SharePoint 2010 FBA SSO /w APM Solution
Download: https://devcentral.f5.com/downloads...mLogin.zip
Not a short story: this solution was designed for a specific use case but has further-reaching potential. Initially I set out to have fallback abilities from a standard PKI to a Kerberos / AD authenticated SharePoint 2010 farm, with fallback to a secondary PKI to Kerberos AD forest, then to a username/password Forms Based solution (ASPNetMembership / SQL based). After digging around, the best I found was a thread on DevCentral stating we couldn't do Forms Based SSO to SharePoint (in 2010, once claims based or Forms authentication is implemented, the farm actually uses 'federated' authentication rather than the older style). SharePoint also has a habit of randomizing the form field IDs to something like username_3B94BA1C-101F-11E2-87E7-4B556188709B, and of adding a hidden field with the same format.
Use Case
The specific use case that led to the development of this solution was to provide fallback authentication when a user did not exist in any of the Active Directories configured in the environment, while using a single URL / namespace for all access. This configuration requires a Logon Page with Forms Based AAA and SSO profiles configured within APM.
Solution
This solution adds the following features to Forms Based Authentication in SharePoint 2010.
• Authenticate credentials through an HTTP Forms Based SSO profile and HTTP Forms Based AAA.
• Authenticate users by accepting credentials in QueryString format automatically.
• Authenticate users in the standard FBA method when not accessing through BIG-IP.
Deployment
STSADM
stsadm -o addsolution -filename c:\MC.SP2010.CustomLogon.wsp
stsadm -o deploysolution -name MC.SP2010.CustomLogon.wsp -url http://[ServerName] -allowgacdeployment -force -immediate
PowerShell
Add-SPSolution c:\MC.SP2010.CustomLogon.wsp
Install-SPSolution -Identity MC.SP2010.CustomLogon.wsp -AllWebApplications -GACDeployment
Enable-SPFeature MC.SP2010.CustomLogon -url http://[ServerName]/ -force
AAA Settings
SSO Settings
Variable Assign Requirement
iRule Requirements (not all of this is required; the certificate handling belongs to the PKI to Kerberos use case.)
when ACCESS_ACL_ALLOWED {
    # session.custom.noclientcert is expected to be set by the policy's Variable Assign
    # on the branch taken when no client certificate was presented (the forms fallback).
    if { [ACCESS::session data get session.custom.noclientcert] ne "" } {
        # Build the autologon query string from the APM logon page credentials.
        # URI::encode keeps a password containing "&", "=" or "%" intact in the query string.
        set autologon "&UserName=[URI::encode [ACCESS::session data get session.logon.last.username]]&password=[URI::encode [ACCESS::session data get session.logon.last.password]]"
        # SharePoint is addressed by its internal host name; HTTP_RESPONSE maps redirects back.
        HTTP::header replace "Host" "partners.f5lab.com"
        if { [HTTP::uri] starts_with "/_layouts/MCLogin.aspx?" } {
            # Log the matched URI only; logging $autologon would write the cleartext password to the LTM log.
            log local0. "URI Match: [HTTP::uri]"
            HTTP::uri "[HTTP::uri]$autologon"
        }
        WEBSSO::select SP_FBA_SSO
        WEBSSO::enable
    } else {
        # Certificate / Kerberos path: use the sAMAccountName returned by the LDAP query as the logon name.
        ACCESS::session data set session.logon.last.username [ACCESS::session data get "session.ldap.last.attr.sAMAccountName"]
    }
}
when ACCESS_POLICY_AGENT_EVENT {
    switch [ACCESS::policy agent_id] {
        "CERTPROC" {
            # Pull the UPN out of the certificate's subjectAltName otherName entry.
            # "othername:UPN<" is 14 characters long, so the value starts 14 characters past the match and ends at ">".
            if { [ACCESS::session data get session.ssl.cert.x509extension] contains "othername:UPN<" } {
                set tmpupn [findstr [ACCESS::session data get session.ssl.cert.x509extension] "othername:UPN<" 14 ">"]
                ACCESS::session data set session.custom.certupn $tmpupn
            }
        }
        "VAR" {
            # Fixed logon domain for the AD / Kerberos path.
            ACCESS::session data set session.logon.last.domain "F5LAB.LOCAL"
        }
    }
}
when HTTP_RESPONSE {
    # Rewrite redirects that SharePoint issues for its internal host name back to the published name.
    if { [HTTP::is_redirect] } {
        HTTP::header replace Location [string map {"partners.f5lab.com" "portal.f5lab.com"} [HTTP::header Location]]
    }
}
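An added example, written for this page rather than taken from the download above, that models two things the text describes in plain Python so they can be checked offline: locating SharePoint's GUID-suffixed field ids in a login form (the form HTML and its names are constructed, not captured from SharePoint), and building and parsing the autologon query string the iRule appends to MCLogin.aspx. The `encode=False` path reproduces the iRule's raw concatenation and shows why a password containing `&` or `=` is truncated by the query-string parser on the other side.

```python
import re
from urllib.parse import parse_qs, quote, urlsplit

# Constructed sample of a SharePoint 2010 FBA login form: the GUID suffix on the
# ids changes per page build, and a hidden input shares the same id format.
GUID = "3B94BA1C-101F-11E2-87E7-4B556188709B"
HIDDEN_GUID = "C0FFEE00-0000-4000-8000-000000000000"
SAMPLE_FORM = f"""
<form method="post" action="/_layouts/login.aspx">
  <input name="ctl00$signInControl$UserName" id="username_{GUID}" type="text" />
  <input name="ctl00$signInControl$password" id="password_{GUID}" type="password" />
  <input type="hidden" name="ctl00$signInControl$state" id="username_{HIDDEN_GUID}" />
</form>
"""

FIELD_RE = re.compile(
    r'<input\b[^>]*\bid="(?P<id>(?P<base>username|password)_[0-9A-F-]{36})"[^>]*>',
    re.IGNORECASE)

def find_randomised_fields(html):
    """Map the stable base ('username'/'password') to the GUID-suffixed id that
    SharePoint generated, ignoring hidden inputs that share the same format.
    A static Forms SSO profile keyed on a fixed id would miss these."""
    found = {}
    for m in FIELD_RE.finditer(html):
        if 'type="hidden"' in m.group(0).lower():
            continue
        found[m.group("base").lower()] = m.group("id")
    return found

def build_autologon(username, password, encode=True):
    """Return the '&UserName=...&password=...' suffix the iRule appends to the
    MCLogin.aspx URI. encode=False reproduces the iRule's raw concatenation."""
    enc = (lambda s: quote(s, safe="")) if encode else (lambda s: s)
    return f"&UserName={enc(username)}&password={enc(password)}"

def parse_autologon(uri):
    """Read the credentials back the way a query-string parser on the login
    page would (first value wins); None when either parameter is missing."""
    qs = parse_qs(urlsplit(uri).query, keep_blank_values=True)
    if "UserName" not in qs or "password" not in qs:
        return None
    return qs["UserName"][0], qs["password"][0]

if __name__ == "__main__":
    base = "/_layouts/MCLogin.aspx?ReturnUrl=%2fsites%2fpartners"
    for encode in (False, True):
        uri = base + build_autologon("jdoe", "p&ss=w0rd", encode)
        print(encode, parse_autologon(uri))
```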
Logon page users get when not accessing through BIG-IP (LTM+APM)