I am trying to use UAG to achieve single sign-on across 3 externally published applications. One is SharePoint and fully AD integrated, the others are two custom Java/J2EE applications which are not AD aware.
In short, what I want to accomplish is to insert an HTTP request header simply containing the authenticated username to the non-AD applications. I am aware of the security concerns around this approach.
There are some resources out on the web about how to do this; it clearly seems like it is a use case that UAG targets and supports.
After quite a bit of troubleshooting, I have it very very close to working, but have hit a final and significant stumbling block.
My setup is that I have a custom PostPostValidate script which simply inserts user_name1 into Hybrid_WhlStatusFlagY. I have verified that this is working, by using the web monitor to monitor session data, and also using logging to track the execution of the script.
I also have a WrapApp configuration that inserts the status flag into a header for my application. I have verified that this works by sending hardcoded test values.
After extensive debugging, I have discovered that:
- User goes to the root homepage, and hits the login form. After authenticating, they are forwarded to the homepage of the custom application.
- In this scenario, PostPostValidate fires twice. The first time, when they hit the login form, and they have a null username, because they have not yet authenticated. It then fires again after they have successfully authenticated, and now username is populated.
- Basically, it appears that if the username is not known when PostPostValidate fires for the first time, which it will not be since the user has not yet logged in, then the value of the HTTP Header will NOT be updated when PostPostValidate is fired for a second time. By using the web monitor I can verify that the session data HAS been updated, but the value of the HTTP header has not been.
To rephrase the problem, you can construct a test PostPostValidate script such as:
```vbscript
<%
If Session("user_name1") <> "" Then
    SetSessionParamWithType g_cookie, "Hybrid_WhlStatusFlagY", "Logged In", "Filter"
Else
    SetSessionParamWithType g_cookie, "Hybrid_WhlStatusFlagY", "Not Logged In", "Filter"
End If
%>
```

Using the Web Monitor to examine session data, you can verify that the flag in the session object has value "Logged In", but the value that is sent in the HTTP header is "Not Logged In".
What am I missing? Is there a way to prevent PostPostValidate from firing before the user has actually authenticated? Is there a way to force the HTTP Header to update the second time PostPostValidate fires?
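The security concern the question acknowledges is that a backend which reads the username from a request header will accept whatever value arrives, so the header must only be honoured when it provably came from the gateway. The following is an added example (not from the post and not UAG code) showing a backend-side check in Python: the identity header is accepted only from an allowlisted gateway network and only with a fresh HMAC that binds the username to an issue time. Everything here is an assumption for illustration: the header names (`X-Authenticated-User`, `X-Authenticated-User-Sig`), the gateway network `10.0.0.0/24`, the shared key, and the HMAC scheme itself, which is a stand-in for whatever the real gateway can be configured to emit. The `gateway_add_identity_headers` function simulates the gateway side so the block runs offline.

```python
import hashlib
import hmac
import time
from ipaddress import ip_address, ip_network

# Assumed header names: the post never names the header the gateway inserts.
USER_HEADER = "x-authenticated-user"
SIG_HEADER = "x-authenticated-user-sig"

# Constructed sample values for this example only.
SHARED_KEY = b"example-shared-secret-not-for-production"
TRUSTED_PROXIES = [ip_network("10.0.0.0/24")]  # assumed gateway network
MAX_AGE = 300  # seconds a signed identity header stays valid


def _normalize(headers):
    """Header names are case-insensitive; compare on lowercase keys."""
    return {k.lower(): v for k, v in headers.items()}


def _sign(username, issued_at, key):
    msg = f"{username}|{issued_at}".encode()
    return hmac.new(key, msg, hashlib.sha256).hexdigest()


def gateway_add_identity_headers(headers, username, key=SHARED_KEY, now=None):
    """Stand-in for the gateway after a successful login: adds the username
    and a signature over username|issued_at. Returns a new header dict."""
    issued_at = int(now if now is not None else time.time())
    out = dict(headers)
    out[USER_HEADER] = username
    out[SIG_HEADER] = f"{issued_at}:{_sign(username, issued_at, key)}"
    return out


def resolve_user_naive(headers):
    """The unguarded pattern: trust the header as-is. Anyone who can reach the
    backend directly can pick their own username."""
    return _normalize(headers).get(USER_HEADER) or None


def resolve_user(headers, remote_addr, key=SHARED_KEY, now=None,
                 trusted_proxies=TRUSTED_PROXIES, max_age=MAX_AGE):
    """Hardened: honour the header only from a trusted proxy address, and only
    when the signature verifies and the issue time is fresh. Returns None on
    any failure so the app falls back to an unauthenticated state."""
    if not any(ip_address(remote_addr) in net for net in trusted_proxies):
        return None
    h = _normalize(headers)
    username = h.get(USER_HEADER)
    sig_value = h.get(SIG_HEADER)
    if not username or not sig_value or ":" not in sig_value:
        return None
    issued_str, sig = sig_value.split(":", 1)
    if not issued_str.isdigit():
        return None
    issued_at = int(issued_str)
    current = int(now if now is not None else time.time())
    # Reject stale signatures (replay window) and clocks too far in the future.
    if current - issued_at > max_age or issued_at > current + 60:
        return None
    if not hmac.compare_digest(sig, _sign(username, issued_at, key)):
        return None
    return username


if __name__ == "__main__":
    legit = gateway_add_identity_headers({"Host": "app.example"}, "alice", now=1_000_000)
    print(resolve_user(legit, "10.0.0.5", now=1_000_100))            # alice
    print(resolve_user_naive({USER_HEADER: "admin"}))                 # admin (spoofable)
    print(resolve_user({USER_HEADER: "admin"}, "203.0.113.9", now=1_000_100))  # None
    tampered = dict(legit)
    tampered[USER_HEADER] = "admin"
    print(resolve_user(tampered, "10.0.0.5", now=1_000_100))         # None (bad HMAC)
    print(resolve_user(legit, "10.0.0.5", now=1_000_301))            # None (expired)
```

The source-address check on its own is only as good as the network path: if the Java applications are reachable by any route other than the gateway, the signature is what actually stops a forged header, and the gateway must also strip any inbound copy of these headers before adding its own.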