How to Configure Automatic Login to Web Portals

You can create services that manage access to web portals. You can set up manual login or automatic login. This topic describes how to set up automatic login to web portals.
You can create services that manage access to web portals. You can set up manual login or automatic login. This topic describes how to set up automatic login to web portals.
The following methods are available to log a user into a target web portal automatically:
  • PAM
    HTML Web SSO:
    Use this option when the login method that the web portal employs is HTML-based. This method is the most common.
    As a web page is loaded into the
    Browser, a JavaScript injection provides credentials to the web page HTML, then executes the login. This method requires that the administrator "teach"
    which login page widgets to use. Some widgets capture the username and the password while another widget acts as the login trigger. Examples of web portals that use this method include Dropbox and Google.
  • PAM
    HTTP Web SSO:
    Use this option when the login method that the web portal employs is the HTTP protocol.
    In this case,
    encodes login credentials and inserts them into a header. The header is appended onto each HTTP or HTTPS request. Examples of web portals that use this method include Microsoft SharePoint installations.
  • Built-in Auto-Login Methods:
    Built-in methods are also available. These built-in methods allow automatic login-in with the following specific web portals:
Configure a TCP/UDP Auto-Login Service
Create a TCP/UDP auto-login service that is associated with the web portal.
Follow these steps
  1. Navigate to
    Manage TCP/UDP Services
  2. Select
    to create a TCP/UDP service.
  3. For
    Service Name
    , specify a unique name that identifies the service, such as the name of the associated web portal.
  4. For
    Local IP
    , specify an
    local IPv4 address for this service. The local IP address is replaced by the address of the target device when the service is launched.
  5. For
    , define the ports or port range that the client application opens to gain access to the device. Example: 8000
  6. For
    Application Protocol
    , select Web Portal.
    More options appear on the right side of the page.
  7. For
    , select the appropriate method, as described previously:
    • PAM
      HTML Web SSO
      is best suited to websites that have user name and password entry fields. This method requires administrator configuration using the Learn Tool.
    • PAM
      HTTP Web SSO
      is best suited to websites that receive user names and passwords programmatically, such as through Windows Authentication. This method does not require using the Learn Tool.
    • SAML2.0 SSO POST
      requires information about the web portal SAML attributes. See Set Up SAML 2.0 SSO POST for Auto-Login for more information. 
  8. For
    Launch URL
    , follow the example URL. To access the URL
    , replace the target login address (
    ) with the target template
    <Local IP>:<First Port>
    . The resulting entry is:
    https://<Local IP>:<First Port>/login.html
  9. For
    Browser Type
    , select CA PAM Browser to enable session recording.
  10. For
    Access List
    , enter
    (an asterisk) as a wildcard. The
    Access List
    indicates the URLs that can be accessed along with the launch URL. During the Auto-Login, to login to the web portal, the launch URL is followed by other URLs pertaining to the response of login. Therefore, to Auto-Login to the web portal, the
    Access List
    must be either “*” or each host that is allowed access.
  11. Select
    to save the service.
Assign the Auto-Login Service to a Device
Add the newly created service to the device hosting the web portal. The device is then available for a policy. See Device Setup for more information about configuring a device.
Follow these steps:
  1. Select
    Devices, Manage Devices
  2. Add the target device hosting the web portal.
  3. Select the
    tab then select the new TCP/UDP service that you defined.
  4. Select
Create a Target Application, Target Account, and Policy
Configure a target application and account for the web portal. Completing these tasks enables the storage of credentials. The policy ties the users and the device together to access the web portal automatically.
Follow these steps:
  1. Select
    Credentials, Manage Targets, Applications
  2. Select
    , then complete the following fields:
    • Host Name:
      Use the magnifying glass
      icon to find and select the host name of the device hosting the web portal.
      Device Name
      is automatically populated.
    • Application Name:
      Enter a descriptive application name.
    • Application Type:
      Accept the default, Generic.
  3. Select 
    to save the target application.
  4. Select
    Credentials, Manage Targets, Accounts
  5. Select
    , then complete the following fields:
    • Application Name:
      Use the magnifying glass
      icon to find and select the application.
      Host Name
      is automatically filled.
    • Account Name:
      Enter the name of the account (user name) for logging in to the web portal. For example:
    • Password:
      Enter the password for the account.
  6. Select
    to save the target account.
  7. Select
    Policies, Manage Policies
  8. Select
    and set up a policy that associates an existing user or group to the device that hosts the automated login service.
  9. On the
    tab, select the Service that you created.
  10. In the Target Account column, use the Edit magnifying glass icon to select the Account.
  11. Select
If your target website uses the
HTML Web SSO method, you must configure a "learn" procedure to activate the portal for end users.
Set up a Learn Procedure for
For target websites that use the
HTML Web SSO method, perform a "learn" procedure to activate the portal for end users. An HTML auto-connection portal requires that the HTML field and button widgets be identified. These settings capture a login username and password and activate the browser to submit the username and password for login processing.
Follow these steps to set up the Learn procedure:
  1. Log in to the
  2. Go to the
    page. A Web Portal drop-down is now available with two services for this device, for example,
    MyApp (LEARN)
    • The
      option shows a red
      to its left. The administrator uses the Learn option to contact the login address and teach the service to recognize the target widgets. After the setup is successful, the red
      changes to a green checkmark. The checkmark indicates that access to the web portal is activated and is ready to use.
    • The
      option is for the actual login entry. The administrator must successfully apply the learn mode
      for the login service to function.
  3. Select the
    The learn tool launches the target web portal page, but you cannot log in. The window name in the browser title bar is prefaced with "Learn mode for Web SSO."
  4. For the service to use widgets for auto-login, teach the service where the widgets are located:
    1. Right-click In the
      User Name
      (or other name identifier) field to open the learning menu.
    2. Select
      Mark Accountname Field
      The field is populated with the placeholder field "
    3. Right-click in the
      field and select
      Mark Password Field
      The field is populated with an obfuscated password.
    4. Hover over the button to log in then right-click to select
      Mark Submit Button
    5. For any other required widgets for your portal, perform the required action for each widget. (There is no right-click menu item to select, and there is no feedback, but all action is recorded.)
    For example, to teach the service to learn the interface to another site, target the portal that requires LDAP authentication. In addition to teaching the service
    about the three widgets, select "LDAP" for the
    Authentication Type
    setting. Also, select the appropriate configured domain from the list. All these actions are preserved for auto-connection when you save them.
  5. In the upper-right corner of the browser window, select the Save
    auto-login template
    disk icon.
    The configuration is saved and the browser window closes.
  6. Repeat the learning process at any time to save new results.
  7. Return to the
    page. The learning option now has the green checkmark, indicating that the Learn option is complete.
When an end-user logs in to the UI, the
page now has a single access link without the learn-mode option. The user selects that link and gets auto-logged on to the target web portal.
Set Up SAML 2.0 SSO POST for Auto-Login
You can set up automatic login to third-party web portals that support SAML SSO, such as To configure many of the SAML SSO information fields and attributes for the Web Portal, you must refer to the third-party SAML provider instructions. Ideally, you want to import SAML 2.0 SP metadata from the provider as XML. See How to Configure the Product as an Identity Provider (IdP) for detailed information about setting up SAML authentication, including examples for AWS and Google applications.
See Configure a TCP/UDP Auto-Login Service for instruction on configuring the
Basic Info
tab of a TCP/UDP Service. When you select SAML 2.0 SSO POST as the
Auto-Login Method
, two tabs become active.
  1. On the
    Basic Info
    tab, use the Web Portal
    Entity ID
    as the
    Service Name
    . This value is often a domain name.
  2. For the
    Auto Login Method
    , select SAML 2.0 SSO POST.
    The SAML SSO Info and SAML SSO Attributes tabs become active.
  3. In the
    Launch URL
    field, enter the Assertion Consumer Service (ACS) URL of the RP.  The ACS URL is a combination of the
    web portal URL root and the ACS URL. For example, the web portal URL root is: "https://local_ipfirst_port". The ACS URL is:
    Resulting Launch URL is:
  4. Leave the
    Route Through
    checkbox selected. This option directs all traffic through
    . When this option is not selected, traffic goes directly to the web service from the client workstation.
  5. On the
    SAML SSO Info
    tab, enter the following information from the third-party RP:
    • SAML Entity ID:
      This ID is typically a domain name.
    • Initiating Party:
      Select which partner initiates the call.
      • SP Initiated
        If the user logs in to the SP/RP first, an authentication request is sent to the IdP to obtain the assertion. The returned assertion allows the SP to make a service access decision. (SAML 2.0 only)
      • IdP Initiated
        – The user logs in to the IdP to initiate connection and to obtain the assertion for a service at an SP.
    • Require Signed Authn Requests:
      This checkbox is selected by default. The SP must sign the authentication request that it sends to the IdP. To verify the signature, specify the supplied PEM signing certificate, gkcert.crt.
      in the PEM Signing Certificate field.
    • Encryption:
      By default, encryption is not enabled.
      Select whether
      encrypts, the Name ID or the Assertion
      then paste the base64 translation of X.509 certificate encryption certificate in the
      PEM Encryption Certificate
      field. Example:
      <ds:X509Data> <ds:X509Certificate>
  6. On the
    SAML SSO Attributes
    tab, select the appropriate
    SAML SSO Subject Name Identifier Formats
    for your web portal. If your provider requires an attribute that is not listed, provide the attribute in the
    Add a new SAML SSO
    section. Complete the fields for each entry.
    • Name: Specify the attribute name.
    • Friendly Name: assign a name or tag for use by the appliance. If the imported SP metadata does not provide the friendly name, the entry for the Name field is used.
    • Required: Select if the SP requires this attribute.
      You might have to add a SAML mapping on the
      tab of the Policy configuration.
  7. Select
  8. Follow the instructions in Assign the Auto-Login Service to a Device.
Automatic Login to vSphere Web Client 6.0 Configuration
To configure automatic login to vSphere Web Client 6.0, use the following settings when completing the previous procedures:
  • Port:
  • Auto-Login Method:
    HTTP Web SSO
  • Launch URL:
    https://<Local IP>:<First Port>
  • Address:
    Specify the vSphere server domain name. An IP address does not work. Example: