Sun and Microsoft Interoperate for Web Authentication, Part 3: Sun ...
Posted by ~Ray @ 2007-10-28 11:42:06
Microsoft Outlook Web Access is a Microsoft Exchange Active Server application that enables users to access their e-mail accounts on Microsoft Exchange Server 2003 and to view their Inbox from any Web browser. In addition, users can look up their Exchange Server public folders and Address Books on the Web.
In Part 1 you saw how to extend authentication in Sun Java System Access Manager (henceforth, Access Manager) with Policy Agents. In Part 2 you learned how to integrate Microsoft SharePoint Portal Server with Access Manager for SSO.
Part 3 continues the integration story for SSO, this time with Microsoft Outlook Web Access (henceforth, OWA) and Access Manager. Afterward, once users have authenticated with Access Manager, they can perform e-mail tasks in their Inbox in OWA without having to log in again.
In an OWA deployment you can configure, in the Microsoft Internet Information Services (IIS) Administration Console, any authentication mechanism supported by IIS. The authentication choices are Basic, Digest, Windows Integrated, and Anonymous. The current OWA Agent supports Basic authentication only. For tighter security, configure Basic authentication with Secure Sockets Layer (SSL), since Basic authentication itself sends the password in clear text. Basic authentication is supported by most Web browsers.
Figure 1 shows the Authentication Methods dialog box in the IIS Administration Console. Just select "Basic authentication (password is sent in clear text)" and click OK.
The OWA Agent enables SSO for OWA with all the applications configured in Access Manager. When a user accesses OWA, its Agent displays an Access Manager login screen. Once authenticated, the user can access all the applications that are secured by Access Manager.
To deploy the OWA Agent, first configure a post-authentication plug-in with Access Manager (see the next section). An encryption key is shared between Access Manager and the OWA Agent.
When an access request arrives at the OWA application through IIS, the OWA Agent intercepts the request and redirects it to Access Manager for authentication.
After the user authenticates, the post-authentication plug-in encrypts the password with the shared key and stores the encrypted data in the Access Manager session, whose ID is then set in a special cookie in the form of an SSO Token ID.
The Policy Agent retrieves the encrypted password from the SSO Token and decrypts the information with the shared key. That way the Policy Agent has in its possession the original credentials, which it then encodes according to the Base64 encoding method and places in the Basic Authentication HTTP header of the original HTTP request.
Now that the HTTP request has a valid Basic Authentication HTTP header, IIS does not prompt for authentication. Subsequently, the user is allowed access to the requested resource.
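The flow just described, as an added example in Go. This is not code from the article or from the Access Manager or OWA Agent products: a post-authentication step encrypts the password under the shared key and stores only the ciphertext in a session keyed by the SSO token, and an agent step reads the token cookie, decrypts the password and sets the Basic Authorization header that IIS expects. The cookie name, the AES-GCM cipher (the article's DESGenKey utility produces a DES key), the sample key and the sample credentials are constructed assumptions of this example.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"encoding/base64"
	"encoding/hex"
	"errors"
	"fmt"
	"net/http"
)

// Constructed 32-byte shared key for this example. In the article the key comes
// from DESGenKey and is shared out of band; AES-GCM is this example's assumption.
var sharedKey, _ = hex.DecodeString(
	"000102030405060708090a0b0c0d0e0f101112131415161718191a1b1c1d1e1f")

// ssoCookieName stands in for the Access Manager SSO token cookie (name assumed).
const ssoCookieName = "SSOToken"

// session models the server-side Access Manager session: the user name and the
// password in encrypted form only.
type session struct {
	user        string
	encryptedPw []byte
}

// sessionStore models the Access Manager session table, keyed by SSO token ID.
var sessionStore = map[string]*session{}

func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// seal encrypts plaintext under key with AES-GCM; the random nonce is prepended.
func seal(key, plaintext []byte) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return gcm.Seal(nonce, nonce, plaintext, nil), nil
}

// unseal reverses seal and fails on a tampered or truncated ciphertext.
func unseal(key, data []byte) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	n := gcm.NonceSize()
	if len(data) < n {
		return nil, errors.New("ciphertext too short")
	}
	return gcm.Open(nil, data[:n], data[n:], nil)
}

// postAuthenticate is the post-authentication plug-in step: after Access Manager
// has verified the credentials, encrypt the password with the shared key, keep it
// in the session and return the token ID that goes into the SSO cookie.
func postAuthenticate(user, password string) (string, error) {
	enc, err := seal(sharedKey, []byte(password))
	if err != nil {
		return "", err
	}
	id := make([]byte, 16)
	if _, err := rand.Read(id); err != nil {
		return "", err
	}
	token := base64.RawURLEncoding.EncodeToString(id)
	sessionStore[token] = &session{user: user, encryptedPw: enc}
	return token, nil
}

// agentAuthorize is the OWA Agent step: read the SSO token cookie, look up the
// session, decrypt the password and set the Basic Authorization header that IIS
// accepts. The header value is returned so it can be inspected.
func agentAuthorize(req *http.Request) (string, error) {
	c, err := req.Cookie(ssoCookieName)
	if err != nil {
		return "", errors.New("no SSO token: redirect to the Access Manager login")
	}
	s, ok := sessionStore[c.Value]
	if !ok {
		return "", errors.New("unknown or expired session")
	}
	pw, err := unseal(sharedKey, s.encryptedPw)
	if err != nil {
		return "", err
	}
	header := "Basic " + base64.StdEncoding.EncodeToString([]byte(s.user+":"+string(pw)))
	req.Header.Set("Authorization", header)
	return header, nil
}

func main() {
	token, _ := postAuthenticate("alice", "s3cret") // constructed sample credentials
	req, _ := http.NewRequest("GET", "https://owa.example.test/exchange/", nil)
	req.AddCookie(&http.Cookie{Name: ssoCookieName, Value: token})
	fmt.Println(agentAuthorize(req))
}
```

Two properties are worth checking when reviewing such an agent: the session holds only the encrypted form of the password, and a request without a token is refused and sent to the Access Manager login rather than passed through to IIS.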
You must synchronize the user passwords in the Access Manager data store with those of OWA for Exchange Server. If the OWA user accounts are stored in Active Directory, you can configure Access Manager to use the same Active Directory as its data store and avoid having to synchronize passwords between two different LDAP servers.
Configuring Access Manager
Important: Be sure to install Java 2 Platform, Standard Edition (J2SE platform) 1.4 or a later version.
Included in Access Manager 7.0 Patch 5 onward and in Access Manager 7.1 are
Generate the shared encryption key with the DESGenKey utility:
# java -classpath /opt/SUNWam/lib/am_services.jar:/opt/SUNWam/lib/am_sdk.jar:/opt/SUNWam/lib/servlet.jar com.sun.identity.common.DESGenKey
Access Manager generates and outputs the key, for example:
Create a new virtual server (a different Web site) in the IIS Administration Console and a corresponding application pool in a new folder called
Enable the site to run scripts and executables: Open the site's Properties dialog box, click the Home Directory tab, and under "Application settings," select Scripts and Executables from the "Execute permissions" pull-down menu. See Figure 4.
The following ASP page redirects an OWA request to the Access Manager login page, passing the user's original destination in the goto parameter:
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<%
' OWA passes its logon URL in the owagoto query parameter; the user's original
' destination is the url= value inside it, followed by an &reason=... suffix.
redirectvalue = Request.QueryString("owagoto")
' InStr is 1-based and returns 0 when the marker is not present.
posn = InStr(redirectvalue, "owalogon.asp?url=")
If (posn > 0) Then
    str2 = Split(redirectvalue, "owalogon.asp?url=")
    str3 = Split(str2(1), "&reason")
    redirectvalue = str3(0)
End If
%>
<meta http-equiv="Refresh" content="0;url=https://<Access_Manager_hostname>:<Access_Manager_portnumber>/amserver/UI/Login?goto=<%=redirectvalue%>">
</head>
</html>
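The same owagoto extraction, written in Go as an added example that is not part of the article: extractGoto reproduces the ASP string handling, and safeGoto adds a check that the resulting destination is an https URL on an allowed host before it is handed to the Access Manager goto parameter. The allow-list, the percent-decoding of the url= value and the fallback URL are assumptions of this example, not behaviour the page's ASP has.

```go
package main

import (
	"fmt"
	"net/url"
	"strings"
)

// allowedHosts lists the hosts a post-login redirect may point at.
// Constructed for this example.
var allowedHosts = map[string]bool{"owa.example.test": true}

// extractGoto mirrors the ASP logic: if owagoto contains the OWA logon URL with a
// url= parameter, return that value with any trailing &reason part removed;
// otherwise return owagoto unchanged.
func extractGoto(owagoto string) string {
	const marker = "owalogon.asp?url="
	i := strings.Index(owagoto, marker)
	if i < 0 {
		return owagoto
	}
	rest := owagoto[i+len(marker):]
	if j := strings.Index(rest, "&reason"); j >= 0 {
		rest = rest[:j]
	}
	return rest
}

// safeGoto applies extractGoto, percent-decodes the value (OWA may encode it,
// an assumption here) and accepts it only if it is an absolute https URL on an
// allowed host. Anything else is replaced by fallback and reported.
func safeGoto(owagoto, fallback string) (string, error) {
	target := extractGoto(owagoto)
	if dec, err := url.QueryUnescape(target); err == nil {
		target = dec
	}
	u, err := url.Parse(target)
	if err != nil || u.Scheme != "https" || !allowedHosts[u.Hostname()] {
		return fallback, fmt.Errorf("rejected goto %q", target)
	}
	return u.String(), nil
}

func main() {
	// constructed sample of what OWA sends after bouncing a request to its logon page
	in := "https://owa.example.test/exchweb/bin/auth/owalogon.asp?url=https://owa.example.test/exchange/alice/Inbox&reason=0"
	fmt.Println(safeGoto(in, "https://owa.example.test/"))
}
```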
The following ASP page clears the OWA authentication cookie by setting it to a date in the past and then redirects to the Access Manager logout page, which returns the user to the OWA site:
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<%
' Overwrite the OWA cookie with a throwaway value and an expiry in the past so
' the browser discards it before the Access Manager logout completes.
Response.Cookies("owaAuthCookie").Domain = ".iplanet.com"
Response.Cookies("owaAuthCookie").Path = "/"
Response.Cookies("owaAuthCookie") = "owaValue"
Response.Cookies("owaAuthCookie").Expires = "July 1, 1995"
%>
<meta http-equiv="Refresh" content="0;url=https://<Access_Manager_hostname>:<Access_Manager_portnumber>/amserver/UI/Logout?goto=https%3A%2F%2F<OWA_hostname>%3A<OWA_portnumber>%2F">
</head>
</html>
Related article:
http://developers.sun.com/identity/reference/techart/owa.html