UAG Form Login SSO - Lessons from the field
This is the next part of my UAG authentication presentation blog post, where I discuss form login authentication. I am a big fan of Ben Ari and usually follow the suggestions in his blog post on form login SSO:
https://blogs.technet.com/b/ben/archive/2010/09/02/uag-custom-form-login.aspx
It is usually not possible to cover everything in a single blog post. Here I add to the suggestions my friend Ben provided in his post, using the troubleshooting approach I took on a case.
I was working on a case where the customer had changed the logon form page on his website, after which Single Sign On through UAG stopped working. After logging in to the portal, when the user tried to open the application he got the logon form instead of the application. I viewed the source of the page and found that the autosubmit script was not being injected into the logon page.
Troubleshooting Approach
1. URL of the logon page: I asked the admin to open IE on the UAG server itself and access the website's logon page; from there I got the URL of the logon page.
2. The form: after the page was opened in the browser, I viewed the source of the page and copied the whole HTML. For reference, here is my sample form page from my lab (not the actual problem logon page).
*********************************************************************************
<html>
<head>
</head>
<body>
<form ID="contosoform" action="login.html" method="post">
Username <input name="contoso_username" type="text" value="" />
Password <input name="contoso_password" type="password" />
<input name="contosologin" type="submit" value="Log In"/>
</form>
</body>
</html>
*********************************************************************************
3. After looking at the form, I noticed that the name of the form had changed: it was fabrikam-form earlier and now it was contosoform. So in the formlogin.xml file I changed the name of the form, which is highlighted in the form login section for that application below.
*******************formlogin.xml for the application****************
<APPLICATION>
<APPLICATION_TYPE> contosotest</APPLICATION_TYPE>
<USAGE description="form_login">
<PRIMARY_HOST_URL>.*</PRIMARY_HOST_URL>
<SECONDARY_HOST_URL>.*</SECONDARY_HOST_URL>
<SCRIPT_NAME source="data_definition">FormLoginSubmitStandard</SCRIPT_NAME>
<USER_AGENT>
<AGENT_TYPE search="group">all_supported</AGENT_TYPE>
<POLICY>multiplatform</POLICY>
<SCRIPT_NAME source="data_definition">FormLoginHandler</SCRIPT_NAME>
</USER_AGENT>
<MULTIPLE_LOGIN>true</MULTIPLE_LOGIN>
<LOGIN_FORM>
<NAME> contosoform</NAME>
<METHOD>POST</METHOD>
<CONTROL handling="dummy_value">
<TYPE>USER_NAME</TYPE>
<NAME>contoso_username</NAME>
<DEF_VALUE>uname</DEF_VALUE>
</CONTROL>
<CONTROL handling="dummy_value">
<TYPE>PASSWORD</TYPE>
<NAME>contoso_password</NAME>
<DEF_VALUE>pwd</DEF_VALUE>
</CONTROL>
</LOGIN_FORM>
</USAGE>
</APPLICATION>
****************************************************************
4. After modifying formlogin.xml at (C:\Program Files\Microsoft Forefront Unified Access Gateway\von\Conf\WizardDefaults\FormLogin\CustomUpdate\FormLogin.xml) on the UAG server and activating the configuration, we tested SSO and it was still not working.
5. Data analysis: I took a UAG trace while reproducing the issue and found the following in the tracing:
*************************************************************
Entering CProcessForm::PreProcessInputData CProcessForm::PreProcessTag(), Start
Exiting from CProcessForm::PreProcessInputData CProcessForm::PreProcessTag(), End
Exiting from CProcessForm::PreProcessInputData PreProcessInputData()::End
Info:INFO: ProcessBufferFromRWS():(wfeID=000000000570EAB0) Required form Name/ID not found but should be : not a formlogin - not processing
*************************************************************
6. Then I noticed that not just the name of the form had changed; the attribute used to identify the form had also changed in the new logon page. Earlier they were using Name="contosoform" and now they were using ID="contosoform", i.e. they had used Name to identify the form earlier and now they were using ID:
<form ID="contosoform" action="login.html" method="post">
7. When I compared that with the formlogin.xml for this application, the part which deals with it, i.e.
<NAME> contosoform </NAME>
clearly did not match the logon form: in the XML we have <NAME></NAME> tags, while the form uses "ID" to identify itself. So I modified this tag to
<ID> contosoform </ID>
in formlogin.xml. After making this change in formlogin.xml, I activated the UAG config and tested; then we got a message on the client screen saying that we have more than one form. I once again viewed the source of the page and found that the autosubmit script was now being injected. I searched the form tags and found that there were two forms on the logon page.
8. The default autosubmit script is:
**********************************************
function FormLoginSubmit()
{
    // UAG injects this script into the logon page; it only knows what to submit
    // when the page contains exactly one form.
    var formsCol = document.forms;
    if (formsCol.length == 1)
    {
        document.forms[0].submit();
    }
    else
    {
        // More than one form: the script cannot tell which one is the logon form.
        alert("more than one form");
    }
    return false;
}
**********************************************
We can see that this script checks whether there is only one form in the logon page; if so, it submits that form, otherwise it sends the alert message "more than one form".
9. If we have more than one form on the logon page, then we need to use a custom script and modify formlogin.xml as well to reference this custom script. I have an amazing friend called Stanley George who had this custom script ready and tested. He gave me this script:
***********************************************
function FormLoginSubmit()
{
    // Submit the logon form by its id attribute; 'login-form' must match the ID
    // of the target form (for the lab sample above it would be 'contosoform').
    document.getElementById('login-form').submit();
    return false;
}
***********************************************
I put this script file at (C:\Program Files\Microsoft Forefront Unified Access Gateway\von\Conf\Websites\<trunkname>\conf\Autosubmit_contoso.js) on all the nodes of the UAG array. When we use a custom script, we also need to modify formlogin.xml for that application, under the following section:
<SCRIPT_NAME source="file"> Autosubmit_contoso.js </SCRIPT_NAME>
10. After this change in formlogin.xml, I activated the UAG configuration and tested again, and now SSO was working fine.
11. I also made my final formlogin.xml a little more specific about the URL. After all the changes, the working formlogin.xml looks like this:
*************************************************************************
<APPLICATION>
<APPLICATION_TYPE>Contosotest</APPLICATION_TYPE>
<USAGE description="form_login">
<PRIMARY_HOST_URL>.*login\.html.*</PRIMARY_HOST_URL>
<SECONDARY_HOST_URL>.*login\.html.*</SECONDARY_HOST_URL>
<SCRIPT_NAME source="file">Autosubmit_contoso.js</SCRIPT_NAME>
<USER_AGENT>
<AGENT_TYPE search="group">all_supported</AGENT_TYPE>
<POLICY>multiplatform</POLICY>
<SCRIPT_NAME source="data_definition">FormLoginHandler</SCRIPT_NAME>
</USER_AGENT>
<MULTIPLE_LOGIN>true</MULTIPLE_LOGIN>
<LOGIN_FORM>
<ID>contosoform</ID>
<METHOD>POST</METHOD>
<CONTROL handling="dummy_value">
<TYPE>USER_NAME</TYPE>
<NAME>contoso_username</NAME>
<DEF_VALUE>uname</DEF_VALUE>
</CONTROL>
<CONTROL handling="dummy_value">
<TYPE>PASSWORD</TYPE>
<NAME>contoso_password</NAME>
<DEF_VALUE>pwd</DEF_VALUE>
</CONTROL>
</LOGIN_FORM>
</USAGE>
</APPLICATION>
*************************************************************************
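To catch the mistakes from steps 6 to 9 before activating a configuration, here is an added Python checker (my own example, not a UAG tool) that compares the LOGIN_FORM section of formlogin.xml against the logon page HTML: it reports when the form identifier is given as NAME but the page uses ID (the "Required form Name/ID not found" case from the trace), when a CONTROL name is not an input of that form, and when the page has more than one form, so the default FormLoginSubmit would alert. The HTML and XML samples inside are constructed to mirror this post.

```python
import xml.etree.ElementTree as ET
from html.parser import HTMLParser

class _FormScanner(HTMLParser):  # collects each <form> on the page with its id, name and input names
    def __init__(self):
        super().__init__()
        self.forms = []

    def handle_starttag(self, tag, attrs):
        a = {k: (v or "") for k, v in attrs}  # HTMLParser already lowercases tag/attribute names
        if tag == "form":
            self.forms.append({"id": a.get("id"), "name": a.get("name"), "inputs": set()})
        elif tag == "input" and self.forms:
            self.forms[-1]["inputs"].add(a.get("name"))

def check_formlogin(xml_text, html_text):
    """Return a list of findings; an empty list means the LOGIN_FORM section matches the page."""
    findings = []
    scanner = _FormScanner()
    scanner.feed(html_text)
    login_form = ET.fromstring(xml_text).find(".//LOGIN_FORM")
    # UAG matches the form either by <ID> or by <NAME>; stray whitespace around the value is trimmed.
    el = login_form.find("ID")
    key = "id" if el is not None else "name"
    want = (el if el is not None else login_form.find("NAME")).text.strip()
    matches = [f for f in scanner.forms if f[key] == want]
    if not matches:  # the "Required form Name/ID not found" case from the UAG trace
        seen = ", ".join(f"id={f['id']!r} name={f['name']!r}" for f in scanner.forms)
        return [f"form {key}={want!r} not found; page forms: {seen}"]
    for ctl in login_form.findall("CONTROL"):
        ctl_name = ctl.findtext("NAME").strip()
        if ctl_name not in matches[0]["inputs"]:
            findings.append(f"control {ctl_name!r} is not an input of form {want!r}")
    if len(scanner.forms) > 1:  # default FormLoginSubmit only submits when exactly one form exists
        findings.append(f"{len(scanner.forms)} forms on page: default FormLoginSubmit "
                        "will alert 'more than one form', a custom script is needed")
    return findings

# Constructed samples mirroring the post: the page identifies the form by ID, the XML by NAME.
PAGE_HTML = """<html><body><form ID="contosoform" action="login.html" method="post">
<input name="contoso_username" type="text" value="" /><input name="contoso_password" type="password" />
<input name="contosologin" type="submit" value="Log In"/></form></body></html>"""
XML_TEMPLATE = """<APPLICATION><USAGE description="form_login"><LOGIN_FORM>
{ident}<METHOD>POST</METHOD>
<CONTROL handling="dummy_value"><TYPE>USER_NAME</TYPE><NAME>contoso_username</NAME></CONTROL>
<CONTROL handling="dummy_value"><TYPE>PASSWORD</TYPE><NAME>contoso_password</NAME></CONTROL>
</LOGIN_FORM></USAGE></APPLICATION>"""
XML_BY_NAME = XML_TEMPLATE.format(ident="<NAME> contosoform</NAME>")  # reproduces the failing config
XML_BY_ID = XML_TEMPLATE.format(ident="<ID>contosoform</ID>")         # the working config
```

Run check_formlogin(XML_BY_NAME, PAGE_HTML) against the failing config and it reports the form not found; the ID variant returns an empty list.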
Note: When you test form login SSO or AppWrap, please clear the browser cache before testing the changes, as the browser caches the HTML content and at times, even after making a change in formlogin.xml or in the script, you may not see the change in the results.
I am preparing a presentation on this topic as part 2 of my previous UAG authentication presentation. It will further simplify what Ben has explained in his post and add my own experiences to it.