ASA WebVPN SSO with cactus
Hello
I use SSO with HTTP POST parameters for SINGLE sign-on for web applications behind my ASA.
I am currently playing with cactus.
My settings are:
action = login
login_username = CSCO_WEBVPN_USERNAME
login_password = CSCO_WEBVPN_PASSWORD
Realm = ldap
The connection works fine, but after the post OFFICE, the Web server sends a HTTP "302 OK code." Normally, it should be "302 moved" or "200 OK".
The ASA does not include what to do, to do nothing and replies with an error "Server
When I press the 'Home' button and click again on the bookmark of cactus, I'm connected to cactus. It seems that there is a cookie or something missing. When I do exactly the same with a browser, it sends after the "302 OK" normal GET and I am connected. Me seems a mistake in cactus, but I'm not also sure if ASA does not respond properly? Also, when I change the type of bookmark of https to post, it works! BUT: post plugin only supports http and not https, so my connections has send in clear on the internal network. Any ideas? Thank you MB Tags: Cisco Security ASA WebVPN with SSO on OWA 2010 Exchange Hello, I was using WebVPN (clientless) with SSO on Exchange OWA 2003 and it worked very well with these UNIQUE POST authentication settings: URL: / * Style Definitions * / table. MsoNormalTable {mso-style-name : « Tabla normal » ; mso-tstyle-rowband-taille : 0 ; mso-tstyle-colband-taille : 0 ; mso-style-noshow:yes ; mso-style-priorité : 99 ; mso-style-qformat:yes ; mso-style-parent : » « ;" mso-rembourrage-alt : 0 cm 5.4pt cm 0 5.4pt ; mso-para-marge-haut : 0 cm ; mso-para-marge-droit : 0 cm ; mso-para-marge-bas : 10.0pt ; mso-para-marge-gauche : 0 cm ; ligne-hauteur : 115 % ; mso-pagination : widow-orphelin ; police-taille : 11.0pt ; famille de police : « Calibri », « sans-serif » ; mso-ascii-font-family : Calibri ; mso-ascii-theme-font : minor-latin ; mso-fareast-font-family : « Times New Roman » ; mso-fareast-theme-font : minor-fareast ; mso-hansi-font-family : Calibri ; mso-hansi-theme-font : minor-latin ;} https://
destination https://
user domain\\user name / * Style Definitions * / table. MsoNormalTable {mso-style-name : « Tabla normal » ; mso-tstyle-rowband-taille : 0 ; mso-tstyle-colband-taille : 0 ; mso-style-noshow:yes ; mso-style-priorité : 99 ; mso-style-qformat:yes ; mso-style-parent : » « ;" mso-rembourrage-alt : 0 cm 5.4pt cm 0 5.4pt ; mso-para-marge-haut : 0 cm ; mso-para-marge-droit : 0 cm ; mso-para-marge-bas : 10.0pt ; mso-para-marge-gauche : 0 cm ; ligne-hauteur : 115 % ; mso-pagination : widow-orphelin ; police-taille : 11.0pt ; famille de police : « Calibri », « sans-serif » ; mso-ascii-font-family : Calibri ; mso-ascii-theme-font : minor-latin ; mso-fareast-font-family : « Times New Roman » ; mso-fareast-theme-font : minor-fareast ; mso-hansi-font-family : Calibri ; mso-hansi-theme-font : minor-latin ;} CSCO_WEBVPN_USERNAME password / * Style Definitions * / table. MsoNormalTable {mso-style-name : « Tabla normal » ; mso-tstyle-rowband-taille : 0 ; mso-tstyle-colband-taille : 0 ; mso-style-noshow:yes ; mso-style-priorité : 99 ; mso-style-qformat:yes ; mso-style-parent : » « ;" mso-rembourrage-alt : 0 cm 5.4pt cm 0 5.4pt ; mso-para-marge-haut : 0 cm ; mso-para-marge-droit : 0 cm ; mso-para-marge-bas : 10.0pt ; mso-para-marge-gauche : 0 cm ; ligne-hauteur : 115 % ; mso-pagination : widow-orphelin ; police-taille : 11.0pt ; famille de police : « Calibri », « sans-serif » ; mso-ascii-font-family : Calibri ; mso-ascii-theme-font : minor-latin ; mso-fareast-font-family : « Times New Roman » ; mso-fareast-theme-font : minor-fareast ; mso-hansi-font-family : Calibri ; mso-hansi-theme-font : minor-latin ;} CSCO_WEBVPN_PASSWORD / * Style definitions * / table. MsoNormalTable {mso-style-name : « Tabla normal » ; mso-tstyle-rowband-taille : 0 ; mso-tstyle-colband-taille : 0 ; mso-style-noshow:yes ; mso-style-priorité : 99 ; mso-style-qformat:yes ; mso-style-parent : » « ;" mso-rembourrage-alt : 0 cm 5.4pt cm 0 5.4pt ; mso-para-marge-haut : 0 cm ; mso-para-marge-droit : 0 cm ; mso-para-marge-bas : 10.0pt ; mso-para-marge-gauche : 0 cm ; ligne-hauteur : 115 % ; mso-pagination : widow-orphelin ; police-taille : 11.0pt ; famille de police : « Calibri », « sans-serif » ; mso-ascii-font-family : Calibri ; mso-ascii-theme-font : minor-latin ; mso-fareast-font-family : « Times New Roman » ; mso-fareast-theme-font : minor-fareast ; mso-hansi-font-family : Calibri ; mso-hansi-theme-font : minor-latin ;} SubmitCreds Log + we forcedownlevel 0 trust 0 Now, I'm trying to do the same thing with OWA 2010 and it doesn't work. I always get an error on the user credentials For Exchange 2010, I use these settings: URL: https://
https://
username DOMAIN\CSCO_WEBVPN_USERNAME password CSCO_WEBVPN_PASSWORD SubmitCreds Log + we forcedownlevel 0 trust 0 Anyone know how to fix? Any help? Thank you In this configuration, I had to change to HTTP (associated client). It also works well on HTTPS. Download this tool http://www.fiddler2.com/fiddler2/.
post parameter: destination: http://internal-mail-server-ip/owa/ flags: 0 forcedownlevel: 0 Trust: 0 username: CSCO_WEBVPN_USERNAME password: CSCO_WEBVPN_PASSWORD isUtf8: 1 http://internal-mail-server-ip/owa/auth/owaauth.dll]] > http://internal-mail-server-IP/OWA/ 0 0 0 CSCO_WEBVPN_USERNAME
CSCO_WEBVPN_PASSWORD 1 Welcome, Norbert Hope this helps... Please note so useful ASA 5555 X with power Module of fire and redirect URL to WSA My question is related to the flow of traffic with an ASA 5555 X with the power of fire services module and a WCCP redirect a device of the WSA. I think that the traffic flow should occur such as: Traffic http--> ASA--> FP IPS--> WCCP in the WSA Proxy--> (Internet cloud) In this way the IPS could identify all customers before traffic hits the Proxy of the WSA. So the question is, is the policy of Service on the SAA get processed before the WCCP redirect? Is - this configurable? Or the ASA deals the WCCP redirect before the Service policy routing traffic through the ASA? Y at - it guides that go into the details of this scenario? Thank you David David, There is no plan to join WSA ASA/power of fire or FTD. Each has strengths and treats the customers with different requirements. WSA like you know offer customization deep and rich reports or web filtering. However, it is limited to http/80 and https/443. Firepower is an easy solution if you already use it for NGIPS and/or Malware protection. It lacks some of the features of the ASO reporting (although FMC can be highly customized if you dig deep). There are also OpenDNS to consider whether it's capabilities are calls for you. Communication between subinterface on ASA 5515 X with version 9.1. Hello I have an ASA 5515 - X with version 9.1. I created 5 secondary interfaces in my 0/1, with different subnets while the firewall is the front door of my user. 0/0 - outside - WAN 0/1.1 - inside16 - 172.16.16.1/23 172.16.30.1/24 - inside30 - 0/1.2 0/1.3 - inside33 - 172.16.33.1/24 0/1.4 - inside40 - 172.16.40.1/24 172.16.128.1/24 - inside128 - 0/1.5 0/2 - test - 10.10.10.1/24 10.x/24 network my internet works fine. But, while this does not work for my secondary interfaces. They communicate with themselves. When I try to trace a package. I've been out below attached. Please suggest. Kind regards Emilie You use the (necessary) command: permit same-security-traffic inter-interface SSO with Cloud-based deployments hybrid Hello I m wondering, how SSO works with the Hybrid Cloud-Based deployments. I want to use Jabber for Windows with WebEx Connect and unified with Cisco WebEx Communications integration. Issues related to the: Any thoughts? Thank you Tino Hi Tino, You can use the command line arguments to specify the SSO with WebEx presence server. There is no real soloution SSO at present for hybrid mode (CUCM, unit Cxn). See the answer online for other issues. >> Fix >> Attribute 'PhoneService_UseCredentialsFrom' can only be used in the deployment prem No.. Check the section plan for authentication of the administration of Jabber for Windows for more information guide. Thank you Ménard implementation of SSO with r12 Hello Experts, I must apply sso with our installation r12. the details are: Operating system: HP-UX Itanium EBS: 12.1.3 DB: 11.2.0.2 Next Note: Integration Oracle E-Business Suite Release 12 with Oracle Internet Directory and Oracle Single Sign-On [376811.1 ID] According to the note, need to install 10 g AS (10.1.4.0.1) can it go to 10.1.4.0.3 I am facing problem to download s/w for 10g As. http://www.Oracle.com/technetwork/middleware/IAS/downloads/101401-099957.html but not able to understand which I take download to do the first installation. (10.1.4.0.1) Please suggest. Thanks in ADV! Hello The issue is discussed previously and answered in the forum, please visit: https://forums.Oracle.com/message/10403374 HTH! Thank you & Best regards OBIEE 11.1.1.6 SSO with OAM 11.1.1.5: problem of attribute OID 11.1.1.6 Hello Joseph,. This is a known issue in OBIEE 11.1.1.6.0, please see: OBIEE 11.1.1.6 Agent failed with error code: IHVF6OM7:OPR4ONWY:U9IM8TAC [nQSError: 13039] the imposter does not exist in the BI [1446877.1 ID] Security Service We have configured OBIEE 11.1.1.6 on Linux and use Single Sign On (SSO) with authentication Native for Windows (Ondaaah). Configured authenticator AD, select sAMAccountName instead of CN for the attribute of the user. SSO in MS license. When you try to access the OBIEE presentation services we met the below error. «You are not logged here: Oracle BI Server.» When to check the logfile biserver1 found: failure of the Assertion of identity [Security: 090300]: user OracleSystemUser does not exist After you apply the hotfix 13553428 on top of 11.1.1.6.0 OBIEE we connected in OBIEE presentation services. It works very well with OBIEE, 11.1.1.5.0 and 11.1.1.6.1 OBIEE fixed in 11.1.1.6.1. Apply Patch 13742915. If you want to stay in OBIEE 11.1.1.6.0. Apply Patch 13553428. Let me know if this solves the problem of Asserter. Pls mark so useful or response. Thank you Salvation; If you have doupt that its go with sr. But if you follow google and if you hit error and if you mention your steps which is not covered in metalink with that you may have a support problem Respect of Yes, as long as you're not on the v.3 version where the roles session variable cannot be initialized the. If you're on v.5, Yes, it's quite possible. Software needed to achieve SSO with Webcenter Suite 11.1.1.2 Using these business applications with WebCenter spaces? If you start a new project, why don't you use WebCenter 11 G PS3 or PS4 because there are a number of new features? Also the Oracle Access Manager (OAM) is the recommended method to achieve the goal of SSO. Although Oracle SSO (OSSO) is the main solution for Oracle 10 G Infrastructure but Weblogic also support OSSO. Anyway, if you want to use Oracle SSO (OSSO) in WebCenter 11.1.1.2, you need after 2 software: -. 1 oracle HTTP Server (OHS) You can find the configuration details in http://download.oracle.com/docs/cd/E15523_01/webcenter.1111/e12405/wcadm_security.htm#BGBDADFE. You don't need additional software for E-business Suite as well. Yes, it's ok to have multiple keys in a JKS file. We can refer to the required private key by using the alias name, which is the use of the alias here. Let's do simple. In credentials for the Mapper to configure the following: and configure the Federation Service: Now my question is, I want a combination of scenario 1 and scenario 2. I want OBIEE SSO with Active directory and the groups in the external table. I don't have what is your question? Just do SSO with AD, and then load the groups in the GROUP through SQL init block. What is your real problem? To filter the report data, you must have the same structure of Group at Web cat I guess (correct me if I'm wrong). Yes, even if you do not need to use the same workgroup name. Is MNI names I'd rather have completely separate groups, some for safety to the RPD for Web security catalog. As long as the groups exist in the appropriate location (RPD or Web catalog) and they are assigned in the block GROUP init then OBIEE will be happy, they do not need to exist in both places. (2) No SSO will fill the Remote_User variable rather than the default USER variable. No, you say OBIEE where to put the REMOTE_USER value. "You can simply select ': USER"FROM DUAL or if you have your users defined in a table, you can also authenticate the user exist in this table, SELECT": 'FROM USER_TABLE WHERE USER_ID =' USER: USER" which adds another layer of authentication to your SSO solution. SSO with WebVPN ASA using RSA tokens Current configuration: Chip & PIN the user authenticates for-> ASA5510 8.2 Clientless VPN-> past to the 7.2 SDI RSA Authentication Manager. I've got of authentication works great, at the first connection, users can connect with their AD usernames and RSA tokens and generate his pin code. We used to use ACS express and their advertising information for vpn authentication, but now we have to two factors of authentication. Is it possible to some how to maintain SSO so that when the user authenticates via its RSA token they can always browse through OWA, Sharepoint, CIFS (file share) without having to enter their credentials for the AD? Any help or information is much appreciated. Thank you You can activate the field "internal password" on the customization of WebVPN and also re-name-the ("Password AD" for example) and then configure the entries in the auto-code of access for internal URLS on NTLM. Such that when the guest servers the WebVPN session will send the user name used to connect to the ASA but send the internal password captured during the connection instead of the password used to connect to the WebVPN himself. The only problem I saw during the test, there is no seam to be a graceful way to establishing a password incorrect or missing, then NTLM would fail and fall back basic over ssl. Finally it would block the AD accounts based on URL how much the user has tried when the password entered when the connection is bad or missing (because it failed to connect to the WebVPN). Between Cisco ASA VPN tunnels with VLAN + hairpin. I have two Cisco ASA (5520 and 5505) both with version 9.1 (7) with Over VPN and Security Plus licenses. I try to understand all the internet a traffic tunnel strategy VLAN especially on the 5520 above the 5505 for further routing to the internet (such as a hair/u-turn hairpin). A few warnings: Let me know if I need to post my current config. Basically, I'm starting from scratch after several attempts. Thank you! You can use the following doc to set up the VPN and then this document to configure Hairping/U tuning 2. the 5505 has sometimes no device turned on behind her, bringing interfaces down to the inside (which can cause problems from site to site). Make sure that the interface is connected to a switch so that it remains all the TIME. 3. 5520 the may not be a ezvpn customer due to she has current as one role anyconnect webvpn ()) server. You can use dynamic VPN with normal static rather EZVPN tunnel. Kind regards PS Please rate helpful messages. Homepage default value ASA WebVPN (8.03) howto Hello I sent an Asa 5505 (8.0.3) with webvpn. When I was able to connect the device via the web, I get on the personalized homepage. But it goes directly to "Anyconnect" instead of the "Home" page How can I change this? I think it's something simple, but I can't find it! See the screenshot for more details. Thnx! Check if the policy called is the right. The following link can help you http://www.Cisco.com/en/us/docs/security/ASA/asa80/configuration/guide/WebVPN.html GameCenter does not work on iOS 9.2 Hey community,. Today, I downloaded an application needs (I think) gamecenter to start. (Btw: it's Angry Birds 2) The application has stopped loading to "connecting...". » I checked the app on the home screen: freeze checked the app settings: freeze Z510 "Default Boot Device missing or initialization failed" after BIOS update Hello I get the error in the title, after that I tried flashing the BIOS for the Z510 was last updated. I can press ok and then enter in the Boot Manager, but I can't choose anything here. also, I can't boot from a disc with for example XP on it. I a I was able to do before. This just started a few weeks ago. Thank you! Hello? My system is using a double buffering based code and I have to use them. I tested a stand-alone DAQmx program on a double buffering technique, and it works quite fine with my system. Since I am not only writing my code c ++ system for years 19 WINDOWS 7 HOME PREMIUM - PROBLEMS PLAY RPG Hello guys - I'm a girl, so please bear with my tiny no mind technique. I like RPG and download them on Aldorlea and Blossomsoft to name a few. Have Windows 7 now and whenever I try to play the games I get a black screen to the icon (I can hear theconfigure the POST plugin for HTTPS by using the csco_proto=https parameter
in the Post-Plugin URLSimilar Questions
Flags 0
Flags 0
Someone at - it work?
destination
flags
forcedownlevel
Trust
username
password
isUtf8
I configured an OAM (webgate) + DIO + OBIEE + OHS system.
The OBIEE is protected via OHS(weblogic module) and webgate. It works very well.
The CAO authenticates OID (default user identity store).
The * "User research Base" * is the same (* "cn = Users, dc is mydomain, dc = com" *) in the store of identity and authentication provider OID of OBIEE too.
SSO is enabled in OBIEE and suppliers are:
OID (provider that performs authentication LDAP 1.0) JUST
REQUIRED OAM (Oracle Access Manager identity Asserter 1.0) provider
DefaultAuthenticator (WebLogic Authentication Provider 1.0) SUFFICIENT
DefaultIdentityAsserter
IF the * "User name attribute" * is * '' cn '' * in-store OAM of identity of the users and the provider of the OID of the OBIEE * "user name attribute" * is * "cn" * (by default) also, everything works fine.
But I have to use * "orclSAMAccountName" * instead of * "cn" * (OAM and OID provider). And in this case, I have the problem.
The OID of the OBIEE provider are:
All users filter: (& (orclSAMAccountName = *)(objectclass=person))
The user of the name filter: (&(orclSAMAccountName=%u)(objectclass=person)))
Username attribute: orclSAMAccountName
I did a test user:
CN = test
SN = test_sn
orclsamaccountname = test_sama
UID = test_uid
krbprincipalname = test_krb
I can authenticate with test_sama OAM, but OBIEE say: * "" you are not logged here: Oracle BI Server. "*"
The bi log shows that:
+ By default (self-adjusting)' > < BISystemUser > <>< 00093dFuR ^ HFW7PMye7i6G00052S000Tt7 > < 1345642607333 > < BEA-000000 > < javax.security.auth.login.FailedLoginException: [Security: 090304] authentication failed: User test javax.security.auth.login.LoginException: identity [Security: 090300] Assertion failure: test user does not exist +.
+ oracle.security.jps.internal.api.jaas.AssertionException: javax.security.auth.login.FailedLoginException: [Security: 090304] authentication failed: User test javax.security.auth.login.LoginException: [Security: 090300] identity Assertion failure: test user does not exist.
Why does search OBIEE the * '' cn '' * and why does not use the * "orclsamaccountname?"
Any idea?
Best regards, Jani
SVS-
execution of 11.5.10.2 with 10.2.0.4 db multi-user.
intalled 10g as another break with the OID/SSO.
application server 10.1.2.0.2
DB server: 10.1.0.4
need to integrate SSO with ebs
following mos 233436.1
has confused with authentication UNIQUE task 2, step 5: run the registration script
as this mos says that:
A perl script is used to register the instance of Oracle E-Business Suite Oracle Internet Directory and Oracle Single Sign-On
txkrun.pl - script = SetSSOReg.
-provtmp = $FND_TOP/admin/template / < TemplName >
and a lot of google search wrote 3 steps:
-Registration of oracle home
$FND_TOP/bin/txkrun.pl-script = SetSSOReg - registerinstance = yes
-SSO registration
$FND_TOP/bin/txkrun.pl-script = SetSSOReg - registersso = yes
-Record OID
$FND_TOP/bin/txkrun.pl-script = SetSSOReg - registeroid = yes
What is the good?
If both are right, then how decide what trake should I take?
Please suggest!
HELIOS
Has anyone use SSO with OBIEE? We have restricted MSAD/Windows with OBIEE SSO.
Let us know that it is possible to do with the authentication of the RPD?
Thank you!
I installed Web center suite 11.1.1.2 on my Machine. Can someone suggest, what software I need to install in order to achieve
Oracle SSO with E-Business Suite and OBIEE.
Concerning
Nanfack marzolf
Published by: user11965597 on 15 Sep 2011 03:58
2 oracle Internet Directory (OID)
I train like in http://www.oracle.com/technology/pub/articles/dev2arch/2006/12/sso-with-saml4.html
But I get the following exception when I configure the Federation Service. I saw the same problem in the SAML in Weblogic 10.3 configuration , but when I try the same thing, I still have the same error.
< 4 June 2010 11:35:02 SGT > < error > < Console > < BEA-240003 > < Console met the following error weblogic.managemen
t.provider.UpdateException: [management: 141191] the phase of preparation of the configuration update failed with an exception:
at weblogic.management.provider.internal.RuntimeAccessDeploymentReceiverService.prepare (RuntimeAccessDeploymentR
eceiverService.java:283)
to weblogic.deploy.service.internal.targetserver.DeploymentReceiverCallbackDeliverer.doPrepareCallback (Deploymen
tReceiverCallbackDeliverer.java:157)
at weblogic.deploy.service.internal.targetserver.DeploymentReceiverCallbackDeliverer.prepare (DeploymentReceiverC
allbackDeliverer.java:40)
at weblogic.deploy.service.internal.statemachines.targetserver.AwaitingContextUpdateCompletion.callDeploymentRec
eivers(AwaitingContextUpdateCompletion.Java:164)
at weblogic.deploy.service.internal.statemachines.targetserver.AwaitingContextUpdateCompletion.handleContextUpda
teSuccess(AwaitingContextUpdateCompletion.java:66)
to weblogic.deploy.service.internal.statemachines.targetserver.AwaitingContextUpdateCompletion.contextUpdated (Aw
aitingContextUpdateCompletion.java:32)
at weblogic.deploy.service.internal.targetserver.TargetDeploymentService.notifyContextUpdated (TargetDeploymentSe
service. Java:225)
to weblogic.deploy.service.internal.DeploymentService$ 1.run(DeploymentService.java:189)
to weblogic.work.SelfTuningWorkManagerImpl$ WorkAdapterImpl.run (SelfTuningWorkManagerImpl.java:516)
at weblogic.work.ExecuteThread.execute(ExecuteThread.java:201)
at weblogic.work.ExecuteThread.run(ExecuteThread.java:173)
Caused by: weblogic.descriptor.BeanUpdateRejectedException: SAMLBeanUpdateListener SAMLSingleSignOnServiceConfigInfoImpl
: prepareUpdate() failed with exception: weblogic.security.spi.ProviderInitializationException: F.a [Security: 097558]
ionServicesMBean configuration testalias the protocol signing key is not valid.
at weblogic.security.providers.saml.SAMLBeanUpdateListener.prepareUpdate(SAMLBeanUpdateListener.java:84)
to weblogic.descriptor.internal.DescriptorImpl$ Update.prepare (DescriptorImpl.java:481)
at weblogic.descriptor.internal.DescriptorImpl.prepareUpdateDiff(DescriptorImpl.java:195)
at weblogic.descriptor.internal.DescriptorImpl.prepareUpdate(DescriptorImpl.java:174)
at weblogic.management.provider.internal.RuntimeAccessDeploymentReceiverService.prepare (RuntimeAccessDeploymentR
eceiverService.java:269)
>
You can try to use the default for SAML, for what we can do is to leave the SSL and the default keystore. In this secnario you Server are configured to use:
DemoIdentity.jks as the keystore.
DemoIdentity as an alias for the private key.
DemoIdentityPassPhrase the password for the private key.
alias: DemoIdentity
signing key password: DemoIdentityPassPhrase
alias: DemoIdentity
(1) I have configured instance SSO with windows Active Directory and OBIEE.
(2) I also have another instance (without configured SSO) with table external authentication (verification of name and password of the user) and authorization (groups, that populate the session for the filtering of data variables).
Now my question is, I want a combination of scenario 1 and scenario 2. I want OBIEE SSO with Active directory
and the groups in the external table.
The reason being, my groups are custom in the outer table groups, I do not want to keep users in the repository.
can you please give me some pointers if the scenario is possible. Thanks in advance
Thanks and greetings
Satya
Dinesh MoudgilMaybe you are looking for