How to Configure Automatic Login to Web Portals

You can create services that manage access to web portals. You can set up manual login or automatic login. This topic describes how to set up automatic login to web portals.
The following methods are available to log a user into a target web portal automatically:
  • CA PAM HTML Web SSO: Use this option when the login method that the web portal employs is HTML-based. This method is the most common. As a web page is loaded into the CA PAM Browser, a JavaScript injection provides credentials to the web page HTML, then executes the login. This method requires that the administrator "teach" CA PAM which login page widgets to use. Some widgets capture the username and the password while another widget acts as the login trigger. Examples of web portals that use this method include Dropbox and Google.
  • CA PAM HTTP Web SSO: Use this option when the login method that the web portal employs is the HTTP protocol. In this case, CA PAM encodes login credentials and inserts them into a header. The header is appended onto each HTTP or HTTPS request. Examples of web portals that use this method include Microsoft SharePoint installations.
  • Built-in Auto-Login Methods: Built-in methods are also available. These built-in methods allow automatic login to the following specific web portals:
Configure a TCP/UDP Auto-Login Service
Create a TCP/UDP auto-login service that is associated with the web portal.
Follow these steps:
  1. Navigate to Services, Manage TCP/UDP Services.
  2. Select Add to create a TCP/UDP service.
  3. For Service Name, specify a unique name that identifies the service, such as the name of the associated web portal.
  4. For Local IP, specify an unused local IPv4 address for this service. The local IP address is replaced by the address of the target device when the service is launched.
  5. For Ports, define the ports or port range that the client application opens to gain access to the device. Example: 8000
  6. For Application Protocol, select Web Portal. More options appear on the right side of the page.
  7. For Auto-Login Method, select the appropriate method, as described previously:
     • CA PAM HTML Web SSO is best suited to websites that have user name and password entry fields. This method requires administrator configuration using the Learn Tool.
     • CA PAM HTTP Web SSO is best suited to websites that receive user names and passwords programmatically, such as through Windows Authentication. This method does not require using the Learn Tool.
     • SAML2.0 SSO POST requires information about the web portal SAML attributes. See Set Up SAML 2.0 SSO POST for Auto-Login for more information.
  8. For Launch URL, follow the example URL. To access the URL https://www.forwardinc.com/login.html, replace the target login address (www.forwardinc.com) with the target template <Local IP>:<First Port>. The resulting entry is: https://<Local IP>:<First Port>/login.html
  9. For Browser Type, select CA PAM Browser to enable session recording.
  10. For Access List, enter * (an asterisk) as a wildcard.
  11. Select OK to save the service.
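As an added illustration (not part of the product documentation or the product's own code), the following Python snippet applies the two Launch URL rules this page describes: the host replacement with the <Local IP>:<First Port> template in step 8, and the ACS-based Launch URL described later under Set Up SAML 2.0 SSO POST for Auto-Login. The function names and the "8000-8010" port-range syntax are assumptions; the URLs are the page's own examples.

```python
import ipaddress
from urllib.parse import urlsplit, urlunsplit

# Literal template that the appliance substitutes when the service is launched
# (step 8 of "Configure a TCP/UDP Auto-Login Service").
LOCAL_TEMPLATE = "<Local IP>:<First Port>"


def first_port_of(ports_spec: str) -> int:
    """Return the first port of a Ports entry such as "8000" or "8000-8010" (step 5).
    The dash syntax for a range is an assumption about the entry format."""
    first = ports_spec.split("-", 1)[0].strip()
    if not first.isdigit() or not 1 <= int(first) <= 65535:
        raise ValueError(f"invalid ports entry: {ports_spec!r}")
    return int(first)


def launch_url_template(portal_login_url: str) -> str:
    """HTML / HTTP Web SSO: keep scheme, path and query of the portal login URL,
    but replace the host with the <Local IP>:<First Port> template."""
    p = urlsplit(portal_login_url)
    if p.scheme not in ("http", "https") or not p.netloc:
        raise ValueError(f"not an absolute http(s) URL: {portal_login_url!r}")
    return urlunsplit((p.scheme, LOCAL_TEMPLATE, p.path, p.query, ""))


def saml_launch_url(local_ip: str, ports_spec: str, acs_url: str) -> str:
    """SAML 2.0 SSO POST: the web portal URL root (https://<local ip>:<first port>)
    joined with the path of the SP's Assertion Consumer Service URL (SAML step 3)."""
    ipaddress.IPv4Address(local_ip)  # Local IP must be an IPv4 address (step 4)
    acs = urlsplit(acs_url)
    if acs.scheme != "https" or not acs.path:
        raise ValueError(f"ACS URL must be an absolute https URL with a path: {acs_url!r}")
    root = f"{local_ip}:{first_port_of(ports_spec)}"
    return urlunsplit(("https", root, acs.path, acs.query, ""))
```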
Assign the Auto-Login Service to a Device
Add the newly created service to the device hosting the web portal. The device is then available for a policy. See Device Setup for more information about configuring a device.
Follow these steps:
  1. Select Devices, Manage Devices.
  2. Add the target device hosting the web portal.
  3. Select the Services tab, then select the new TCP/UDP service that you defined.
  4. Select OK.
Create a Target Application, Target Account, and Policy
Configure a target application and account for the web portal. Completing these tasks enables the storage of credentials. The policy ties the users and the device together to access the web portal automatically.
Follow these steps:
  1. Select Credentials, Manage Targets, Applications.
  2. Select Add, then complete the following fields:
     • Host Name: Use the magnifying glass Select icon to find and select the host name of the device hosting the web portal. Device Name is automatically populated.
     • Application Name: Enter a descriptive application name.
     • Application Type: Accept the default, Generic.
  3. Select OK to save the target application.
  4. Select Credentials, Manage Targets, Accounts.
  5. Select Add, then complete the following fields:
     • Application Name: Use the magnifying glass Select icon to find and select the application. Host Name is automatically filled.
     • Account Name: Enter the name of the account (user name) for logging in to the web portal. For example: admin.
     • Password: Enter the password for the account.
  6. Select OK to save the target account.
  7. Select Policies, Manage Policies.
  8. Select Add and set up a policy that associates an existing user or group to the device that hosts the automated login service.
  9. On the Services tab, select the service that you created.
  10. In the Target Account column, use the Edit magnifying glass icon to select the account.
  11. Select OK.
If your target website uses the CA PAM HTML Web SSO method, you must configure a "learn" procedure to activate the portal for end users.
Set up a Learn Procedure for CA PAM HTML Web SSO
For target websites that use the CA PAM HTML Web SSO method, perform a "learn" procedure to activate the portal for end users. An HTML auto-connection portal requires that the HTML field and button widgets be identified. These settings capture a login username and password and activate the browser to submit the username and password for login processing.
Follow these steps to set up the Learn procedure:
  1. Log in to the CA PAM UI.
  2. Go to the Access page. A Web Portal drop-down is now available with two services for this device, for example, MyApp (LEARN) and MyApp.
     • The Learn option shows a red X to its left. The administrator uses the Learn option to contact the login address and teach the service to recognize the target widgets. After the setup is successful, the red X changes to a green checkmark. The checkmark indicates that access to the web portal is activated and is ready to use.
     • The Login option is for the actual login entry. The administrator must successfully apply the learn mode first for the login service to function.
  3. Select the Learn option. The learn tool launches the target web portal page, but you cannot log in. The window name in the browser title bar is prefaced with "Learn mode for Web SSO."
  4. For the service to use widgets for auto-login, teach the service where the widgets are located:
     1. Right-click in the User Name (or other name identifier) field to open the learning menu.
     2. Select Mark Accountname Field. The field is populated with the placeholder value "accountname".
     3. Right-click in the Password field and select Mark Password Field. The field is populated with an obfuscated password.
     4. Hover over the login button, then right-click and select Mark Submit Button.
     5. For any other widgets that your portal requires, perform the required action for each widget. (There is no right-click menu item to select, and there is no feedback, but every action is recorded.)
     For example, to teach the service the interface of a portal that requires LDAP authentication, in addition to teaching the service about the three widgets, select "LDAP" for the Authentication Type setting and select the appropriate configured domain from the list. All these actions are preserved for auto-connection when you save them.
  5. In the upper-right corner of the browser window, select the Save auto-login template disk icon. The configuration is saved and the browser window closes.
  6. Repeat the learning process at any time to save new results.
  7. Return to the Access page. The learning option now has the green checkmark, indicating that the Learn option is complete.
When an end user logs in to the UI, the Access page now has a single access link without the learn-mode option. The user selects that link and is automatically logged on to the target web portal.
Set Up SAML 2.0 SSO POST for Auto-Login
You can set up automatic login to third-party web portals that support SAML SSO, such as Google.com. To configure many of the SAML SSO information fields and attributes for the Web Portal, you must refer to the third-party SAML provider instructions. Ideally, you want to import SAML 2.0 SP metadata from the provider as XML. See How to Configure the Product as an Identity Provider (IdP) for detailed information about setting up SAML authentication, including examples for AWS and Google applications.
See Configure a TCP/UDP Auto-Login Service for instructions on configuring the Basic Info tab of a TCP/UDP service. When you select SAML 2.0 SSO POST as the Auto-Login Method, two tabs become active.
  1. On the Basic Info tab, use the web portal Entity ID as the Service Name. This value is often a domain name.
  2. For the Auto-Login Method, select SAML 2.0 SSO POST. The SAML SSO Info and SAML SSO Attributes tabs become active.
  3. In the Launch URL field, enter the Assertion Consumer Service (ACS) URL of the RP. The resulting URL combines the CA PAM web portal URL root with the ACS URL. For example, the web portal URL root is "https://local_ip:first_port" and the ACS URL is https://capamAsSp.example.com/samlsp/module.php/saml/sp/saml2-acs.php/capam-default-sp. The resulting Launch URL is https://111.12.123.21:239/samlsp/module.php/saml/sp/saml2-acs.php/capam-default-sp
  4. Leave the Route Through CA PAM checkbox selected. This option directs all traffic through CA PAM. When this option is not selected, traffic goes directly to the web service from the client workstation.
  5. On the SAML SSO Info tab, enter the following information from the third-party RP:
     • SAML Entity ID: This ID is typically a domain name.
     • Initiating Party: Select which partner initiates the call.
       • SP Initiated (default): If the user logs in to the SP/RP first, an authentication request is sent to the IdP to obtain the assertion. The returned assertion allows the SP to make a service access decision. (SAML 2.0 only)
       • IdP Initiated: The user logs in to the IdP to initiate the connection and to obtain the assertion for a service at an SP.
     • Require Signed Authn Requests: This checkbox is selected by default. The SP must sign the authentication request that it sends to the IdP. To verify the signature, specify the supplied PEM signing certificate, gkcert.crt, in the PEM Signing Certificate field.
     • Encryption: By default, encryption is not enabled. Select whether CA PAM encrypts the Name ID or the Assertion, then paste the base64 content of the X.509 encryption certificate in the PEM Encryption Certificate field. Example:
       <ds:X509Data> <ds:X509Certificate>
       encodedContent
       </ds:X509Certificate> </ds:X509Data>
  6. On the SAML SSO Attributes tab, select the appropriate SAML SSO Subject Name Identifier Formats for your web portal. If your provider requires an attribute that is not listed, provide the attribute in the Add a new SAML SSO Attribute section. Complete the fields for each entry.
     • Name: Specify the attribute name.
     • Friendly Name: Assign a name or tag for use by the appliance. If the imported SP metadata does not provide the friendly name, the entry for the Name field is used.
     • Required: Select if the SP requires this attribute. You might have to add a SAML mapping on the SAML tab of the Policy configuration.
  7. Select OK.
  8. Follow the instructions in Assign the Auto-Login Service to a Device.
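The PEM Encryption Certificate and PEM Signing Certificate fields in step 5 take the certificate that the SP publishes in its metadata. This added Python example (not part of the product or its documentation) pulls the X509Certificate for the requested KeyDescriptor use out of an SP metadata document, checks that it is valid base64, and wraps it as PEM for pasting; it also reads the AuthnRequestsSigned flag that corresponds to the Require Signed Authn Requests checkbox. The sample metadata, its entity ID and the certificate bodies are constructed placeholders.

```python
import base64
import xml.etree.ElementTree as ET

# Namespaces used in SAML 2.0 SP metadata.
NS = {
    "md": "urn:oasis:names:tc:SAML:2.0:metadata",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}

# Constructed sample: minimal SP metadata with one signing and one encryption key.
# The certificate bodies are placeholder base64, not real certificates.
_ENC_B64 = base64.b64encode(b"constructed encryption placeholder, not a certificate" * 3).decode()
_SIG_B64 = base64.b64encode(b"constructed signing placeholder, not a certificate" * 3).decode()
SAMPLE_SP_METADATA = f"""<?xml version="1.0"?>
<md:EntityDescriptor xmlns:md="{NS['md']}" xmlns:ds="{NS['ds']}"
    entityID="capamAsSp.example.com">
  <md:SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol"
      AuthnRequestsSigned="true">
    <md:KeyDescriptor use="signing"><ds:KeyInfo><ds:X509Data>
      <ds:X509Certificate>{_SIG_B64}</ds:X509Certificate></ds:X509Data></ds:KeyInfo></md:KeyDescriptor>
    <md:KeyDescriptor use="encryption"><ds:KeyInfo><ds:X509Data>
      <ds:X509Certificate>{_ENC_B64}</ds:X509Certificate></ds:X509Data></ds:KeyInfo></md:KeyDescriptor>
  </md:SPSSODescriptor>
</md:EntityDescriptor>"""


def sp_certificate_pem(metadata_xml: str, use: str = "encryption") -> str:
    """Return the SP certificate for KeyDescriptor use "encryption" or "signing" as PEM."""
    root = ET.fromstring(metadata_xml)
    sp = root.find("md:SPSSODescriptor", NS)
    if sp is None:
        raise ValueError("metadata has no SPSSODescriptor")
    # A KeyDescriptor without a 'use' attribute is valid for both purposes.
    matches = [kd for kd in sp.findall("md:KeyDescriptor", NS) if kd.get("use") in (use, None)]
    if len(matches) != 1:
        raise ValueError(f"expected exactly one {use} KeyDescriptor, found {len(matches)}")
    cert = matches[0].find("ds:KeyInfo/ds:X509Data/ds:X509Certificate", NS)
    if cert is None or not cert.text:
        raise ValueError(f"{use} KeyDescriptor carries no X509Certificate")
    body = "".join(cert.text.split())      # metadata often wraps the base64 across lines
    base64.b64decode(body, validate=True)  # reject anything that is not clean base64
    lines = [body[i:i + 64] for i in range(0, len(body), 64)]
    return "-----BEGIN CERTIFICATE-----\n" + "\n".join(lines) + "\n-----END CERTIFICATE-----\n"


def sp_requires_signed_authn_requests(metadata_xml: str) -> bool:
    """True when the SP declares AuthnRequestsSigned="true" (Require Signed Authn Requests)."""
    sp = ET.fromstring(metadata_xml).find("md:SPSSODescriptor", NS)
    return sp is not None and sp.get("AuthnRequestsSigned", "false").lower() == "true"
```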
Automatic Login to vSphere Web Client 6.0 Configuration
To configure automatic login to vSphere Web Client 6.0, use the following settings when completing the previous procedures:
  • Port: 443
  • Auto-Login Method: CA PAM HTTP Web SSO
  • Launch URL: https://<Local IP>:<First Port>/vsphere-client
  • Address: Specify the vSphere server domain name. An IP address does not work. Example: vcenter.north.afc.nfl.local