By Madan Ranganath and Marina Sum, September 5, 2007; updated: October 1, 2007
In Part 1 of this series, you saw how to extend authentication with Sun Java System Access Manager (henceforth, Access Manager) with Policy Agents. In Part 2, you learned how to integrate Microsoft SharePoint Portal Server with Access Manager for SSO.
Part 3 continues the integration story for SSO, this time with Microsoft Outlook Web Access (henceforth, OWA) and Access Manager. Afterward, once users have authenticated with Access Manager, they can perform email tasks in their Inbox in OWA without having to log in again.
Contents
- Authentication for OWA
- Deployment of Policy Agent for OWA
- Installation and Configuration
- Appendix A: Procedure for Configuring Earlier Access Manager Releases and Access Manager 7.1
- Appendix B: Procedure for Obtaining the Cookie Domain Name
Authentication for OWA
In an OWA deployment, you can configure in the Microsoft Internet Information Services (IIS) Administration Console any authentication mechanism supported by IIS. The authentication choices are Basic, Digest, Windows Integrated, and Anonymous. The current OWA Agent supports basic authentication only. For tighter security, you can configure basic authentication with Secure Sockets Layer (SSL). Basic authentication is supported by most Web browsers.
Figure 1 shows the Authentication Methods dialog box in the IIS Administration Console. Just select "Basic authentication (password is sent in clear text)" and click OK.
In the absence of the OWA Agent, when you access OWA at /exchange, the OWA login screen is displayed. See Figure 2.
After successful authentication, OWA displays the user1 Inbox. Figure 3 is an example.
Deployment of Policy Agent for OWA
The OWA Agent enables SSO for OWA with all the applications configured in Access Manager. When a user accesses OWA, its Agent displays an Access Manager login screen. Once authenticated, the user can access all the applications that are secured by Access Manager.
To deploy the OWA Agent, first configure a post-authorization plug-in, ReplayPasswd, with Access Manager (see the next section). An encryption key is shared between Access Manager and the OWA Agent.
Here is what transpires behind the scenes:
ReplayPasswd encrypts the password with the shared key and stores the encrypted data in the Access Manager session, whose ID is then set in a special cookie in the form of an SSO Token ID.
You must synchronize the user passwords in the Access Manager data store with those of OWA for Exchange Server. If the OWA user accounts are stored in Active Directory, you can configure Access Manager to use the same Active Directory as the data store and avoid having to synchronize passwords in two different LDAP servers.
Installation and Configuration
Before installing the OWA Agent, first configure Access Manager.
Configuring Access Manager
Important: Be sure to install Java 2 Platform, Standard Edition (J2SE platform) 1.4 or a later version.
Included in Access Manager 7.0 Patch 5 onward, except Access Manager 7.1, are ReplayPasswd.java, a plug-in, and DESGenKey.java, a key generator.
Note: For the procedure on how to configure the plug-in in earlier patches and generate the shared key, see Appendix A.
To configure ReplayPasswd.class as a post-authorization plug-in, follow steps 1-5 below.
Next, generate the shared key and add it, together with the LDAP attribute, to the Access Manager configuration:
Change to Access Manager's lib directory (/opt/SUNWam/lib by default) and execute DESGenKey. Type (all on one line):
# java -classpath /opt/SUNWam/lib/am_services.jar:/opt/SUNWam/lib/am_sdk.jar:/opt/SUNWam/lib/servlet.jar com.sun.identity.common.DESGenKey
Key ==> bTGKXVs3WEk=
Set the com.sun.am.replaypasswd.key property in the Access Manager configuration to the generated key and enable OWA support:
com.sun.am.replaypasswd.key = bTGKXVs3WEk=
com.sun.am.iis_owa_enabled = true
Installing and Configuring the OWA Agent
First, install and configure the OWA Agent by following steps 1-7 in the section Installing and Configuring the SharePoint Agent in Part 2 of this series.
Creating a Timeout Page for Local Idle Sessions
Next, create a timeout page for local idle sessions:
In IIS, define the site's port number as 444.
Create the timeout page under C:\Inetpub\test with the following content. The page extracts the original OWA target from the owagoto query parameter and redirects the browser to the Access Manager login page with that target as the goto value:
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<%
' owagoto carries the URL the user was trying to reach when the session timed out.
redirectvalue = Request.QueryString("owagoto")
' If OWA wrapped it in owalogon.asp?url=...&reason=..., unwrap the inner URL.
posn = InStr(redirectvalue, "owalogon.asp?url=")
If (posn > 1) Then
    str2 = Split(redirectvalue, "owalogon.asp?url=")
    str3 = Split(str2(1), "&reason")
    redirectvalue = str3(0)
End If
%>
<meta http-equiv="Refresh" content="0;url=https://<Access_Manager_hostname>:<Access_Manager_portnumber>/amserver/UI/Login?goto=<%=redirectvalue%>">
</head>
</html>
Modifying the Logoff Page
To ensure that logouts are handled correctly, update the logoff page (logoff.asp) as follows:
Replace the contents of logoff.asp with the following. The page expires the OWA authentication cookie for the whole cookie domain and then redirects to the Access Manager logout page, so that both the OWA and the Access Manager sessions end:
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<%
' Overwrite owaAuthCookie with an already expired value so the browser drops it.
Response.Cookies("owaAuthCookie").Domain = ".iplanet.com"
Response.Cookies("owaAuthCookie").Path = "/"
Response.Cookies("owaAuthCookie") = "owaValue"
Response.Cookies("owaAuthCookie").Expires = "July 1, 1995"
%>
<meta http-equiv="Refresh" content="0;url=https://<Access_Manager_hostname>:<Access_Manager_portnumber>/amserver/UI/Logout?goto=https%3A%2F%2F<OWA_hostname>%3A<OWA_portnumber>%2F">
</head>
</html>
Replace .iplanet.com with the appropriate domain name for the cookies. See Appendix B for the procedure on how to obtain the domain name from the Access Manager Administration Console.
Finally, update the AMAgent.properties file as follows:
com.sun.am.policy.agents.config.iis.owa_enabled = true
com.sun.am.policy.agents.config.iis.owa_enabled_session_timeout_url = https://OWA_hostname
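The shared key printed by DESGenKey is the secret that ties ReplayPasswd to the OWA Agent, so it is worth validating what lands in the configuration before deploying. The following Python script is an added example, not part of the article or of Access Manager; it checks the key line from the Configuring Access Manager section and the OWA flags in AMAgent.properties against constructed sample text, and assumes, as the sample output suggests, that DESGenKey prints a base64-encoded 8-byte DES key.

```python
import base64

# Added example (not from the article); sample property text is constructed from its values.
AM_PROPS = """\
com.sun.am.replaypasswd.key = bTGKXVs3WEk=
com.sun.am.iis_owa_enabled = true
"""
AGENT_PROPS = """\
com.sun.am.policy.agents.config.iis.owa_enabled = true
com.sun.am.policy.agents.config.iis.owa_enabled_session_timeout_url = https://OWA_hostname
"""
# The four DES weak keys (FIPS 74), parity bits included.
DES_WEAK_KEYS = {bytes.fromhex(h) for h in (
    "0101010101010101", "fefefefefefefefe", "e0e0e0e0f1f1f1f1", "1f1f1f1f0e0e0e0e")}

def parse_props(text):
    # Minimal Java-properties reader: 'key = value' lines, '#' comments skipped.
    props = {}
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#"):
            key, _, value = line.partition("=")
            props[key.strip()] = value.strip()
    return props

def check_des_key(b64key):
    # Returns a list of problems with a DESGenKey-style key; an empty list means OK.
    try:
        raw = base64.b64decode(b64key, validate=True)
    except ValueError:
        return ["key is not valid base64"]
    if len(raw) != 8:
        return [f"expected 8 key bytes, got {len(raw)}"]
    problems = []
    # A DES key generator sets odd parity on every byte; even parity means hand-typed or corrupted.
    if any(bin(b).count("1") % 2 == 0 for b in raw):
        problems.append("a key byte has even parity")
    if raw in DES_WEAK_KEYS:
        problems.append("key is a DES weak key")
    return problems

def check_owa_config(am_text, agent_text):
    # Cross-check the Access Manager and AMAgent.properties settings for OWA.
    am, agent = parse_props(am_text), parse_props(agent_text)
    problems = check_des_key(am.get("com.sun.am.replaypasswd.key", ""))
    if am.get("com.sun.am.iis_owa_enabled") != "true":
        problems.append("com.sun.am.iis_owa_enabled is not true")
    if agent.get("com.sun.am.policy.agents.config.iis.owa_enabled") != "true":
        problems.append("agent owa_enabled is not true")
    return problems
```

The key shown in the article is a published sample; generate your own with DESGenKey rather than copying it, and keep the file that holds it readable only by the Access Manager and agent processes.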
To test the setup:
OWA displays the user1 Inbox (see Figure 7) instead of the OWA login screen (as shown in Figure 2), a testament that SSO is in action.
Appendix A: Procedure for Configuring Earlier Access Manager Releases and Access Manager 7.1
For any release that is earlier than Access Manager 7.0 Patch 5 and for Access Manager 7.1, ReplayPasswd.java and DESGenKey.java are shipped separately. You must compile the two files and ensure that their class files are in Access Manager's lib directory (/opt/SUNWam/lib by default), as follows:
Compile ReplayPasswd.java and DESGenKey.java by typing (all on one line):
# javac -classpath Access_Manager_install_dir/lib/servlet.jar ReplayPasswd.java DESGenKey.java
For example:
# javac -classpath /opt/SUNWam/lib/am_services.jar:/opt/SUNWam/lib/am_sdk.jar:/opt/SUNWam/lib/servlet.jar ReplayPasswd.java DESGenKey.java
Change to the lib directory of the Access Manager installation, where the class files reside, and type:
# java DESGenKey
Note: On the Solaris and Linux platforms, the class files must reside in Access Manager's lib directory; in Windows, in the WEB-INF\classes subdirectory of Access Manager's
Appendix B: Procedure for Obtaining the Cookie Domain Name
To obtain the name of the cookie domain:
Thanks to the OWA Agent, when multiple applications, such as email and calendar, are all interacting with Access Manager, enabling SSO for them takes only a few steps. Try it out yourself!