Evade single sign-on

Featured image

Everyone is familiar with the single sign on (SSO) principle (assumption, yes, I know). You log in to your machine and are authenticated. Now when you log in to a subsequent application (regular or web-based) single sign on functionality (if the application in question supports it) provides the credentials of your desktop session automatically to the application. This ensures a smooth experience for the user and a higher level of productivity.

How is this applicable to IT Store?

As you know the IT Store frontend (RES IT Store Web Portal component) runs on Internet Information Services (IIS). When a user opens the frontend it will perform a SSO if the client machine runs Windows (If using Android, OS X, iOS, Linux, etc. it won’t). It will log in to the IT Store with the same credentials as the ones you used to log in to your desktop.
Since the IT Store also has a very neat looking login page (one that you can customize very easily to include your own company logo and colors) it’s strange that they would force this kind of login for everyone.

Screenshot 1

So how does this work when you are logging in from a standalone device (e.g. private machine at home or a Bring Your Own device), or when you would like to perform a password reset through the IT Store, or when you are at an internet café and want to enable international roaming for your company phone through IT Store (great idea for a IT Store service BTW ;-)).
In these cases you definitely don’t want the IT Store performing a SSO since they will fail. What the IT Store (or actually the browser) will do is present a pop-up in which it asks for credentials. In this pop-up you can input your credentials and it will log in to IT Store for you.

Screenshot 2

However, in my experience, this doesn’t always work as smoothly as it should. And what about when you want to reset your password? Then you really need the IT Store native login screen to perform the reset.
Sure, you can cancel the pop-up, get the 401 – not authorized error and press refresh (this will redirect you to the native login page) but this is not exactly user friendly.

So how can you circumvent this? Sadly, you can’t disable SSO altogether without breaking the IT Store frontend (if you do know how, please let me know). And I wouldn’t recommended it if you could for the sake of the internal users. There is however a workaround.
This involves altering the URL that the users use to access the IT Store or you could implement a redirect in IIS.

Mind you, I’m not saying that this is the solution for your IT Store. I’m just trying to make you aware of the possibility.

Altering the URL:
Add /Auth/FormsLogon to the URL (e.g. http://res1.local.lan/Auth/FormsLogon). If bookmarks, favorites or shortcuts are provided to the user by a desktop management tool of some sort, then this would be easy to implement.

However, for the external or BYO users you might not want to give them such an elaborate URL. So in these cases you might to implement a redirect of some sort in the IIS configuration.

IIS HTTP redirect:
To do this, perform the following actions:
– Make sure the HTTP Redirection feature is added to your IIS installation (through Server Manager)

Screenshot 3

– Open the Internet Information Service Manager and select the IT Store website
– Choose the option HTTP Redirect in the IIS section

Screenshot 4

– Select the option Redirect requests to this destination
– Input the redirection URL (http(s)://res1.local.lan/Auth/FormsLogon)

Screenshot 5

– Select the option Only redirect requests to content in this directory (not subdirectories)
– Press Apply

From now on, every user that opens the IT Store will be redirected. So the internal users will now also ‘evade’ the single sign on.

What you would really want in this case is to have a single sign on for all internal users on company machines and present the logon page to the external and BYO users.
There are several ways to make this work. I’m not going to write a HOWTO for this since there are a lot of ways to accomplish this. However, I will give you two options:

– Publish IT Store through Citrix NetScaler with multiple expressions that differentiate between internal and external machines/IP’s (possible even on a NetScaler VPX with the free Express license!)
– Use the URL rewrite extension for IIS with the {REMOTE_ADDR} condition (or whichever condition suits your needs)

Of course there are more options, but I’m not experienced enough in web development to provide with all the in’s and out’s for each option.

Take a while to think about what is the best (and safest) option for your IT Store. What kind of devices do your users have? From where do they work? What kind of services do they need to access in the IT Store? Etc.
Just plan ahead and you will be OK.

Thanks for reading and till next time.

Disclaimer: This blogpost makes the assumption that your IT Store can be accessed from non-company devices and maybe even through the internet. Since there isn’t much known yet about how secure the IT Store is, I would recommended to use some kind of SSL VPN or SSL offload solution to connect to the IT Store.
I would also strongly advise configuring a SSL certificate on the IT Store website to encrypt the traffic. You are then able to access the IT Store through HTTPS.

Edit March 17th, 2015:
In some instances organisations will use Citrix NetScaler as a load balancer and reverse proxy to publish websites to the internet. This is pretty good practice in my opinion (although a DMZ for these kind of web servers is still advised). However, the previously proposed ‘evade single sign-on’ solution will not work in this case.

The following script will create rewrite policies on your NetScaler that will solve the single sign-on issue:

add rewrite action name-of-rewrite-action replace HTTP.REQ.URL "\"/auth/formslogon\""

add rewrite policy name-of-rewrite-policy "HTTP.REQ.URL.ENDSWITH(\"/\")" name-of-rewrite-action
add rewrite policy name-of-no-rewrite-policy "HTTP.REQ.COOKIE.EXISTS && HTTP.REQ.URL.ENDSWITH(\"/\")" NOREWRITE

bind lb vserver loadbalancing-virtual-server -policyName name-of-no-rewrite-policy -priority 90 -gotoPriorityExpression END -type REQUEST
bind lb vserver loadbalancing-virtual-server -policyName name-of-rewrite-policy -priority 110 -gotoPriorityExpression END -type REQUEST

Optional (if using a HTTP-HTTPS redirect):

bind lb vserver loadbalancing-virtual-server-redirect -policyName name-of-no-rewrite-policy -priority 90 -gotoPriorityExpression END -type REQUEST
bind lb vserver loadbalancing-virtual-server-redirect -policyName name-of-rewrite-policy -priority 100 -gotoPriorityExpression END -type REQUEST

Make sure you replace the parts in italic with names to your or your company’s naming scheme liking.
What this rewrite does is redirect you to the /auth/FormsLogon sub-folder and removes the redirect/rewrite for when a cookie will be used.

Thanks to Jaco van den Berg and Rink Spies for engineering this solution.

Leave a Reply

Your email address will not be published. Required fields are marked *