Form Single Sign On with
Microsoft Exchange Outlook Web Access (OWA) using GSO
In this post I describe a WebSEAL configuration that performs Form Single Sign-On (FSSO) to
OWA using credentials stored in GSO (Global Sign-On).
WebSEAL needs the following FSSO configuration parameters to recognise the OWA
login form and to know how to fill it in. Save the following stanzas in a
.conf file (for example owa.conf):
[forms-sso-login-pages]
login-page-stanza = webmail
[webmail]
login-page = /owa/auth/logon.aspx\?replaceCurrent=*
login-form-name = logonForm
gso-resource = <Name_Of_GSO_Resource>
argument-stanza = Argument
login-form-action = /owa/auth.owa
[Argument]
destination = string:https://webmail.blogspot.com/owa
flags = string:4
forcedownlevel = string:0
username = gso:username
password = gso:password
passwordText = string:
isUtf8 = string:1
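To make the semantics of these stanzas concrete, here is an added Python simulation of what the Form SSO module does with them (this is illustrative code written for this post, not WebSEAL's implementation): it checks whether a request URI hits the login-page pattern, then builds the POST body for login-form-action, resolving gso: values from the GSO credential and string: values as literals. The GSO resource name OWA-GSO, the DOMAIN\alice credential and the request URIs are constructed for the example. The real module also parses the HTML form and carries over fields the stanza does not mention; the simulation shows only the fields the stanza sets.

```python
"""Simulation of WebSEAL Form SSO processing for the owa.conf stanzas above.
Illustrative only: the pattern matching and argument resolution mirror the
documented stanza semantics, not WebSEAL's source code."""
import configparser
import re
from urllib.parse import urlencode

# The stanzas from this post; gso-resource is set to a constructed name.
OWA_CONF = r"""
[forms-sso-login-pages]
login-page-stanza = webmail

[webmail]
login-page = /owa/auth/logon.aspx\?replaceCurrent=*
login-form-name = logonForm
gso-resource = OWA-GSO
argument-stanza = Argument
login-form-action = /owa/auth.owa

[Argument]
destination = string:https://webmail.blogspot.com/owa
flags = string:4
forcedownlevel = string:0
username = gso:username
password = gso:password
passwordText = string:
isUtf8 = string:1
"""

# Constructed stand-in for the GSO lock box: resource name -> credential.
GSO_LOCKBOX = {"OWA-GSO": {"username": "DOMAIN\\alice", "password": "s3cret"}}


def load_fsso_conf(text):
    # Only '=' separates key and value: values such as 'string:https://...'
    # contain ':' and must not be split there. Key case is preserved because
    # OWA expects the exact field names 'passwordText' and 'isUtf8'.
    cp = configparser.ConfigParser(interpolation=None, delimiters=("=",))
    cp.optionxform = str
    cp.read_string(text)
    return cp


def pattern_to_regex(pattern):
    """Translate a WebSEAL login-page pattern: '*' matches anything, a
    backslash makes the next character literal (hence logon.aspx\\?...),
    everything else is literal."""
    regex, i = "", 0
    while i < len(pattern):
        c = pattern[i]
        if c == "\\" and i + 1 < len(pattern):
            regex += re.escape(pattern[i + 1])
            i += 2
            continue
        regex += ".*" if c == "*" else re.escape(c)
        i += 1
    return regex


def login_page_matches(conf, request_uri):
    """True when the request URI (path plus query) is the OWA login page."""
    stanza = conf["forms-sso-login-pages"]["login-page-stanza"]
    return re.fullmatch(pattern_to_regex(conf[stanza]["login-page"]), request_uri) is not None


def resolve_argument(value, creds):
    """'string:<lit>' yields the literal (possibly empty);
    'gso:username' / 'gso:password' come from the GSO credential."""
    kind, _, rest = value.partition(":")
    if kind == "string":
        return rest
    if kind == "gso":
        return creds[rest]
    raise ValueError("unsupported argument source: " + value)


def build_login_post(conf, gso_lockbox):
    """Return (action, form name, fields, urlencoded body) WebSEAL would submit."""
    stanza = conf[conf["forms-sso-login-pages"]["login-page-stanza"]]
    creds = gso_lockbox[stanza["gso-resource"]]
    fields = {k: resolve_argument(v, creds)
              for k, v in conf[stanza["argument-stanza"]].items()}
    return stanza["login-form-action"], stanza["login-form-name"], fields, urlencode(fields)


if __name__ == "__main__":
    conf = load_fsso_conf(OWA_CONF)
    uri = "/owa/auth/logon.aspx?replaceCurrent=1&url=https%3a%2f%2fwebmail.blogspot.com%2fowa"
    print("matches login page:", login_page_matches(conf, uri))
    action, form, fields, body = build_login_post(conf, GSO_LOCKBOX)
    print("POST", action, "form", form)
    print(body)
```

The escaped question mark is the detail that trips people up: without the backslash, WebSEAL treats `?` as pattern syntax rather than the literal separator that starts OWA's query string, and the login page is never intercepted.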
After copying the contents into owa.conf, save the file on the WebSEAL
server. Next decide what type of junction to create for OWA. Consider the
requirement and the environment and choose one of the following options:
1. Transparent standard host junction.
2. Virtual host junction.
Transparent Standard host
junction
A transparent junction means that the junction name and the context root of
the application are exactly the same, here /owa, so request paths are passed
to the back end unchanged.
A standard host junction means that the application is reached through the
hostname that is configured and published for WebSEAL itself; the back-end
hostname does not appear in the client-facing URL. In other words, all
standard host junctions are accessed under one common name.
OWA, however, is commonly configured with a virtual hostname, meaning the
Exchange server must be addressed with that specific name. If that is the case,
use the same virtual hostname in the destination parameter of the [Argument]
stanza above and in the -v option of the junction creation command below.
Command to be used:
server task <server_name> create -t <ssl|tcp> -h <hostname or IP address of the Exchange server> -p <port> -x -S <path_to_owa.conf> -v <virtual hostname> /owa
e.g.:
server task localhost-webseal-default create -t ssl -h 10.10.10.10 -p 443 -x -S /opt/pdweb/etc/owa.conf -v webmail.blogspot.com /owa
If you wish to add one more server to the junction:
server task localhost-webseal-default add -h 10.10.10.11 -p 443 -v webmail.blogspot.com /owa
Where:
-x creates a transparent path junction.
-S names the Form SSO configuration file.
-v sets the virtual hostname for the server of the junction, which WebSEAL presents to the back end in the Host header.
If required, add the -s option to make the junction stateful, so that a
client's session stays on one server when multiple servers are added to the
same junction.
Virtual host junction
Whether to use virtual host junctions or standard host junctions depends
entirely on the customer's business requirement. If the requirement is that
only virtual host junctions are to be used for OWA, here is what you need to do.
Command to be used:
server task <server_name> virtualhost create -t <ssl|tcp> -h <hostname or IP address of the Exchange server> -p <port> -S <path_to_owa.conf> -v <virtual hostname> webmail
e.g.:
server task localhost-webseal-default virtualhost create -t ssl -h 10.10.10.10 -p 443 -S /opt/pdweb/etc/owa.conf -v webmail.mycompany.com webmail
Note that a virtual host junction has no -x option and no /owa path: the last
argument (webmail) is the junction label, and WebSEAL routes requests to it by
the Host header matching the -v value. The destination parameter in owa.conf
must use this same virtual hostname.
If you wish to add one more server to the junction:
server task localhost-webseal-default virtualhost add -h 10.10.10.11 -p 443 -v webmail.mycompany.com webmail
Note: If you are creating an SSL junction (whether a standard host or a
virtual host junction), you must import into the WebSEAL key database the root
certificate of the CA that signed the certificate issued to OWA; otherwise
WebSEAL cannot validate the back-end server certificate and the junction will
not come up. See the separate post on how to add a back-end server's
certificate to the WebSEAL key database.
In some cases you may also need to set a cookie for this SSO to work. The cookie is named PBack and its required value is 0, for example:
document.cookie = "PBack=0; Path=/owa;";
This script can be added to the page that is shown after login to WebSEAL succeeds, so that the cookie is present before WebSEAL submits the OWA login form.