Problem with using PostPostValidate to insert headers to published application for SSO [PostPostValidate fires twice]

I am trying to use UAG to achieve single sign-on across 3 externally published applications.  One is SharePoint and fully AD integrated, the others are two custom Java/J2EE applications which are not AD aware.

In short, what I want to accomplish is to insert a HTTP request header simply containing the authenticated username to the non-AD applications. I am aware of the security concerns around this approach.

There are some resources out on the web about how to do this; it clearly seems like it is a use case that UAG targets and supports.

After quite a bit of troubleshooting, I have it very very close to working, but have hit a final and significant stumbling block.

My setup is that I have a custom PostPostValidate script which simply inserts user_name1 into Hybrid_WhlStatusFlagY. I have verified that this is working, by using the web monitor to monitor session data, and also using logging to track the execution of the script.

I also have a WrapApp configuration that inserts the status flag into a header for my application. I have verified that this works by sending hardcoded test values.

After extensive debugging, I have discovered that:

  • User goes to the root homepage, and hits the login form. After authenticating, they are forwarded to the homepage of the custom application.
  • In this scenario, PostPostValidate fires twice. The first time, when they hit the login form, and they have a null username, because they have not yet authenticated. It then fires again after they have successfully authenticated, and now username is populated.
  • Basically, it appears that if the username is not known when PostPostValidate fires for the first time, which it will not be since the user has not yet logged in, then the value of the HTTP Header will NOT be updated when PostPostValidate is fired for a second time. By using the web monitor I can verify that the session data HAS been updated, but the value of the HTTP header has not been.

To rephrase the problem, you can construct a test PostPostValidate script such as:

<%
if Session("user_name1") <> "" Then
  SetSessionParamWithType g_cookie, "Hybrid_WhlStatusFlagY", "Logged In", "Filter"
Else
  SetSessionParamWithType g_cookie, "Hybrid_WhlStatusFlagY", "Not Logged In", "Filter"
End If
%>

Using the Web Monitor to examine session data, you can verify that the flag in the session object has value "Logged In", but the value that is sent in the HTTP header is "Not Logged In".


What am I missing? Is there a way to prevent PostPostValidate from firing before the user has actually authenticated? Is there a way to force the HTTP Header to update the second time PostPostValidate fires?

October 4th, 2013 4:25pm

Hello Ben,

1. As for the double PostPostValidate invoked - Do you happen to use RemoteApp in your portal with SSO? The RemoteApp SSO process happens in the login phase and may invoke the validate page in order to convert the user to a full username. If you are using RemoteApp with SSO, try disabling the SSO (just for test) and see if this changes the behavior.

2. As for the solution itself, I think that for what you are trying to achieve ("In short, what I want to accomplish is to insert a HTTP request header simply containing the authenticated username to the non-AD applications") you can use a much simpler way. Please check the following IAG article:

http://technet.microsoft.com/en-us/library/dd278103.aspx

And specifically check the section: "Configuring authorization key value" ...

This should also work the same way in UAG, and it is much simpler to implement, if I understood your need correctly.

Basically, you just need to provide in the application's GUI (under "Web Settings" tab, check "Authorization Key") the HTTP header name you want to use, and then in PostPostValidate.inc place something like:

SetSessionResourceParam g_cookie,"<Application_ID>","RWSAuthorization",user_name

And you are done... If I'm wrong, then I apologize for this.

Hope this helps,

Ophir Polotsky.

  • Marked as answer by Ben Eirich 13 hours 41 minutes ago
October 7th, 2013 1:48pm

Hi Ophir,

Thank you very much for your response.  I did finally get it to work utilizing the "Authorization Key Value" method that you linked.

I had actually tried this method before the AppWrap method and was not able to get it to work. But going back to it now, I had a hunch, and I tried:

<%
if Session("user_name1") <> "" Then
  SetSessionResourceParam g_cookie, "<app Id>","RWSAuthorization",Session("user_name1")
End If
%>

With the IF block, this works. Without the IF block, the header did not appear, presumably due to the issue with the PostPostValidate.inc firing twice.  That is still weird and something I would like to investigate further, but in any case, my immediate problem is solved.

Thanks again!

October 7th, 2013 5:20pm
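
Added example (not part of the thread and not either poster's code): how a back-end Java application could check the username header before trusting it, so that an empty pre-login value, a placeholder string, a repeated header, or a request that did not come through the gateway is treated as unauthenticated. The gateway address, the username pattern and the class and method names are assumptions made for illustration.

```java
import java.util.List;
import java.util.Optional;
import java.util.Set;
import java.util.regex.Pattern;

public class GatewayIdentity {
    // Assumption: internal address of the UAG server as the application sees it (placeholder).
    static final Set<String> TRUSTED_GATEWAYS = Set.of("192.0.2.10");
    // Assumption: account names look like "user" or "DOMAIN\user"; adjust to your directory.
    static final Pattern USERNAME =
        Pattern.compile("^(?:[A-Za-z0-9.-]{1,15}\\\\)?[A-Za-z0-9._-]{1,64}$");

    // peerAddr: TCP peer address, e.g. HttpServletRequest.getRemoteAddr().
    // headerValues: every value received for the identity header,
    // e.g. Collections.list(request.getHeaders(headerName)).
    static Optional<String> resolveUser(String peerAddr, List<String> headerValues) {
        // Only the gateway may assert an identity.
        if (peerAddr == null || !TRUSTED_GATEWAYS.contains(peerAddr)) return Optional.empty();
        // Exactly one value: a missing or repeated header is never treated as authenticated.
        if (headerValues == null || headerValues.size() != 1) return Optional.empty();
        String value = headerValues.get(0);
        if (value == null) return Optional.empty();
        value = value.trim();
        // Rejects the empty pre-login value and placeholder text such as "Not Logged In".
        if (!USERNAME.matcher(value).matches()) return Optional.empty();
        return Optional.of(value);
    }

    public static void main(String[] args) {
        String gw = "192.0.2.10";
        // Constructed sample requests: {peer address, header values}.
        System.out.println(resolveUser(gw, List.of("jsmith")));
        System.out.println(resolveUser(gw, List.of("")));
        System.out.println(resolveUser(gw, List.of("Not Logged In")));
        System.out.println(resolveUser(gw, List.of("jsmith", "other")));
        System.out.println(resolveUser("203.0.113.7", List.of("jsmith")));
    }
}
```

Only the first call yields a user; the address check complements, and does not replace, restricting network access to the application so that it is reachable only through the gateway.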

This topic is archived. No further replies will be accepted.