Web App - Form based SSO does not work


Posted

Trying to do Form based SSO towards a Web app that is running form based authentication.

I have an LB vServer that does SSL offload of the web server (Port 80 to backend and SSL frontend on NS), accessed via a Content Switch.

I have an AAA vServer in Form based mode that is attached to the LB vServer together with the traffic policy.

When logging in to the AAA login page, I am being presented with the form based auth and not SSOed to the site.

Running "nsconmsg -g sso_ -d current" shows:

svpn_tot_sso_cache_miss
svpn_tot_sso_formextraction_failed
svpn_tot_sso_form_fields_notfound
 

The ns.log shows:

SSLVPN Message 3801 0 :  "FORMSSO: Could not find form in the response buffer of size 10 "
 
What I don't understand is why the ns.log states the above buffer size of 10, because the response buffer size in the Form SSO Profile is set to 14202.

I have done Wireshark traces, Fiddler traces etc. to find the correct Action URL and other fields required.

Finding the form fields was a bit tricky, as the form data was hidden. After decoding this, I think I found the correct fields for the form SSO profile.

Any ideas?

Running NS 11.0 build 63.16nc
  • 2 weeks later...
Posted

Niclas - regarding :  "FORMSSO: Could not find form in the response buffer of size 10 "

I suspect the trafficPolicy expression configured might be 'too general' and NS is trying to parse other responses from the backend which match your policy expression and which do not necessarily carry the login form.

Posted

So how to proceed in order to accomplish form based SSO? :)

After making the action URL more specific in the form based SSO profile, I see the following:

In ns.log:

0 :  "FORMSSO: Username 0x0 and/or Password 0x0 not found after matching url"
Oct 30 07:36:26 <local0.warn> 127.0.0.2 10/30/2015:06:36:26 GMT ns 0-PPE-0 : default SSLVPN Message 49224 0 :  "FORMSSO: Could not find form in the response buffer of size 14202 "
 

In nsconmsg:

 

 Index   rtime totalcount-val      delta rate/sec symbol-name&device-no

      0   14005           8832          1        0 svpn_tot_sso_cache_miss
      1       0           8815          2        0 svpn_tot_sso_no_triggers
      2       0              2          1        0 svpn_tot_sso_formextraction_failed
      3       0              2          1        0 svpn_tot_sso_form_fields_notfound
 
 
 
For me it looks here like the user name and password field can't be fetched from the form SSO profile, as the values might be incorrect, but how could I troubleshoot this further?

The user name and password field I extracted from the ViewState encoded string in the form when browsing to the web site in developer mode. These fields are part of the AspNetHidden ViewState in the form post.
Posted
Now I only get this: "FORMSSO: Could not find form in the response buffer of size 5395 "

Trying to find the correct response size / content-length of the form data, but no luck so far..... Looking in the Wireshark traces, Web debugger etc., no matter what I change the response size to, the above error appears in the ns.log, and sso form extraction failed in the nsconmsg log.

And my traffic policy is getting hit.

 

:huh:

  • 3 years later...
Posted

Hi, I understand this post is old. I ran into the same issue. Fortunately, I was able to get it working.

The WebApp I worked on is using heavy JS with AJAX calls. The Dynamic Extraction of the NetScaler form SSO profile was unable to discover all the form fields, hence failed the POST submission.

I looked closely at the form fields that were submitted in Chrome developer view and mimicked the POST with Extraction set to static and added the form fields that contained values under "Name Value Pair" and was successful. I think this is a better way of doing the SSO as it saves some cycles on NetScaler to discover the form fields and has no dependency on the response size value any more :)

The screenshot below has response size set to 15, can be anything.


Chrome developer view POST. My WebApp only cared about the highlighted static field which was submitted as Name Value Pair in the Form SSO profile.

 


Note: This might not work in all cases, e.g. when form fields contain dynamic values. Happy profiling...
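
The field check that the last reply did by hand in Chrome's developer view, as an added example that is not part of the original thread: it compares two fetches of a login page and sorts the form's inputs into credential fields, static name-value pairs and fields whose value changes per fetch, and reports how many bytes of the response have to be parsed to reach the end of the form. The sample page, its field names and all function names are constructed for illustration, and the code assumes the form can only be extracted if it ends within the configured response size.

```python
import re
from html.parser import HTMLParser

class FormScanner(HTMLParser):
    """Collect every <form> in a response body with its action and named inputs."""
    def __init__(self):
        super().__init__()
        self.forms, self._cur = [], None
    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "form":
            self._cur = {"action": a.get("action") or "", "fields": {}}
            self.forms.append(self._cur)
        elif tag == "input" and self._cur is not None and a.get("name"):
            self._cur["fields"][a["name"]] = ((a.get("type") or "text").lower(), a.get("value") or "")
    def handle_endtag(self, tag):
        if tag == "form":
            self._cur = None

def login_form(body: bytes):
    """Return the first form that contains a password input, or None."""
    scanner = FormScanner()
    scanner.feed(body.decode("utf-8", "replace"))
    return next((f for f in scanner.forms if "password" in [k for k, _ in f["fields"].values()]), None)

def classify(first: bytes, second: bytes):
    """Split the login form's fields into credential, static and dynamic names."""
    a, b = login_form(first), login_form(second)
    if a is None or b is None:
        return None  # no login form in the markup, e.g. it is built by script
    out = {"action": a["action"], "credential": [], "static": {}, "dynamic": []}
    for name, (kind, value) in a["fields"].items():
        if kind in ("text", "email", "password"):
            out["credential"].append(name)       # filled in by the SSO profile
        elif b["fields"].get(name, ("", None))[1] == value:
            out["static"][name] = value          # candidate static name-value pair
        else:
            out["dynamic"].append(name)          # changes per fetch: static replay will not fit
    return out

def bytes_to_form_end(body: bytes):
    """Offset just past the </form> that closes the login form, or -1 (assumed lower bound for response size)."""
    m = re.search(rb"<input[^>]*type=[\"']?password.*?</form\s*>", body, re.I | re.S)
    return m.end() if m else -1

# Constructed sample: two fetches of a hypothetical login page.
PAGE = b"""<html><body><form action="/login.aspx" method="post">
<input type="hidden" name="__VIEWSTATE" value="%s" /><input type="hidden" name="clientType" value="web" />
<input type="text" name="txtUser" /><input type="password" name="txtPass" /></form></body></html>"""
FETCH_1, FETCH_2 = PAGE % b"AAAA1111", PAGE % b"BBBB2222"
```

A `None` result from `classify` means the markup carries no form with a password input, which is the script-built case where there is nothing in the response for dynamic extraction to find.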
