Hi

We have a requirement where there are multiple applications built on certain legacy Java frameworks and take care of the authentication and authorization themselves.

We want to integrate those applications with ISVA but unfortunately those applications can't afford a bare minimal customization as this point.Hence the only possible way that we are looking at is to have ISVA fill up the form for them on behalf of the user through Forms-Single-Sign-On a.k.a FSSO.

Questions:-

1.Can we have ISVA authenticate the user's credentials through normal Forms based authentication and then provide the same credentials to fill up the FSSO form?

2.If the above point is feasible,can we enable MFA,CAPTCHA to be handled on ISVA before FSSO kicks-in?

As I type,I sense a customized GSO is probably a way.I am looking for some direction here.

Thanks

Aditya

Hi

We have a requirement where there are multiple applications built on certain legacy Java frameworks and take care of the authentication and authorization themselves.

We want to integrate those applications with ISVA but unfortunately those applications can't afford a bare minimal customization as this point.Hence the only possible way that we are looking at is to have ISVA fill up the form for them on behalf of the user through Forms-Single-Sign-On a.k.a FSSO.

Questions:-

1.Can we have ISVA authenticate the user's credentials through normal Forms based authentication and then provide the same credentials to fill up the FSSO form?

2.If the above point is feasible,can we enable MFA,CAPTCHA to be handled on ISVA before FSSO kicks-in?

As I type,I sense a customized GSO is probably a way.I am looking for some direction here.

Thanks

Aditya

Thanks much Scott for your response.

We use ISAM lite and when I see the documentation,it says GSO is not supported.

So I am back to square one.

I am trying to understand the internal mechanics when ISAM leverages FSSO in the scenarios when ISAM is integrated with AD and when ISAM lite uses AD.

1. ISAM integrated with AD(normal integration NOT lite)

a. Does ISAM obtain the userPassword from AD to fill a form in FSSO even if it is encrypted in AD?

2.ISAM lite

a.Can the userPassword from AD still be obtained from AD to fill a form in FSSO?

Thanks

Aditya

Hi

We have a requirement where there are multiple applications built on certain legacy Java frameworks and take care of the authentication and authorization themselves.

We want to integrate those applications with ISVA but unfortunately those applications can't afford a bare minimal customization as this point.Hence the only possible way that we are looking at is to have ISVA fill up the form for them on behalf of the user through Forms-Single-Sign-On a.k.a FSSO.

Questions:-

1.Can we have ISVA authenticate the user's credentials through normal Forms based authentication and then provide the same credentials to fill up the FSSO form?

2.If the above point is feasible,can we enable MFA,CAPTCHA to be handled on ISVA before FSSO kicks-in?

As I type,I sense a customized GSO is probably a way.I am looking for some direction here.

Thanks

Aditya

Thanks much Scott for your response.

We use ISAM lite and when I see the documentation,it says GSO is not supported.

So I am back to square one.

I am trying to understand the internal mechanics when ISAM leverages FSSO in the scenarios when ISAM is integrated with AD and when ISAM lite uses AD.

1. ISAM integrated with AD(normal integration NOT lite)

a. Does ISAM obtain the userPassword from AD to fill a form in FSSO even if it is encrypted in AD?

2.ISAM lite

a.Can the userPassword from AD still be obtained from AD to fill a form in FSSO?

Thanks

Aditya

Hi

We have a requirement where there are multiple applications built on certain legacy Java frameworks and take care of the authentication and authorization themselves.

We want to integrate those applications with ISVA but unfortunately those applications can't afford a bare minimal customization as this point.Hence the only possible way that we are looking at is to have ISVA fill up the form for them on behalf of the user through Forms-Single-Sign-On a.k.a FSSO.

Questions:-

1.Can we have ISVA authenticate the user's credentials through normal Forms based authentication and then provide the same credentials to fill up the FSSO form?

2.If the above point is feasible,can we enable MFA,CAPTCHA to be handled on ISVA before FSSO kicks-in?

As I type,I sense a customized GSO is probably a way.I am looking for some direction here.

Thanks

Aditya

Hi Scott

Here's the link.

https://www.ibm.com/docs/en/sva/9.0.2?topic=registries-configuring-runtime-authenticate-basic-users

Thanks

Aditya

Thanks much Scott for your response.

We use ISAM lite and when I see the documentation,it says GSO is not supported.

So I am back to square one.

I am trying to understand the internal mechanics when ISAM leverages FSSO in the scenarios when ISAM is integrated with AD and when ISAM lite uses AD.

1. ISAM integrated with AD(normal integration NOT lite)

a. Does ISAM obtain the userPassword from AD to fill a form in FSSO even if it is encrypted in AD?

2.ISAM lite

a.Can the userPassword from AD still be obtained from AD to fill a form in FSSO?

Thanks

Aditya

Hi

We have a requirement where there are multiple applications built on certain legacy Java frameworks and take care of the authentication and authorization themselves.

We want to integrate those applications with ISVA but unfortunately those applications can't afford a bare minimal customization as this point.Hence the only possible way that we are looking at is to have ISVA fill up the form for them on behalf of the user through Forms-Single-Sign-On a.k.a FSSO.

Questions:-

1.Can we have ISVA authenticate the user's credentials through normal Forms based authentication and then provide the same credentials to fill up the FSSO form?

2.If the above point is feasible,can we enable MFA,CAPTCHA to be handled on ISVA before FSSO kicks-in?

As I type,I sense a customized GSO is probably a way.I am looking for some direction here.

Thanks

Aditya

Hi Scott

Here's the link.

https://www.ibm.com/docs/en/sva/9.0.2?topic=registries-configuring-runtime-authenticate-basic-users

Thanks

Aditya

Thanks much Scott for your response.

We use ISAM lite and when I see the documentation,it says GSO is not supported.

So I am back to square one.

I am trying to understand the internal mechanics when ISAM leverages FSSO in the scenarios when ISAM is integrated with AD and when ISAM lite uses AD.

1. ISAM integrated with AD(normal integration NOT lite)

a. Does ISAM obtain the userPassword from AD to fill a form in FSSO even if it is encrypted in AD?

2.ISAM lite

a.Can the userPassword from AD still be obtained from AD to fill a form in FSSO?

Thanks

Aditya

Hi

We have a requirement where there are multiple applications built on certain legacy Java frameworks and take care of the authentication and authorization themselves.

We want to integrate those applications with ISVA but unfortunately those applications can't afford a bare minimal customization as this point.Hence the only possible way that we are looking at is to have ISVA fill up the form for them on behalf of the user through Forms-Single-Sign-On a.k.a FSSO.

Questions:-

1.Can we have ISVA authenticate the user's credentials through normal Forms based authentication and then provide the same credentials to fill up the FSSO form?

2.If the above point is feasible,can we enable MFA,CAPTCHA to be handled on ISVA before FSSO kicks-in?

As I type,I sense a customized GSO is probably a way.I am looking for some direction here.

Thanks

Aditya

Thanks Scott.

The user passwords are stored only in AD,so we wouldn't be invoking a GSO webservice.

1. User accesses a WebSeal URL.
2. WebSeal authenticates the user against AD.
3. WebSeal redirects the user based on the URL to the respective legacy application specific junction
4. The legacy application throws the login page again.As mentioned in the post,these are legacy applications and due to certain reasons can't be tweaked to make SSO work.And this is where I felt a Forms-Single-Sign-On would work.
5. If FSSO works,then the application's login page is populated by WebSeal with the uid/pwd of the user and the application again does the authentication against AD.This is a bit weird because while it appears as SSO to the end user,the user is actually authenticated against the same AD due to the reason mentioned above.

Thanks

Aditya

Hi Scott

Here's the link.

https://www.ibm.com/docs/en/sva/9.0.2?topic=registries-configuring-runtime-authenticate-basic-users

Thanks

Aditya

Thanks much Scott for your response.

We use ISAM lite and when I see the documentation,it says GSO is not supported.

So I am back to square one.

I am trying to understand the internal mechanics when ISAM leverages FSSO in the scenarios when ISAM is integrated with AD and when ISAM lite uses AD.

1. ISAM integrated with AD(normal integration NOT lite)

a. Does ISAM obtain the userPassword from AD to fill a form in FSSO even if it is encrypted in AD?

2.ISAM lite

a.Can the userPassword from AD still be obtained from AD to fill a form in FSSO?

Thanks

Aditya

Hi

We have a requirement where there are multiple applications built on certain legacy Java frameworks and take care of the authentication and authorization themselves.

We want to integrate those applications with ISVA but unfortunately those applications can't afford a bare minimal customization as this point.Hence the only possible way that we are looking at is to have ISVA fill up the form for them on behalf of the user through Forms-Single-Sign-On a.k.a FSSO.

Questions:-

1.Can we have ISVA authenticate the user's credentials through normal Forms based authentication and then provide the same credentials to fill up the FSSO form?

2.If the above point is feasible,can we enable MFA,CAPTCHA to be handled on ISVA before FSSO kicks-in?

As I type,I sense a customized GSO is probably a way.I am looking for some direction here.

Thanks

Aditya

Thanks Scott.

The user passwords are stored only in AD,so we wouldn't be invoking a GSO webservice.

1. User accesses a WebSeal URL.
2. WebSeal authenticates the user against AD.
3. WebSeal redirects the user based on the URL to the respective legacy application specific junction
4. The legacy application throws the login page again.As mentioned in the post,these are legacy applications and due to certain reasons can't be tweaked to make SSO work.And this is where I felt a Forms-Single-Sign-On would work.
5. If FSSO works,then the application's login page is populated by WebSeal with the uid/pwd of the user and the application again does the authentication against AD.This is a bit weird because while it appears as SSO to the end user,the user is actually authenticated against the same AD due to the reason mentioned above.

Thanks

Aditya

Hi Scott

Here's the link.

https://www.ibm.com/docs/en/sva/9.0.2?topic=registries-configuring-runtime-authenticate-basic-users

Thanks

Aditya

Thanks much Scott for your response.

We use ISAM lite and when I see the documentation,it says GSO is not supported.

So I am back to square one.

I am trying to understand the internal mechanics when ISAM leverages FSSO in the scenarios when ISAM is integrated with AD and when ISAM lite uses AD.

1. ISAM integrated with AD(normal integration NOT lite)

a. Does ISAM obtain the userPassword from AD to fill a form in FSSO even if it is encrypted in AD?

2.ISAM lite

a.Can the userPassword from AD still be obtained from AD to fill a form in FSSO?

Thanks

Aditya

Hi

We have a requirement where there are multiple applications built on certain legacy Java frameworks and take care of the authentication and authorization themselves.

We want to integrate those applications with ISVA but unfortunately those applications can't afford a bare minimal customization as this point.Hence the only possible way that we are looking at is to have ISVA fill up the form for them on behalf of the user through Forms-Single-Sign-On a.k.a FSSO.

Questions:-

1.Can we have ISVA authenticate the user's credentials through normal Forms based authentication and then provide the same credentials to fill up the FSSO form?

2.If the above point is feasible,can we enable MFA,CAPTCHA to be handled on ISVA before FSSO kicks-in?

As I type,I sense a customized GSO is probably a way.I am looking for some direction here.

Thanks

Aditya

Thanks Scott.

The user passwords are stored only in AD,so we wouldn't be invoking a GSO webservice.

1. User accesses a WebSeal URL.
2. WebSeal authenticates the user against AD.
3. WebSeal redirects the user based on the URL to the respective legacy application specific junction
4. The legacy application throws the login page again.As mentioned in the post,these are legacy applications and due to certain reasons can't be tweaked to make SSO work.And this is where I felt a Forms-Single-Sign-On would work.
5. If FSSO works,then the application's login page is populated by WebSeal with the uid/pwd of the user and the application again does the authentication against AD.This is a bit weird because while it appears as SSO to the end user,the user is actually authenticated against the same AD due to the reason mentioned above.

Thanks

Aditya

Hi Scott

Here's the link.

https://www.ibm.com/docs/en/sva/9.0.2?topic=registries-configuring-runtime-authenticate-basic-users

Thanks

Aditya

Thanks much Scott for your response.

We use ISAM lite and when I see the documentation,it says GSO is not supported.

So I am back to square one.

I am trying to understand the internal mechanics when ISAM leverages FSSO in the scenarios when ISAM is integrated with AD and when ISAM lite uses AD.

1. ISAM integrated with AD(normal integration NOT lite)

a. Does ISAM obtain the userPassword from AD to fill a form in FSSO even if it is encrypted in AD?

2.ISAM lite

a.Can the userPassword from AD still be obtained from AD to fill a form in FSSO?

Thanks

Aditya

Hi

We have a requirement where there are multiple applications built on certain legacy Java frameworks and take care of the authentication and authorization themselves.

We want to integrate those applications with ISVA but unfortunately those applications can't afford a bare minimal customization as this point.Hence the only possible way that we are looking at is to have ISVA fill up the form for them on behalf of the user through Forms-Single-Sign-On a.k.a FSSO.

Questions:-

1.Can we have ISVA authenticate the user's credentials through normal Forms based authentication and then provide the same credentials to fill up the FSSO form?

2.If the above point is feasible,can we enable MFA,CAPTCHA to be handled on ISVA before FSSO kicks-in?

As I type,I sense a customized GSO is probably a way.I am looking for some direction here.

Thanks

Aditya

Another option would be using AAC or your own EAI to code an interceptor - similar to what Scot mentioned - but use the PW to directly authenticate the user with the app and establish the WebSEAL session via EAI

Thanks Scott.

The user passwords are stored only in AD,so we wouldn't be invoking a GSO webservice.

1. User accesses a WebSeal URL.
2. WebSeal authenticates the user against AD.
3. WebSeal redirects the user based on the URL to the respective legacy application specific junction
4. The legacy application throws the login page again.As mentioned in the post,these are legacy applications and due to certain reasons can't be tweaked to make SSO work.And this is where I felt a Forms-Single-Sign-On would work.
5. If FSSO works,then the application's login page is populated by WebSeal with the uid/pwd of the user and the application again does the authentication against AD.This is a bit weird because while it appears as SSO to the end user,the user is actually authenticated against the same AD due to the reason mentioned above.

Thanks

Aditya

Hi Scott

Here's the link.

https://www.ibm.com/docs/en/sva/9.0.2?topic=registries-configuring-runtime-authenticate-basic-users

Thanks

Aditya

Thanks much Scott for your response.

We use ISAM lite and when I see the documentation,it says GSO is not supported.

So I am back to square one.

I am trying to understand the internal mechanics when ISAM leverages FSSO in the scenarios when ISAM is integrated with AD and when ISAM lite uses AD.

1. ISAM integrated with AD(normal integration NOT lite)

a. Does ISAM obtain the userPassword from AD to fill a form in FSSO even if it is encrypted in AD?

2.ISAM lite

a.Can the userPassword from AD still be obtained from AD to fill a form in FSSO?

Thanks

Aditya

Hi

We have a requirement where there are multiple applications built on certain legacy Java frameworks and take care of the authentication and authorization themselves.

We want to integrate those applications with ISVA but unfortunately those applications can't afford a bare minimal customization as this point.Hence the only possible way that we are looking at is to have ISVA fill up the form for them on behalf of the user through Forms-Single-Sign-On a.k.a FSSO.

Questions:-

1.Can we have ISVA authenticate the user's credentials through normal Forms based authentication and then provide the same credentials to fill up the FSSO form?

2.If the above point is feasible,can we enable MFA,CAPTCHA to be handled on ISVA before FSSO kicks-in?

As I type,I sense a customized GSO is probably a way.I am looking for some direction here.

Thanks

Aditya

It might be worth mentioning that AAC has an inbuilt credential storage mechanism, for 'basic user' use cases, and additionally ISVA RP can be configured to 'learn credentials' on first use with a Forms SSO use case. 

So a user might be presented with the application login form on first access, and then save them for subsequent replay down the road. 

https://www.ibm.com/docs/en/sva/10.0.6?topic=administration-configuring-password-vault

Another option would be using AAC or your own EAI to code an interceptor - similar to what Scot mentioned - but use the PW to directly authenticate the user with the app and establish the WebSEAL session via EAI

Thanks Scott.

The user passwords are stored only in AD,so we wouldn't be invoking a GSO webservice.

1. User accesses a WebSeal URL.
2. WebSeal authenticates the user against AD.
3. WebSeal redirects the user based on the URL to the respective legacy application specific junction
4. The legacy application throws the login page again.As mentioned in the post,these are legacy applications and due to certain reasons can't be tweaked to make SSO work.And this is where I felt a Forms-Single-Sign-On would work.
5. If FSSO works,then the application's login page is populated by WebSeal with the uid/pwd of the user and the application again does the authentication against AD.This is a bit weird because while it appears as SSO to the end user,the user is actually authenticated against the same AD due to the reason mentioned above.

Thanks

Aditya

Hi Scott

Here's the link.

https://www.ibm.com/docs/en/sva/9.0.2?topic=registries-configuring-runtime-authenticate-basic-users

Thanks

Aditya

Thanks much Scott for your response.

We use ISAM lite and when I see the documentation,it says GSO is not supported.

So I am back to square one.

I am trying to understand the internal mechanics when ISAM leverages FSSO in the scenarios when ISAM is integrated with AD and when ISAM lite uses AD.

1. ISAM integrated with AD(normal integration NOT lite)

a. Does ISAM obtain the userPassword from AD to fill a form in FSSO even if it is encrypted in AD?

2.ISAM lite

a.Can the userPassword from AD still be obtained from AD to fill a form in FSSO?

Thanks

Aditya

Hi

We have a requirement where there are multiple applications built on certain legacy Java frameworks and take care of the authentication and authorization themselves.

We want to integrate those applications with ISVA but unfortunately those applications can't afford a bare minimal customization as this point.Hence the only possible way that we are looking at is to have ISVA fill up the form for them on behalf of the user through Forms-Single-Sign-On a.k.a FSSO.

Questions:-

1.Can we have ISVA authenticate the user's credentials through normal Forms based authentication and then provide the same credentials to fill up the FSSO form?

2.If the above point is feasible,can we enable MFA,CAPTCHA to be handled on ISVA before FSSO kicks-in?

As I type,I sense a customized GSO is probably a way.I am looking for some direction here.

Thanks

Aditya