This article describes how to use a single sign-on script in Smart ID Digital Access component. As web sites grow more and more resistant to automation, you might need to use a script, to make single sign-on (SSO) function as intended.
Note |
---|
This implementation is not able to pick up and act on invalid SSO data. This means that if the password for a user in the target system has been changed, it will not be learned automatically |
...
...
, as with other SSO types, for example, Formbased and Adaptive. |
The method works by intercepting the request from the login form submit and replacing dummy values with real SSO data, when the Access Point passes the request on to the internal resource. In order to make this work, a Java script is inserted in the web page using the WASCR technique.
...
Prerequisites
...
...
...
...
Digital Access Admin with an administrator account.
|
...
...
Digital Access Admin, click Browse. Upload the provided files (without changing the file names) to access-point
|
...
...
...
Digital Access Admin, go to Manage Resource Access. Click Global Resource Settings. Go to the Filters tab and click Add Filter... Add these three filters and configure them as follows:
Information about the filters This table gives information about the filters: sso_set_username | This filter picks up a dummy-string, in this case: secret_username, and replaces it with the correct sso username in the request from the user to the internal server. This is a server side operation only so the username will never reach the end user or traverse to the client. |
---|
sso_set_password | This filter picks up a dummy-string, in this case: secret_password, and replaces it with the correct sso password in the request from the user to the internal server. This is a server side operation only so the password will never reach the end user or traverse to the client. |
---|
Inject_script | This filter injects a script in the login form web page that will prefill the values of the login form controls with the dummy strings secret_username and secret_password and auto-submit the form. |
---|
|
Expand |
---|
title | Information when configuring the filters |
---|
|
Regarding the path The path should be the target of the post, that is, what the form is configured to post its reply to. No web service is equal to another and sometimes this might not be a possible approach. The web page may post back to itself for example. So if a path can not be used, for whatever reason, use a * as path. This means that all requests will be inspected. In that case it is better to replace the dummy strings with something that will not under any circumstances be posted, to make sure not to replace other values. It could, for example, be that the web service actually has a reference to the string secret_username and in that case secret_username should be replaced with something random. For example, replace secret_username with hag_secret_username_lesuhfow8h2. The scripts must be edited accordingly. In the case of problems or questions contact Nexus Technical Support. Regarding the script variable in Inject_script The getElementById function calls are searching for the form fields Password, Username and LoginButton in the HTML of the login form. These are most likely named differently in other systems and must be updated accordingly by inspecting the HTML of the login form of the system that should be provided with SSO. These are typically the input fields where the user gives his/her credentials. |
Expand |
---|
title | Update Inject_script |
---|
|
Update the inject form script to introduce the script configured above (in the inject_script filter) in the correct position in the HTML. In
|
...
Digital Access Admin, click Browse. Navigate to access-point/custom-files/scripts. Edit inject_script.wascr. Code Block |
---|
[root]
STRING="</body>";def
ACTION=del("7"),ins("<script>"),ins(script), ins("</script></body>");0
TRANS=root;root |
Find a place in the HTML to inject the script with correct syntax and without modifying functionality. This might not be trivial and sometimes changes to existing scripts may be needed. The above approach should however work in most conditions (find the end body tag and insert it just before the end).
The language above is called wascr and is somewhat complex. Basically the above script will do the following: |
...
Digital Access Admin, go to Manage Resource Access. Click Web Resources. Mark the web resource and click Edit Resource Host... Check Enable Single Sign-On. Select Script as Single Sign-On Type. Select SSO Domain. Click Save and then Publish.
|
Related information
...
Script files