How to Configure Automatic Login to Web Portals
You can create services that manage access to web portals. You can set up manual login or automatic login. This topic describes how to set up automatic login to web portals.
The following methods are available to log a user into a target web portal automatically:
- PAM HTML Web SSO: Use this option when the login method that the web portal employs is HTML-based. This method is the most common. As a web page is loaded into the PAM Browser, a JavaScript injection provides the credentials to the web page HTML, then executes the login. This method requires that the administrator "teach" PAM which login page widgets to use: some widgets capture the username and the password, while another widget acts as the login trigger. Examples of web portals that use this method include Dropbox and Google.
- PAM HTTP Web SSO: Use this option when the login method that the web portal employs is the HTTP protocol itself. In this case, PAM encodes the login credentials and inserts them into a header that is appended to each HTTP or HTTPS request. Examples of web portals that use this method include Microsoft SharePoint installations.
- Built-in Auto-Login Methods: Built-in methods are also available for automatic login to the following specific web portals:
- VMware vCloud Director
- VMware vShield Manager
- VMware vSphere Web Client v5. The VMware vSphere Web Client v5 auto-login method is only suitable for vSphere v5. To configure auto login for vSphere Web Client 6.0, see Automatic Login to vSphere Web Client 6.0 Configuration.
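The PAM HTTP Web SSO method above appends a credential header to every request. The following added example, which is not CA PAM code and does not describe how the appliance actually builds its header, shows the mechanism as an engineer would implement it and the scoping check that matters when a header rides on every request: the credential is only attached to HTTPS requests whose host is on the service's Access List (described under Configure a TCP/UDP Auto-Login Service). The choice of HTTP Basic encoding and the host-scoping rule are assumptions; the function names and the sample host are made up for this example.

```python
"""Added example (not CA PAM code): how an HTTP Web SSO proxy could attach an
encoded credential header to requests bound for the target portal.

Assumptions not stated on the page: the header is HTTP Basic
('Authorization: Basic base64(user:password)'), and the header is scoped to
the hosts on the service's Access List and to HTTPS requests.
"""
import base64
from fnmatch import fnmatch
from typing import Iterable, Mapping
from urllib.parse import urlsplit


def basic_auth_header(username: str, password: str) -> str:
    """Encode credentials as an RFC 7617 Basic credential (UTF-8, base64)."""
    if ":" in username:
        # RFC 7617: a colon in the user-id makes the user:password split ambiguous.
        raise ValueError("username must not contain ':'")
    token = base64.b64encode(f"{username}:{password}".encode("utf-8")).decode("ascii")
    return f"Basic {token}"


def host_allowed(url: str, access_list: Iterable[str]) -> bool:
    """True if the URL's host matches an Access List entry ('*' matches every host)."""
    host = (urlsplit(url).hostname or "").lower()
    return any(fnmatch(host, pattern.lower()) for pattern in access_list)


def inject_credentials(request_headers: Mapping[str, str], url: str, username: str,
                       password: str, access_list: Iterable[str]) -> dict:
    """Return a copy of the request headers with the credential header added.

    Because the header would otherwise ride on every request the portal
    triggers, it is added only for HTTPS requests to hosts on the Access
    List; a redirect to a third-party host or a plaintext http:// fetch
    gets no credentials.
    """
    headers = dict(request_headers)
    if urlsplit(url).scheme.lower() == "https" and host_allowed(url, list(access_list)):
        headers["Authorization"] = basic_auth_header(username, password)
    return headers


if __name__ == "__main__":
    # Constructed sample request; the host and credentials are illustrative only.
    out = inject_credentials({"Accept": "text/html"},
                             "https://sharepoint.example.com/sites/hr/",
                             "svc-pam", "S3cret!", ["sharepoint.example.com"])
    print(out["Authorization"])
```

Under this model an Access List of "*" makes every host match, so any site the session is redirected to would receive the encoded credentials; where the portal's hosts are known, list them explicitly rather than using the wildcard.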
Configure a TCP/UDP Auto-Login Service
Create a TCP/UDP auto-login service that is associated with the web portal.
Follow these steps:
- Navigate to Services, Manage TCP/UDP Services.
- Select Add to create a TCP/UDP service.
- For Service Name, specify a unique name that identifies the service, such as the name of the associated web portal.
- For Local IP, specify an unused local IPv4 address for this service. The local IP address is replaced by the address of the target device when the service is launched.
- For Ports, define the ports or port range that the client application opens to gain access to the device. Example: 8000
- For Application Protocol, select Web Portal. More options appear on the right side of the page.
- For Auto-Login Method, select the appropriate method, as described previously:
- PAM HTML Web SSO is best suited to websites that have user name and password entry fields. This method requires administrator configuration using the Learn Tool.
- PAM HTTP Web SSO is best suited to websites that receive user names and passwords programmatically, such as through Windows Authentication. This method does not require using the Learn Tool.
- SAML 2.0 SSO POST requires information about the web portal SAML attributes. See Set Up SAML 2.0 SSO POST for Auto-Login for more information.
- For Launch URL, follow the example URL. To access the URL https://www.forwardinc.com/login.html, replace the target login address (www.forwardinc.com) with the target template <Local IP>:<First Port>. The resulting entry is: https://<Local IP>:<First Port>/login.html
- For Browser Type, select CA PAM Browser to enable session recording.
- For Access List, enter * (an asterisk) as a wildcard. The Access List indicates the URLs that can be accessed in addition to the launch URL. During the auto-login, the launch URL is followed by other URLs that belong to the login response. Therefore, for auto-login to the web portal to work, the Access List must be either "*" or list each host that is allowed access.
- Select OK to save the service.
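The Launch URL rule above (keep the scheme and path, replace the portal's host with <Local IP>:<First Port>) is mechanical enough to script. The following added example is not CA PAM code: it builds the template entry from a portal's real login URL, then expands it with a service's Local IP and the first port of its Ports entry. The same substitution is what the SAML 2.0 SSO POST section applies to the Assertion Consumer Service URL. The placeholder names are the ones the page shows; the function names, the port-range parsing and the validation are this example's own.

```python
"""Added example (not CA PAM code): build the Launch URL entry from a portal's
real login URL, and expand it at launch time. The placeholder names
'<Local IP>' and '<First Port>' are the ones the page shows; the expansion
logic is this example's own.
"""
import ipaddress
from urllib.parse import urlsplit

LOCAL_IP = "<Local IP>"
FIRST_PORT = "<First Port>"


def to_launch_template(login_url: str) -> str:
    """Replace the portal's host (and any port) with <Local IP>:<First Port>.

    Scheme, path, query and fragment are kept, so the portal still receives
    the same login page request once PAM forwards the connection.
    """
    p = urlsplit(login_url)
    if p.scheme not in ("http", "https") or not p.hostname:
        raise ValueError(f"not an absolute http(s) URL: {login_url}")
    rest = p.path or "/"
    if p.query:
        rest += "?" + p.query
    if p.fragment:
        rest += "#" + p.fragment
    return f"{p.scheme}://{LOCAL_IP}:{FIRST_PORT}{rest}"


def first_port(ports: str) -> int:
    """Return the first port of a Ports entry such as '8000', '8000-8010' or '443,8443'."""
    port = int(ports.split(",")[0].split("-")[0].strip())
    if not 1 <= port <= 65535:
        raise ValueError(f"port out of range: {port}")
    return port


def expand_template(template: str, local_ip: str, ports: str) -> str:
    """Substitute the service's Local IP and first port into the template."""
    ipaddress.IPv4Address(local_ip)  # raises ValueError unless it is a valid IPv4 address
    if LOCAL_IP not in template or FIRST_PORT not in template:
        raise ValueError("template lacks the <Local IP>:<First Port> placeholders")
    return template.replace(LOCAL_IP, local_ip).replace(FIRST_PORT, str(first_port(ports)))


if __name__ == "__main__":
    # The page's own example, expanded with a constructed Local IP and port.
    template = to_launch_template("https://www.forwardinc.com/login.html")
    print(template)
    print(expand_template(template, "127.0.0.2", "8000"))
```

Note that a portal whose login URL carries an explicit port (for example https://portal.example.com:8443/login) loses that port in the template; the client connects to the service's first port, and PAM forwards to the device's real port.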
Assign the Auto-Login Service to a Device
Add the newly created service to the device hosting the web portal. The device is then available for a policy. See Device Setup for more information about configuring a device.
Follow these steps:
- Select Devices, Manage Devices.
- Add the target device hosting the web portal.
- Select the Services tab, then select the new TCP/UDP service that you defined.
- Select OK.
Create a Target Application, Target Account, and Policy
Configure a target application and account for the web portal. Completing these tasks enables the storage of credentials. The policy ties the users and the device together to access the web portal automatically.
Follow these steps:
- Select Credentials, Manage Targets, Applications.
- Select Add, then complete the following fields:
- Host Name: Use the magnifying glass Select icon to find and select the host name of the device hosting the web portal. Device Name is automatically populated.
- Application Name: Enter a descriptive application name.
- Application Type: Accept the default, Generic.
- Select OK to save the target application.
- Select Credentials, Manage Targets, Accounts.
- Select Add, then complete the following fields:
- Application Name: Use the magnifying glass Select icon to find and select the application. Host Name is automatically filled.
- Account Name: Enter the name of the account (user name) for logging in to the web portal. For example: admin.
- Password: Enter the password for the account.
- Select OK to save the target account.
- Select Policies, Manage Policies.
- Select Add and set up a policy that associates an existing user or group with the device that hosts the automated login service.
- On the Services tab, select the service that you created.
- In the Target Account column, use the Edit magnifying glass icon to select the account.
- Select OK.
If your target website uses the PAM HTML Web SSO method, you must configure a "learn" procedure to activate the portal for end users.
Set up a Learn Procedure for PAM HTML Web SSO
For target websites that use the PAM HTML Web SSO method, perform a "learn" procedure to activate the portal for end users. An HTML auto-connection portal requires that the HTML field and button widgets be identified. These settings capture a login username and password and activate the browser to submit them for login processing.
Follow these steps to set up the Learn procedure:
- Log in to the PAM UI.
- Go to the Access page. A Web Portal drop-down is now available with two services for this device, for example, MyApp (LEARN) and MyApp.
- The Learn option shows a red X to its left. The administrator uses the Learn option to contact the login address and teach the service to recognize the target widgets. After the setup is successful, the red X changes to a green checkmark. The checkmark indicates that access to the web portal is activated and is ready to use.
- The Login option is for the actual login entry. The administrator must successfully apply the learn mode first for the login service to function.
- Select the Learn option. The learn tool launches the target web portal page, but you cannot log in. The window name in the browser title bar is prefaced with "Learn mode for Web SSO."
- For the service to use widgets for auto-login, teach the service where the widgets are located:
- Right-click in the User Name (or other name identifier) field to open the learning menu.
- Select Mark Accountname Field. The field is populated with the placeholder "accountname".
- Right-click in the Password field and select Mark Password Field. The field is populated with an obfuscated password.
- Hover over the login button, then right-click and select Mark Submit Button.
- For any other widgets that your portal requires, perform the required action for each widget. (There is no right-click menu item to select and there is no feedback, but every action is recorded.) For example, for a portal that has an Authentication Type setting in addition to the three widgets, select "LDAP" for the Authentication Type setting, and select the appropriate configured domain from the list. All these actions are preserved for auto-connection when you save them.
- In the upper-right corner of the browser window, select the Save auto-login template disk icon. The configuration is saved and the browser window closes.
- Repeat the learning process at any time to save new results.
- Return to the Access page. The learning option now has the green checkmark, indicating that the Learn option is complete.
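The learn procedure records where the account-name field, password field and submit button are; at login time a JavaScript injection fills them and triggers the submit. The following added example is not CA PAM code and does not reproduce the appliance's template format or script: it models the learned widgets as CSS selectors (an assumption) and generates the injection script, escaping the credentials as JavaScript string literals so that a password containing quotes or tags cannot break out of the script, and failing loudly if a learned widget is no longer on the page (the case in which the page says to repeat the learn procedure). The selectors, the extra "Authentication Type" widget and the credentials are constructed for the example.

```python
"""Added example (not CA PAM code): turn the widgets recorded by a learn
procedure into the JavaScript that an HTML Web SSO injection would run in
the browser. The template format (CSS selectors per widget) and the
generated script are assumptions; the page only says that the learn tool
records the account-name field, the password field and the submit button.
"""
import json

# Constructed sample of what a learn procedure might record for a portal.
LEARNED_TEMPLATE = {
    "accountname": "input[name='username']",
    "password": "input[name='password']",
    "submit": "button[type='submit']",
    # Extra widgets recorded during learn (no feedback shown), applied in order.
    "extra": [{"selector": "select[name='authType']", "value": "LDAP"}],
}


def _js_string(value: str) -> str:
    """Serialise a value as a JavaScript string literal.

    json.dumps escapes quotes, backslashes and control characters, so a
    credential such as  pa"ss';alert(1)//  cannot break out of the literal
    and run as script. '<' and '>' are escaped too, in case the script is
    ever placed inside an HTML <script> element.
    """
    return json.dumps(value).replace("<", "\\u003c").replace(">", "\\u003e")


def build_login_script(template: dict, username: str, password: str) -> str:
    """Return the injection script for one login attempt.

    The generated fill() throws if a learned widget is missing, so a changed
    login page fails loudly (and should be re-learned) instead of submitting
    a half-filled form.
    """
    calls = [
        f"fill({_js_string(template['accountname'])}, {_js_string(username)});",
        f"fill({_js_string(template['password'])}, {_js_string(password)});",
    ]
    for widget in template.get("extra", []):
        calls.append(f"fill({_js_string(widget['selector'])}, {_js_string(widget['value'])});")
    calls.append(f"find({_js_string(template['submit'])}).click();")
    body = "\n  ".join(calls)
    return (
        "(function () {\n"
        "  function find(sel) {\n"
        "    var el = document.querySelector(sel);\n"
        "    if (!el) { throw new Error('learned widget not found: ' + sel); }\n"
        "    return el;\n"
        "  }\n"
        "  function fill(sel, value) {\n"
        "    var el = find(sel);\n"
        "    el.value = value;\n"
        "    // Frameworks that watch for typing need an input event, not just .value.\n"
        "    el.dispatchEvent(new Event('input', { bubbles: true }));\n"
        "  }\n"
        f"  {body}\n"
        "})();"
    )


if __name__ == "__main__":
    # Constructed credentials; the password deliberately contains characters
    # that would break a naive string concatenation.
    print(build_login_script(LEARNED_TEMPLATE, "admin", 'p"ss</script>'))
```

The order of the generated calls mirrors the learn procedure: account name, password, any extra widgets, then the submit button, which is why the extra widgets are recorded as an ordered list.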
When an end user logs in to the UI, the Access page now has a single access link without the learn-mode option. The user selects that link and is logged on to the target web portal automatically.
Set Up SAML 2.0 SSO POST for Auto-Login
You can set up automatic login to third-party web portals that support SAML SSO, such as Google.com. To configure many of the SAML SSO information fields and attributes for the Web Portal, you must refer to the third-party SAML provider instructions. Ideally, you want to import SAML 2.0 SP metadata from the provider as XML. See How to Configure the Product as an Identity Provider (IdP) for detailed information about setting up SAML authentication, including examples for AWS and Google applications.
See Configure a TCP/UDP Auto-Login Service for instructions on configuring the Basic Info tab of a TCP/UDP service. When you select SAML 2.0 SSO POST as the Auto-Login Method, two further tabs become active.
- On the Basic Info tab, use the web portal Entity ID as the Service Name. This value is often a domain name.
- For the Auto-Login Method, select SAML 2.0 SSO POST. The SAML SSO Info and SAML SSO Attributes tabs become active.
- In the Launch URL field, enter the Assertion Consumer Service (ACS) URL of the RP, rewritten to the PAM web portal URL root. The web portal URL root is https://<Local IP>:<First Port>. For example, if the ACS URL is https://capamAsSp.example.com/samlsp/module.php/saml/sp/saml2-acs.php/capam-default-sp, the resulting Launch URL with a Local IP of 111.12.123.21 and a First Port of 239 is https://111.12.123.21:239/samlsp/module.php/saml/sp/saml2-acs.php/capam-default-sp
- Leave the Route Through checkbox selected. This option directs all traffic through PAM. When this option is not selected, traffic goes directly to the web service from the client workstation, bypassing PAM.
- On the SAML SSO Info tab, enter the following information from the third-party RP:
- SAML Entity ID: This ID is typically a domain name.
- Initiating Party: Select which partner initiates the call.
- SP Initiated (default): The user logs in to the SP/RP first; the SP sends an authentication request to the IdP to obtain the assertion. The returned assertion allows the SP to make a service access decision. (SAML 2.0 only)
- IdP Initiated: The user logs in to the IdP to initiate the connection and to obtain the assertion for a service at an SP.
- Require Signed Authn Requests: This checkbox is selected by default. The SP must sign the authentication request that it sends to the IdP. To verify the signature, specify the supplied PEM signing certificate, gkcert.crt, in the PEM Signing Certificate field.
- Encryption: By default, encryption is not enabled. Select whether PAM encrypts the Name ID or the Assertion, then paste the base64-encoded X.509 encryption certificate in the PEM Encryption Certificate field. In SP metadata the certificate body appears as: <ds:X509Data><ds:X509Certificate>encodedContent</ds:X509Certificate></ds:X509Data>
- On the SAML SSO Attributes tab, select the appropriate SAML SSO Subject Name Identifier Formats for your web portal. If your provider requires an attribute that is not listed, provide the attribute in the Add a new SAML SSO Attribute section. Complete the fields for each entry.
- Name: Specify the attribute name.
- Friendly Name: Assign a name or tag for use by the appliance. If the imported SP metadata does not provide the friendly name, the entry for the Name field is used.
- Required: Select if the SP requires this attribute. You might have to add a SAML mapping on the SAML tab of the Policy configuration.
- Select OK.
- Follow the instructions in Assign the Auto-Login Service to a Device.
- Follow the instructions in Create a Target Application, Target Account, and Policy.
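Most of the values on the SAML SSO Info and SAML SSO Attributes tabs (entity ID, ACS URL, whether authentication requests are signed, the signing and encryption certificates, the Name ID formats, and the requested attributes with their friendly names and Required flags) are present in the SP's SAML 2.0 metadata, which is why the page recommends importing it. The following added example is not CA PAM code and is not how the appliance imports metadata: it parses a constructed SP metadata document with the standard library and returns those fields, keeping only the HTTP-POST Assertion Consumer Service because the service's Auto-Login Method is SAML 2.0 SSO POST. The entity IDs, URLs and certificate bodies in the sample are placeholders.

```python
"""Added example (not CA PAM code): extract the values that the SAML SSO
Info and SAML SSO Attributes tabs ask for from an SP's SAML 2.0 metadata
XML, so they are copied from the provider rather than typed by hand.

The sample metadata below is constructed for this example; entity IDs,
URLs and the certificate bodies are placeholders.
"""
import xml.etree.ElementTree as ET  # use defusedxml for metadata from an untrusted source

NS = {
    "md": "urn:oasis:names:tc:SAML:2.0:metadata",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}
POST_BINDING = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"

SAMPLE_SP_METADATA = """<?xml version="1.0"?>
<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
    entityID="https://capamAsSp.example.com/samlsp">
  <md:SPSSODescriptor AuthnRequestsSigned="true"
      protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="signing">
      <ds:KeyInfo><ds:X509Data><ds:X509Certificate>MIIC...signing...</ds:X509Certificate></ds:X509Data></ds:KeyInfo>
    </md:KeyDescriptor>
    <md:KeyDescriptor use="encryption">
      <ds:KeyInfo><ds:X509Data><ds:X509Certificate>MIIC...encryption...</ds:X509Certificate></ds:X509Data></ds:KeyInfo>
    </md:KeyDescriptor>
    <md:NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress</md:NameIDFormat>
    <md:AssertionConsumerService index="0" isDefault="true"
        Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://capamAsSp.example.com/samlsp/module.php/saml/sp/saml2-acs.php/capam-default-sp"/>
    <md:AssertionConsumerService index="1"
        Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Artifact"
        Location="https://capamAsSp.example.com/samlsp/artifact"/>
    <md:AttributeConsumingService index="0">
      <md:ServiceName xml:lang="en">Example portal</md:ServiceName>
      <md:RequestedAttribute Name="urn:oid:0.9.2342.19200300.100.1.3" FriendlyName="mail" isRequired="true"/>
      <md:RequestedAttribute Name="department" isRequired="false"/>
    </md:AttributeConsumingService>
  </md:SPSSODescriptor>
</md:EntityDescriptor>
"""


def _pem(cert_b64: str) -> str:
    """Wrap a base64 certificate body from metadata as PEM for a certificate field."""
    body = "".join(cert_b64.split())  # metadata often wraps the base64 across lines
    lines = [body[i:i + 64] for i in range(0, len(body), 64)]
    return "-----BEGIN CERTIFICATE-----\n" + "\n".join(lines) + "\n-----END CERTIFICATE-----\n"


def parse_sp_metadata(xml_text: str) -> dict:
    """Return the fields the SAML SSO Info and SAML SSO Attributes tabs require."""
    root = ET.fromstring(xml_text)
    if root.tag != f"{{{NS['md']}}}EntityDescriptor":
        raise ValueError("not a SAML 2.0 EntityDescriptor")
    sp = root.find("md:SPSSODescriptor", NS)
    if sp is None:
        raise ValueError("metadata has no SPSSODescriptor")

    # Only the HTTP-POST binding fits the SAML 2.0 SSO POST auto-login method;
    # prefer the ACS the SP marks as default.
    acs_list = [a for a in sp.findall("md:AssertionConsumerService", NS)
                if a.get("Binding") == POST_BINDING]
    if not acs_list:
        raise ValueError("no HTTP-POST AssertionConsumerService in metadata")
    acs = next((a for a in acs_list if a.get("isDefault") == "true"), acs_list[0])

    certs = {}
    for kd in sp.findall("md:KeyDescriptor", NS):
        cert = kd.find("ds:KeyInfo/ds:X509Data/ds:X509Certificate", NS)
        if cert is not None and cert.text:
            # A KeyDescriptor without a 'use' attribute serves both purposes.
            for use in ([kd.get("use")] if kd.get("use") else ["signing", "encryption"]):
                certs.setdefault(use, _pem(cert.text))

    attrs = [{"name": ra.get("Name"),
              # Friendly Name falls back to Name, as the page says the appliance does.
              "friendly_name": ra.get("FriendlyName") or ra.get("Name"),
              "required": ra.get("isRequired") == "true"}
             for ra in sp.findall("md:AttributeConsumingService/md:RequestedAttribute", NS)]

    return {
        "entity_id": root.get("entityID"),
        "acs_url": acs.get("Location"),
        "require_signed_authn_requests": sp.get("AuthnRequestsSigned") == "true",
        "signing_cert_pem": certs.get("signing"),
        "encryption_cert_pem": certs.get("encryption"),
        "name_id_formats": [n.text.strip() for n in sp.findall("md:NameIDFormat", NS) if n.text],
        "attributes": attrs,
    }
```

The returned acs_url is the value to rewrite to https://<Local IP>:<First Port> for the Launch URL, and name_id_formats lists the Subject Name Identifier Formats the SP accepts. Metadata fetched from a third party should be parsed with defusedxml rather than the standard parser, and its signature verified if the provider signs it.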
Automatic Login to vSphere Web Client 6.0 Configuration
To configure automatic login to vSphere Web Client 6.0, use the following settings when completing the previous procedures:
- Port: 443
- Auto-Login Method: PAM HTTP Web SSO
- Launch URL: https://<Local IP>:<First Port>/vsphere-client
- Address: Specify the vSphere server domain name. An IP address does not work. Example: vcenter.north.afc.nfl.local