Document toolboxDocument toolbox

Nexus Documentation
CURL vulnerability information (CVE-2023-38545) - Nexus awareness advisory on Microsoft's update KB5014754

Single sign-on script in Digital Access

Owned by Ann Base (Deactivated)
Last updated: Jan 30, 2024 by Josefin Klang (Deactivated)
4 min read

This article describes how to use a single sign-on script in Smart ID Digital Access component. As web sites grow more and more resistant to automation, you might need to use a script, to make single sign-on (SSO) function as intended.

This implementation is not able to pick up and act on invalid SSO data. This means that if the password for a user in the target system has been changed, it will not be learned automatically by Digital Access, as with other SSO types, for example, Formbased and Adaptive.

The method works by intercepting the request from the login form submit and replacing dummy values with real SSO data, when the Access Point passes the request on to the internal resource. In order to make this work, a Java script is inserted in the web page using the WASCR technique.

  1. Log in to Digital Access Admin with an administrator account.

  1. In Digital Access Admin, click Browse.

  2. Upload the provided files (without changing the file names) to access-point/custom-files/scripts

  1. In Digital Access Admin, go to Manage Resource Access.

  2. Click Global Resource Settings.

  3. Go to the Filters tab and click Add Filter...

  4. Add these three filters and configure them as follows:

    • sso_set_username



    • sso_set_password



    • Inject_script

      For help, click the ?-sign.

Information about the filters

This table gives information about the filters:

sso_set_username

This filter picks up a dummy-string, in this case: secret_username, and replaces it with the correct sso username in the request from the user to the internal server. This is a server side operation only so the username will never reach the end user or traverse to the client.

sso_set_password

This filter picks up a dummy-string, in this case: secret_password, and replaces it with the correct sso password in the request from the user to the internal server. This is a server side operation only so the password will never reach the end user or traverse to the client.

Inject_script

This filter injects a script in the login form web page that will prefill the values of the login form controls with the dummy strings secret_username and secret_password and auto-submit the form.

Regarding the path

The path should be the target of the post, that is, what the form is configured to post its reply to. No web service is equal to another and sometimes this might not be a possible approach. The web page may post back to itself for example. So if a path can not be used, for whatever reason, use a * as path. This means that all requests will be inspected. In that case it is better to replace the dummy strings with something that will not under any circumstances be posted, to make sure not to replace other values. It could, for example, be that the web service actually has a reference to the string secret_username and in that case secret_username should be replaced with something random. For example, replace secret_username with hag_secret_username_lesuhfow8h2. The scripts must be edited accordingly. In the case of problems or questions contact Nexus Technical Support.

Regarding the script variable in Inject_script

The getElementById function calls are searching for the form fields Password, Username and LoginButton in the HTML of the login form. These are most likely named differently in other systems and must be updated accordingly by inspecting the HTML of the login form of the system that should be provided with SSO. These are typically the input fields where the user gives his/her credentials.

Update the inject form script to introduce the script configured above (in the inject_script filter) in the correct position in the HTML.

  1. In Digital Access Admin, click Browse.

  2. Navigate to access-point/custom-files/scripts.

  3. Edit inject_script.wascr.

    [root] STRING="</body>";def ACTION=del("7"),ins("<script>"),ins(script), ins("</script></body>");0 TRANS=root;root

  4. Find a place in the HTML to inject the script with correct syntax and without modifying functionality. This might not be trivial and sometimes changes to existing scripts may be needed. The above approach should however work in most conditions (find the end body tag and insert it just before the end).

The language above is called wascr and is somewhat complex. Basically the above script will do the following:

  • Search for the string </body> in the html file.

  • Delete 7 characters.

  • Insert "<script>"

  • Insert what is contained in the script variable (configured in the filter screen above)

  • Insert "</script>"

  • Insert "</body>"

Related information

Script files

Copyright 2024 Technology Nexus Secured Business Solutions AB. All rights reserved.
Contact Nexus | https://www.nexusgroup.com | Disclaimer | Terms & Conditions