   Password Field: password
   Expression: http.RES.SET_COOKIE.COOKIE("cadata").VALUE("cadata").LENGTH.GT(70)
   Response Size: 15000
   Extraction*: Dynamic

3. Click the Form SSO Profiles tab and click Add to add a traffic profile.
   Update the following fields and click OK:
   Name: owa2k3trafficact
   Protocol: HTTP
   Single Sign-on: ON
   Form SSO Profile: owa2k3act

4. Click the Traffic Policies tab and click Add to create a Traffic Policy.
   Update the following fields and click OK:
   Name: owa2k3policy
   Request Profile*: owa2k3trafficact
   Expression*: URL CONTAINS auth/owalogon.asp

5. Navigate to NetScaler Gateway > Virtual Server, highlight the virtual server and click Edit to bind the policy to the NetScaler Gateway virtual server.
   Update the following fields and click Bind:
   In the Policies field, click the > symbol in the Traffic Policy section.
   Click Add Binding.
   In the Select Policy* field, click the > symbol.
   Click the policy "owa2k3policy" and click Select.

6. The policy appears under the VPN Virtual Server Traffic Binding. Click Close.


Additional Information

The extraction method in this configuration is set to Dynamic. If it is set to Static, NetScaler Gateway posts exactly what is configured in the Name Value Pair (nameValuePair) of the Form SSO action, without reading the server's form.

If it is set to Dynamic, NetScaler Gateway parses the server's response, extracts the login form, fills in the user name and password fields and submits the form to the URL configured as the Action URL.

NetScaler Gateway parses the response only up to the size configured in the Response Size parameter to extract the forms, so a login form that starts beyond that limit is never found. After parsing the response, NetScaler Gateway picks the form whose action matches the configured Action URL and that contains the user name and password fields named in the configuration. Using the ssoSuccessRule, the gateway then decides whether Single Sign-on (SSO) succeeded. If the rule evaluates false, it replays the original URL to the server and forwards that response to the client, and the client submits the credentials itself.

For Microsoft OWA 2003 and 2007, the responses for the success and failure cases look the same. The only difference observed is the length of the cadata cookie. Therefore, the success rule in this example is based on the length of the value of the cadata cookie.

Be aware that different products return different responses, so the success rule expression must be adjusted for each product. The form field names for user name and password must also be adjusted on a per-product basis.
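To make the Dynamic extraction flow and the success rule concrete, the following Python script models the steps described above (parse only the first Response Size bytes, pick the form matching the Action URL that carries the configured user name and password fields, fill it, then evaluate a cadata-length success rule). It is an added illustration, not NetScaler code or a Citrix tool; the login page and the Set-Cookie headers are constructed samples that merely resemble an OWA 2003 logon page, and the field and cookie names are taken from the configuration in this article.

```python
"""Model of NetScaler Gateway's dynamic form-SSO flow (added illustration, not Citrix code)."""
from html.parser import HTMLParser
from urllib.parse import urlencode

# Constructed sample login page, shaped loosely like an OWA 2003 logon form.
# It deliberately contains a second form (search) that must NOT be selected.
SAMPLE_LOGIN_PAGE = b"""<html><head><title>Outlook Web Access</title></head>
<body>
<form action="/exchweb/bin/search.dll" method="get">
  <input type="text" name="q" value="">
  <input type="submit" value="Search">
</form>
<form action="/exchweb/bin/auth/owaauth.dll" method="post" name="logonForm">
  <input type="hidden" name="destination" value="https://mail.example.com/exchange/">
  <input type="hidden" name="flags" value="0">
  <input type="text" name="username" value="">
  <input type="password" name="password" value="">
  <input type="checkbox" name="trusted" value="4">
  <input type="submit" value="Log On">
</form>
</body></html>
"""


class FormExtractor(HTMLParser):
    """Collects every <form> with its action and the name/value of its <input> fields."""

    def __init__(self):
        super().__init__()
        self.forms = []
        self._current = None

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "form":
            self._current = {"action": a.get("action", ""), "fields": {}}
        elif tag == "input" and self._current is not None:
            name = a.get("name")
            if name:
                self._current["fields"][name] = a.get("value", "")

    def handle_endtag(self, tag):
        # A form is only complete once its closing tag is seen; a form that is
        # cut off by the response-size limit is therefore never returned.
        if tag == "form" and self._current is not None:
            self.forms.append(self._current)
            self._current = None


def extract_forms(body, response_size):
    """Parse only the first response_size bytes, as the -responsesize parameter does."""
    parser = FormExtractor()
    parser.feed(body[:response_size].decode("utf-8", "replace"))
    parser.close()
    return parser.forms


def select_form(forms, action_url, user_field, passwd_field):
    """Pick the form whose action matches the configured Action URL and has both fields."""
    for form in forms:
        if (form["action"].endswith(action_url)
                and user_field in form["fields"]
                and passwd_field in form["fields"]):
            return form
    return None


def build_post_body(form, user_field, passwd_field, username, password):
    """Autofill the selected form: hidden fields are kept, credentials are inserted."""
    fields = dict(form["fields"])
    fields[user_field] = username
    fields[passwd_field] = password
    return urlencode(fields)


def sso_success(set_cookie_headers, cookie_name="cadata", min_len=70):
    """Equivalent of http.RES.SET_COOKIE.COOKIE("cadata").VALUE("cadata").LENGTH.GT(70).

    Returns True when the named cookie is set with a value longer than min_len.
    A False result is where the gateway would replay the original URL instead.
    """
    for header in set_cookie_headers:
        name, _, rest = header.partition("=")
        if name.strip() == cookie_name:
            value = rest.split(";", 1)[0]
            return len(value) > min_len
    return False


if __name__ == "__main__":
    forms = extract_forms(SAMPLE_LOGIN_PAGE, 15000)
    form = select_form(forms, "/exchweb/bin/auth/owaauth.dll", "username", "password")
    print("selected form:", form["action"])
    print("post body:", build_post_body(form, "username", "password", "alice", "example-pass"))
    # Constructed headers: one long cadata cookie (success), one short one (failure).
    print("success:", sso_success(["cadata=" + "A" * 80 + "; path=/; HttpOnly"]))
    print("success:", sso_success(["cadata=" + "A" * 40 + "; path=/"]))
```

The truncation behaviour is the part worth testing in a real deployment: if the login page grows (branding, scripts) and the form slips past the configured Response Size, extraction silently fails and users see the login page as if SSO were not configured. The length threshold in the success rule has the same fragility; it reflects an observed cookie length for one product version and must be re-measured, as the article says, for each product.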