How can I SSO enable web applications without the wizard?

  • 7940231
  • 19-Aug-2009
  • 16-Jan-2014

Environment

SecureLogin
SecureLogin SSO
All Versions

Situation

Question

How can I SSO enable web applications without the wizard?

Resolution

Answer

Note: The general rules and guidelines contained in this document apply to all web applications. All web sites are different so you may have to "play around" before finding the best solution. You can use the wizard to generate web scripts or add them manually using full or partial URL names (most organizations typically use partial URL names).

When you install SecureLogin, a number of components are installed, including the web SSO module (IESSO.DLL in v3.5 and later, websso.dll in earlier versions) and the browser helper object. Assuming web SSO is active and running (you can optionally disable it), a web application definition triggers when the application name defined in SecureLogin is found in the URL.

You can either add the application name as a full URL so the application definition will only trigger when the full URL exists in the address, or part of the URL so it triggers whenever the partial URL exists in the address.

For example, a web script added with the name "yahoo" would trigger for any URL with "yahoo" in the name. The addresses www.yahoo.com, mail.yahoo.com and mail.yahoo.co.uk would all run the script and check whether logon (or some other process) is required.

If you specify a full URL such as mail.yahoo.com, SSO will only execute if the full URL (or URLs that contain that web address in the name) exists. Partial names are used to include all web site processes in one script.

Instead of writing a separate definition for each of mail.yahoo.com/logon.htm, mail.yahoo.com/changepassword.htm and mail.yahoo.com/locked.htm, you should create one application definition named mail.yahoo that handles everything. Any site with mail.yahoo in the URL would trigger SSO.
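
The matching rule described above can be modelled to review a definition name before it is deployed. The following Python example is added here and is not SecureLogin code or part of the original article; the function names, the case-insensitive comparison and the sample URLs are assumptions made for illustration. It lists which addresses a partial name such as mail.yahoo matches and marks those whose host lies outside the domains the definition was written for.

```python
from urllib.parse import urlsplit


def triggers(definition_name, url):
    """Trigger rule as described above: the definition name appears anywhere
    in the address. Case-insensitive comparison is an assumption."""
    return definition_name.lower() in url.lower()


def host_in_domains(url, expected_domains):
    """True when the URL's host equals, or is a subdomain of, an expected domain."""
    host = (urlsplit(url).hostname or "").lower()
    return any(host == d.lower() or host.endswith("." + d.lower())
               for d in expected_domains)


def audit(definition_name, expected_domains, urls):
    """Map each URL to 'no-trigger', 'expected' or 'unexpected'.

    'unexpected' means the name matches the address but the host is not one
    the definition was written for, so the definition needs a longer name or
    an explicit URL check before it types credentials."""
    report = {}
    for url in urls:
        if not triggers(definition_name, url):
            report[url] = "no-trigger"
        elif host_in_domains(url, expected_domains):
            report[url] = "expected"
        else:
            report[url] = "unexpected"
    return report


# Constructed sample addresses (not from the original page).
SAMPLE_URLS = [
    "https://mail.yahoo.com/logon.htm",
    "https://mail.yahoo.com/changepassword.htm",
    "https://mail.yahoo.co.uk/",
    "https://mail.yahoo.example.net/logon.htm",
    "https://portal.example.org/redirect?to=mail.yahoo.com",
    "https://intranet.example.org/home",
]

if __name__ == "__main__":
    domains = ("yahoo.com", "yahoo.co.uk")
    for url, verdict in audit("mail.yahoo", domains, SAMPLE_URLS).items():
        print(f"{verdict:<11} {url}")
```

Inside a definition, the GetURL command described later in this article reads the address into a variable that the script can test before typing credentials.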

Once SecureLogin has read the URL and triggered, it reads text off the screen and checks if it matches any text in the definition. The following section reads the text and then provides an example for searching for strings.

#==============================================#
# Invalid Password                             #
# Prompt the user to verify it and retry logon #
#==============================================#
If -Text "Invalid Password"
DisplayVariables "The password for this User ID: is invalid. Please verify your password and try again." $Password
Type $Username #1
Type $Password #2
Submit
EndIf
#==============================================#
# Logon                                        #
# Enter the stored credentials and submit      #
#==============================================#
If -Text "Login for access"
Type $Username #1
Type $Password #2
Submit
EndIf

Script Flow

Web application definitions flow from top to bottom. SecureLogin should only attempt logon if no errors exist on the page. If errors exist, they should be resolved before attempting or retrying logon. Scripting for all error messages should appear at the top of the application definition and logon should be at the bottom.

In the example above, on the Yahoo demo mail site, the text "Login for access" appears on the logon page so we can search for it to make sure we are at the logon page. However, if an invalid password is entered, the error message "Invalid Password" will appear on the same page as the text "Login for access". SecureLogin would be able to see both strings of text, so the order is extremely important.

Whichever text appears higher in the script will execute first if both sets of text appear. If the search for the "Login for access" text for logon was at the top of the script, the script would see the text and keep trying to execute that part of the script without correcting the failed password.

However, if the error appears first, SecureLogin can be scripted to resolve the error before continuing. It would only try logon if no other text you specify, such as error messages or change password messages, appears on the web page.

Looping Scripts

Some sites "loop". For example, in some applications, if a user clicks logout, they are taken back to the login page. SecureLogin simply sees the login page and logs back on. If you don’t wish to log back on, you can typically detect the word logout (for example) either as text on the screen or in the URL.

To prevent looping, once you have detected the text or URL change, you can advise the user they have been logged out and use GoToURL to redirect them to the Intranet home page or simply end the script using EndScript, whichever you prefer.

#===========================================================# 
# Reads the URL from the web page and set to temp variable # 
#===========================================================# 
GetURL ?YahooURL

# Troubleshooting only: display the URL that was read
MessageBox ?YahooURL

If "Logout" -In ?YahooURL
GoToURL "http://Intranet"
EndScript
EndIf

The GetURL command reads the URL of all loaded frames and pages and saves it to a temporary variable.

If the word "Logout" exists in the URL when the user logs off, this section of the script will run and prevent looping.

Invalid Username or Invalid Password

Some sites return a different error depending on whether the User ID or Password is invalid. They will typically only be invalid if a user stores them incorrectly when they are first prompted to do so (since SecureLogin remembers them and changes them etc.).

If an application displays different messages depending on whether the User ID or password is invalid, you should script the definition to display only the invalid credential. SecureLogin can read the "Invalid Password" message and prompt the user with only the password displayed, by placing $Password at the end of the DisplayVariables command, as follows:

DisplayVariables "Your Password is invalid. Please verify it and click OK to retry logon" $Password

Other Useful Tips

* All web sites are different, so you will have to design your script based on the web site's behavior. Most sites will attempt logon using Submit, Type "\N" (presses the Enter key), or Click #1. You can also execute the JavaScript on sites that use it, which is often very useful. For example, the following command might click the save button on a site where the other commands won’t work:

GoToURL "javascript:submitAction_win0(document.win0, '#ICSave')"

Often the JavaScript command is available by viewing the source of the page or viewing the helper information in the bottom left-hand corner of the browser window with the mouse over the desired button (or talk to the application owner).

* The following command selects the back button on Internet Explorer.

GoToURL "javascript:window.history.back(-1)"

There are a number of other useful commands to help you enable web sites, including GetURL to read the URL and save it to a temporary variable (e.g. if the URL changes to include the keyword logout after you click the logout button, you can read it and redirect the user to the Internet home page using GoToURL).

Advanced Commands

There are a number of advanced commands to help you enable web sites, including the ability to read forms and set them up like Dialog/EndDialog statements in Windows scripts.

Scripting in this way can help speed up your script and identify more precisely the forms and pages you want a web script to trigger on. For example:

Tag "Form"
Attribute "Name" "Login"
EndTag
MessageBox "Hey, you will only see this message if the defined form is on the page!"
Type $Username #1
Type $Password #2
Submit

More Help

More help can be obtained in the knowledgebase, in the product manuals (e.g. Application Definition Guide) or by contacting Technical Support.

When you contact support, include version information (Workstation OS and service pack, version of IE, version of SecureLogin) and screen shots of the web site you wish to SSO enable.

The prebuilt application definitions (e.g. Yahoo) provide examples of web application definitions.