«

»

Jun 03

OWA 2010 Form Based SSO

  1. I’ve been asked about this a few times recently so thought it worth a post.

As of version 10.69.4.nc NetScaler Gateway and AAA features support OWA 2010

In order to provide SSO when authentication on OWA is form based additional configuration is required.

Create a formSSOAction, this provide the NetScaler with the following information:
  • The page in which to complete the Form based SSO (/owa/auth.owa)
  • The field names to pass the username and password values to (username and password)
  • The cookie that deals with authentication for OWA (cadata)
  • The method in which to submit form data (post)

 

 

add vpn formSSOAction SSOPro_OWA -actionURL “/owa/auth.owa” -userField username -passwdField password -ssoSuccessRule “http.RES.SET_COOKIE.COOKIE(“cadata”).VALUE(“cadata”).LENGTH.GT(70)” -responsesize 15000 -submitMethod POST
 
Create a VPN traffic action that specifies SSO as well as the name of the formSSOAction created above.
 
add vpn trafficAction TrafAct_OWA HTTP -appTimeout 1 -SSO ON -formSSOAction SSOPro_OWA
 
add a VPN traffic Policy to specify at when this traffic action should be applied
 
add vpn trafficPolicy TrafPol_OWA “HTTP.REQ.URL.CONTAINS(“owa/auth/logon.aspx”)” TrafAct_OWA
 
bind this traffic action globally so as to apply to all NetScaler Gateway Vservers (alternatively this could be bound specifically to a single VPN VServer if more then one version of OWA was to be supported from an appliance)
 
bind vpn global -policyName TrafPol_OWA -priority 100
or
bind vpn vserver VSERVERNAME -policyName TrafPol_OWA -priority 1000
 
The PBack cookie value is usually set to zero when the user manually selects submit in OWA so a rewrite action is created to simulate this
add rewrite action set_pback_cookie insert_after “http.REQ.COOKIE.VALUE(“OutlookSession”)” “”;PBack=0″” -bypassSafetyCheck YES
 
A policy is created to specify when this rewrite policy should apply
 
add rewrite policy set_pback_cookie “http.REQ.URL.CONTAINS(“logon.aspx”)” set_pback_cookie
 
This is then bound globally as it should not effect other versions of OWA operating
 
bind rewrite global set_pback_cookie 100 END -type REQ_DEFAULT
 
 

3 comments

  1. Rosario

    I need to pass dynamically the original parameters flags and trusted as users can select on the original logon.aspx page. To do so I have rewritten and merged the original logon.aspx page with the tmindex.html page used on NetScaler. Everything works pretty well. If I put action=”https://myServer.myDomain/showRequest.php” into the FORM, I get also the parameters the users chooses. But if I let the call go through NetScaler’s /cgi/login the parameters are either overridden with the -nameValuePair “flags=4&trusted=4” you can set in the Form SSO Profiles. Despite choosing EXTRACTION = DYNAMIC, the parameters are simply overridden and not really taken from the FORM.

    Any suggestion? Thanks a lot Rosario

  2. Rosario

    Edit: I found a good way to implement parameter passing based on the client IP or other criteria here:

    http://www.jeffsani.com/downloads/owa_attachment_config.txt

    But I want our users also to be able to choose the light or full GUI version of OWA

  3. fadi zayoun

    Hello Sir ,

    appreciate if some one can help me !
    I am trying to configure an LDAP authentication through netscaler in order to get a SSO to OWA 2013.
    noting that i have also create a SSO session policy bounded to a AAA server with LDAP authentication .

    after that i Have create a rewrite and TM policy same as describe in this link : http://support.citrix.com/article/CTX134724
    but unfortunately i am not able to have a direct SSO 🙁

    any idea ??
    thanks

Leave a Reply

Your email address will not be published. Required fields are marked *

AlphaOmega Captcha Classica  –  Enter Security Code
     
 

You may use these HTML tags and attributes: <a href="" title=""> <abbr title=""> <acronym title=""> <b> <blockquote cite=""> <cite> <code> <del datetime=""> <em> <i> <q cite=""> <s> <strike> <strong>