Thursday 19 November 2015

IBM Security Access Manager (ISAM, TAM, WebSEAL) - FORM SSO with MS-Exchange OWA

Form Single Sign On with Microsoft Exchange Outlook Web Access (OWA) using GSO
In this post I describe the WebSEAL configuration for Form Single Sign-On (FSSO) to OWA using GSO (Global Sign-On) credentials.
WebSEAL needs the following FSSO configuration parameters to recognise the OWA login form and to know which values to submit in it. Save the following stanzas in a .conf file (for example owa.conf):
[forms-sso-login-pages]
login-page-stanza = webmail
[webmail]
login-page = /owa/auth/logon.aspx\?replaceCurrent=*
login-form-name = logonForm
gso-resource = <Name_Of_GSO_Resource>
argument-stanza = Argument
login-form-action = /owa/auth.owa
[Argument]
destination = string:https://webmail.blogspot.com/owa
flags = string:4
forcedownlevel = string:0
username = gso:username
password = gso:password
passwordText = string:
isUtf8 = string:1
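The most common reason a WebSEAL form SSO silently fails is that the stanza above no longer matches the form Exchange actually serves: the pattern in login-page does not match the URI, the form name or action changed, or an argument name differs in case. The Python check below, an added example and not code from the original post, loads owa.conf, parses the logon form and reports any such mismatch; it also flags a password field whose value comes from a string: literal instead of gso:, since credentials belong in the GSO lockbox, not in a file on the WebSEAL server. The form markup is a constructed stand-in for logon.aspx and OWA-GSO is an assumed resource name; the wildcard rules for login-page (* for any run of characters, ? for one character, backslash to make the next character literal) are WebSEAL's pattern syntax.

```python
import configparser
import re
from html.parser import HTMLParser

# Constructed stand-in for the OWA logon page WebSEAL fetches from Exchange
# (field names as in the post's Argument stanza; not a real OWA build's markup).
SAMPLE_LOGON_FORM = """
<form action="/owa/auth.owa" method="POST" name="logonForm">
  <input type="hidden" name="destination" value="https://webmail.blogspot.com/owa">
  <input type="hidden" name="flags" value="0">
  <input type="hidden" name="forcedownlevel" value="0">
  <input type="text" name="username">
  <input type="password" name="password">
  <input type="hidden" name="passwordText" value="">
  <input type="hidden" name="isUtf8" value="1">
</form>
"""

# The owa.conf from the post ("OWA-GSO" is an assumed GSO resource name).
# Keys stay in column 0: configparser reads indented lines as continuations.
OWA_CONF = r"""
[forms-sso-login-pages]
login-page-stanza = webmail
[webmail]
login-page = /owa/auth/logon.aspx\?replaceCurrent=*
login-form-name = logonForm
gso-resource = OWA-GSO
argument-stanza = Argument
login-form-action = /owa/auth.owa
[Argument]
destination = string:https://webmail.blogspot.com/owa
flags = string:4
forcedownlevel = string:0
username = gso:username
password = gso:password
passwordText = string:
isUtf8 = string:1
"""

class FormParser(HTMLParser):
    """Record the action and the input fields (name -> type) of the named form."""
    def __init__(self, form_name):
        super().__init__()
        self.form_name, self.action, self.fields, self._in = form_name, None, {}, False

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "form":
            self._in = a.get("name") == self.form_name
            self.action = a.get("action") if self._in else self.action
        elif tag == "input" and self._in and a.get("name"):
            self.fields[a["name"]] = (a.get("type") or "text").lower()

    def handle_endtag(self, tag):
        self._in = self._in and tag != "form"

def webseal_pattern_to_regex(pattern):
    """login-page is a WebSEAL wildcard pattern: * matches any run, ? one
    character, and a backslash makes the next character literal (the \\?)."""
    out, i = [], 0
    while i < len(pattern):
        c = pattern[i]
        if c == "\\" and i + 1 < len(pattern):
            out.append(re.escape(pattern[i + 1]))
            i += 2
        else:
            out.append(".*" if c == "*" else "." if c == "?" else re.escape(c))
            i += 1
    return re.compile("^" + "".join(out) + "$")

def load_conf(text):
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    cp.optionxform = str  # keep key case: OWA field names are case-sensitive
    cp.read_string(text)
    return cp

def check_fsso(conf_text, form_html, request_uri):
    """Compare owa.conf with the logon form; an empty list means they agree."""
    cp = load_conf(conf_text)
    login = cp[cp["forms-sso-login-pages"]["login-page-stanza"]]
    form = FormParser(login["login-form-name"])
    form.feed(form_html)
    findings = []
    if not webseal_pattern_to_regex(login["login-page"]).match(request_uri):
        findings.append(f"login-page pattern does not match {request_uri}")
    if form.action != login["login-form-action"]:
        findings.append(f"form action {form.action!r} != login-form-action")
    args = cp[login["argument-stanza"]]
    for name, source in args.items():
        if name not in form.fields:
            findings.append(f"argument {name} is not a field of the form")
        elif form.fields[name] == "password" and not source.startswith("gso:"):
            findings.append(f"{name} is set from {source!r}; keep secrets in GSO, not owa.conf")
    for name, typ in form.fields.items():
        if name not in args and typ != "hidden":
            findings.append(f"visible field {name} has no Argument entry")
    return findings
```

To run it against the real environment, replace SAMPLE_LOGON_FORM with the HTML of logon.aspx fetched directly from the Exchange server (not through WebSEAL, which would already be intercepting it) and pass the URI, including the query string, that the browser is redirected to; do this again after any Exchange update, since a changed form name or field breaks the SSO without any error on the WebSEAL side.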
Save owa.conf on the WebSEAL server. Next, decide what type of junction to create for OWA; depending on the requirements and the environment, choose one of the following options:
1. Transparent standard host junction.
2. Virtual host junction.
Transparent Standard host junction
A transparent junction is one whose junction name is the same as the application's context root, here /owa, so request URLs pass through WebSEAL unchanged.
A standard host junction means the application is reached through the hostname published for WebSEAL itself; the back-end is not tied to a particular hostname, so all standard junctions share WebSEAL's common name.
OWA, however, may be configured with a virtual hostname, in which case requests to the Exchange server must carry that specific hostname. If so, use that virtual hostname both in the destination parameter of the Argument stanza above and in the -v <virtual hostname> option of the junction command below.
Command to be used (in pdadmin)
server task <server_name> create -t <ssl|tcp> -h <hostname or IP address of the Exchange server> -p <port> -x -S <path_to_owa.conf> -v <virtual hostname> /owa
e.g.:
server task localhost-webseal-default create -t ssl -h 10.10.10.10 -p 443 -x -S /opt/pdweb/etc/owa.conf -v webmail.blogspot.com /owa
If you wish to add one more server to the junction:
server task localhost-webseal-default add -h 10.10.10.11 -p 443 -v webmail.blogspot.com /owa
Where
-x creates a transparent path junction
-S names the Form SSO configuration file
-v sets the virtual hostname that WebSEAL sends to the junctioned server in the Host header
If required, use the -s option to create a stateful junction when several servers are added to the same junction and a user's session must stay with one of them.
Virtual host junction
Whether to use virtual host junctions or standard junctions is up to the customer's business requirements. If the requirement is that only virtual host junctions are used for OWA, here is what you need to do. A virtual host junction is selected by the Host header of the incoming request, so DNS for the virtual hostname must resolve to WebSEAL and, for HTTPS, the WebSEAL server certificate must cover that name.
Command to be used (in pdadmin)
server task <server_name> virtualhost create -t <ssl|tcp> -h <hostname or IP address of the Exchange server> -p <port> -S <path_to_owa.conf> -v <virtual hostname> webmail
e.g.:
server task localhost-webseal-default virtualhost create -t ssl -h 10.10.10.10 -p 443 -S /opt/pdweb/etc/owa.conf -v webmail.mycompany.com webmail
If you wish to add one more server to the junction:
server task localhost-webseal-default virtualhost add -h 10.10.10.11 -p 443 -v webmail.mycompany.com webmail
Note: if you create an SSL junction (standard or virtual host), you must import the root certificate of the CA that signed the OWA server's certificate into the WebSEAL key database; otherwise WebSEAL cannot verify the OWA server's certificate and the junction will not serve requests. Adding a back-end server's CA certificate to the WebSEAL key database is covered in a separate post.


In some cases the SSO does not complete unless OWA also receives a cookie named PBack with the value 0. Set it like this:

// Give OWA the PBack cookie it expects, scoped to the /owa junction path
document.cookie = "PBack=0; Path=/owa;";

This script can be added to the page that is shown after the WebSEAL login succeeds, so that the cookie is already in the browser when the user is redirected to /owa.

2 comments:

  2. I really appreciate the information shared above. It's of great help. If someone wants to learn online (virtual) instructor-led live training in IBM ISAM, kindly contact us http://www.maxmunus.com/contact
    MaxMunus offers world-class virtual instructor-led training on IBM ISAM. We have industry expert trainers. We provide training material and software support. MaxMunus has successfully conducted 100000+ trainings in India, USA, UK, Australia, Switzerland, Qatar, Saudi Arabia, Bangladesh, Bahrain and UAE etc.
    For a demo contact us.
    Nitesh Kumar
    MaxMunus
    E-mail: nitesh@maxmunus.com
    Skype id: nitesh_maxmunus
    Ph:(+91) 8553912023
    http://www.maxmunus.com/