
Set up Forms Authentication rule manually

for the content protected by ADFS as an example

GSA release 7.6 introduces a new feature to create Forms Authentication rules manually using special markup syntax. This example shows how to create a rule for content protected by ADFS. The rule cannot be created using the wizard because ADFS pages use JavaScript which the wizard does not support.

Requests flow

  1. Unauthenticated user navigates to some protected content.
  2. Web application redirects user to ADFS login page.
  3. After successful authentication, the ADFS login page redirects the user back to the web application's trust URI. Inside this redirect (usually a POST) ADFS sends a special assertion.
  4. The web application parses the assertion and, if everything is correct and the user is allowed to see the requested content, redirects the user to the content.

Why not forms authentication wizard?

The GSA Forms authentication wizard does not support JavaScript. The default ADFS login page uses JavaScript to complete authentication, but because the wizard does not handle it properly, the rule has to be entered manually.

Here is what happens when the rule is created with the wizard:

Prerequisites

GSA must have release 7.6 or later. Before performing the next steps, review the GSA 7.6 Admin Console Content Sources > Web Crawl > Secure Crawl > Forms Authentication help page.

Step 1: Record HAR file

  1. Open Chrome or Firefox web browser in Incognito or Private mode.
  2. Press the F12 key to bring up the Inspector.
  3. Select the Network tab from the Inspector and check Preserve logs option.
  4. Navigate to a sample ADFS protected page. Page should redirect to the ADFS login page.
  5. Log in with the username/password. If entered correctly, the ADFS login page should redirect you back to the sample protected page.
  6. Right-click on the Inspector log panel and select Save as HAR with Content.

Step 2: Extract GET/POST actions from HAR file

The following utility can be used as a convenient way to view HAR: https://toolbox.googleapps.com/apps/har_analyzer/

  1. Open preferred text editor to save all actions for the rule.
  2. The first action should always be a request to your sample secure page. This page should redirect to the login form. In this example, this is the ADFS login page:

    Example of the first action:

    <https://esosp01.esodomain.local:444/SitePages/Test.aspx GET>

  3. Get the following GET requests in the same manner.

    Example from test HAR file:

    <https://esosp01.esodomain.local:444/_layouts/15/Authenticate.aspx?Source=%2FSitePages%2FTest%2Easpx GET>

    <https://esosp01.esodomain.local:444/_login/default.aspx?ReturnUrl=%2f_layouts%2f15%2fAuthenticate.aspx%3fSource%3d%252FSitePages%252FTest%252Easpx&Source=%2FSitePages%2FTest%2Easpx GET>

    <https://esosp01.esodomain.local:444/_trust/default.aspx?trust=OMEGA%20ADFS&ReturnUrl=%2f_layouts%2f15%2fAuthenticate.aspx%3fSource%3d%252FSitePages%252FTest%252Easpx&Source=%2FSitePages%2FTest.aspx GET>

    <https://omegadc01.omega.local/adfs/ls?wa=wsignin1.0&wtrealm=urn%3asharepoint%3aesosp01&wctx=https%3a%2f%2fesosp01.esodomain.local%3a444%2f_layouts%2f15%2fAuthenticate.aspx%3fSource%3d%252FSitePages%252FTest%252Easpx GET>

    Resources like CSS, pictures or JavaScript can be ignored.

  4. The next action is the first POST request. Be very precise when extracting POST requests; this data is actually used for the authentication:

    <https://omegadc01.omega.local/adfs/ls?wa=wsignin1.0&wtrealm=urn%3asharepoint%3aesosp01&wctx=https%3a%2f%2fesosp01.esodomain.local%3a444%2f_layouts%2f15%2fAuthenticate.aspx%3fSource%3d%252FSitePages%252FTest%252Easpx POST>

  5. Get all POST data parameters in the rule:

    <https://omegadc01.omega.local/adfs/ls?wa=wsignin1.0&wtrealm=urn%3asharepoint%3aesosp01&wctx=https%3a%2f%2fesosp01.esodomain.local%3a444%2f_layouts%2f15%2fAuthenticate.aspx%3fSource%3d%252FSitePages%252FTest%252Easpx POST
    =UserName=jsmith%40omega.local
    =AuthMethod=FormsAuthentication
    *=Password=your_password_here>

    You should use the *= operator for password fields.

  6. Continue with GET requests

    <https://omegadc01.omega.local/adfs/ls?wa=wsignin1.0&wtrealm=urn%3asharepoint%3aesosp01&wctx=https%3a%2f%2fesosp01.esodomain.local%3a444%2f_layouts%2f15%2fAuthenticate.aspx%3fSource%3d%252FSitePages%252FTest%252Easpx GET>

  7. The next action is a new POST request to https://esosp01.esodomain.local:444/_trust/. Note that this request performs the authentication on the site itself.

    <https://esosp01.esodomain.local:444/_trust/ POST>

  8. The POST data of this request contains the following information:

    The wresult parameter is the assertion that ADFS sends to the web application. This assertion is different for each authentication attempt, so you should use the != operator to mark it as dynamic. The value can be left blank.

  9. The final action is as follows:

    <https://esosp01.esodomain.local:444/_trust/ POST
    =wa=wsignin1.0
    =wctx=https://esosp01.esodomain.local:444/_layouts/15/Authenticate.aspx?source=%2FSitePages%2FTest%2Easpx
    !=wresult= >

  10. Now only two final GET requests left:

    <https://esosp01.esodomain.local:444/_layouts/15/Authenticate.aspx?Source=%2FSitePages%2FTest%2Easpx GET>

    <https://esosp01.esodomain.local:444/SitePages/Test.aspx GET>
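Steps 1 to 10 above can be mechanised. The following script is an added example (not GSA tooling) that reads a HAR 1.2 export, drops static resources, and emits the rule actions in the markup used on this page, writing password fields with *= and a placeholder instead of the captured value and the wresult assertion with != and a blank value. The embedded HAR fragment is constructed for the demonstration; the field names treated as secret or dynamic are an assumption you adjust for your own site.

```python
import json
from urllib.parse import urlsplit

# Constructed HAR fragment (not a real capture): entries mirroring the ADFS flow
# described above, plus a CSS request that the rule must ignore.
SAMPLE_HAR = json.dumps({"log": {"entries": [
    {"request": {"method": "GET", "url": "https://esosp01.esodomain.local:444/SitePages/Test.aspx"}},
    {"request": {"method": "GET", "url": "https://omegadc01.omega.local/adfs/ls/style.css"}},
    {"request": {"method": "POST", "url": "https://omegadc01.omega.local/adfs/ls?wa=wsignin1.0",
                 "postData": {"params": [{"name": "UserName", "value": "jsmith%40omega.local"},
                                         {"name": "AuthMethod", "value": "FormsAuthentication"},
                                         {"name": "Password", "value": "s3cret"}]}}},
    {"request": {"method": "POST", "url": "https://esosp01.esodomain.local:444/_trust/",
                 "postData": {"params": [{"name": "wa", "value": "wsignin1.0"},
                                         {"name": "wresult", "value": "<t:RequestSecurityTokenResponse/>"}]}}},
]}})

STATIC_EXT = (".css", ".js", ".png", ".gif", ".jpg", ".ico", ".woff")
SECRET_FIELDS = {"password"}   # assumption: emitted as *=name=placeholder, HAR value never copied
DYNAMIC_FIELDS = {"wresult"}   # assumption: per-attempt assertion, emitted as !=name= with blank value


def har_to_rule(har_text, secret_fields=SECRET_FIELDS, dynamic_fields=DYNAMIC_FIELDS):
    """Return the <URL METHOD ...> actions, one string each, in the order the browser issued them."""
    actions = []
    for entry in json.loads(har_text)["log"]["entries"]:
        req = entry["request"]
        if req["method"] not in ("GET", "POST"):
            continue
        if urlsplit(req["url"]).path.lower().endswith(STATIC_EXT):
            continue  # CSS, pictures and JavaScript are not part of the rule
        lines = [f"<{req['url']} {req['method']}"]
        for param in req.get("postData", {}).get("params", []):
            name, value = param["name"], param.get("value", "")
            if name.lower() in secret_fields:
                lines.append(f"*={name}=your_password_here")  # secret: do not copy from the HAR
            elif name.lower() in dynamic_fields:
                lines.append(f"!={name}=")                    # dynamic: value differs per attempt
            else:
                lines.append(f"={name}={value}")
        lines[-1] += ">"
        actions.append("\n".join(lines))
    return actions


if __name__ == "__main__":
    print("\n".join(har_to_rule(SAMPLE_HAR)))
```

Because a HAR saved "with Content" holds the real password you typed in Step 1, review the generated rule and delete the HAR once the rule is entered.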

Completed forms authentication rule example

The completed forms authentication rule will look like this:


<https://esosp01.esodomain.local:444/SitePages/Test.aspx GET>
<https://esosp01.esodomain.local:444/_layouts/15/Authenticate.aspx?Source=%2FSitePages%2FTest%2Easpx GET>
<https://esosp01.esodomain.local:444/_login/default.aspx?ReturnUrl=%2f_layouts%2f15%2fAuthenticate.aspx%3fSource%3d%252FSitePages%252FTest%252Easpx&Source=%2FSitePages%2FTest%2Easpx GET>
<https://esosp01.esodomain.local:444/_trust/default.aspx?trust=OMEGA%20ADFS&ReturnUrl=%2f_layouts%2f15%2fAuthenticate.aspx%3fSource%3d%252FSitePages%252FTest%252Easpx&Source=%2FSitePages%2FTest.aspx GET>
<https://omegadc01.omega.local/adfs/ls?wa=wsignin1.0&wtrealm=urn%3asharepoint%3aesosp01&wctx=https%3a%2f%2fesosp01.esodomain.local%3a444%2f_layouts%2f15%2fAuthenticate.aspx%3fSource%3d%252FSitePages%252FTest%252Easpx GET>
<https://omegadc01.omega.local/adfs/ls?wa=wsignin1.0&wtrealm=urn%3asharepoint%3aesosp01&wctx=https%3a%2f%2fesosp01.esodomain.local%3a444%2f_layouts%2f15%2fAuthenticate.aspx%3fSource%3d%252FSitePages%252FTest%252Easpx POST
=UserName=jsmith%40omega.local
=AuthMethod=FormsAuthentication
*=Password=your_password_here>
<https://omegadc01.omega.local/adfs/ls?wa=wsignin1.0&wtrealm=urn%3asharepoint%3aesosp01&wctx=https%3a%2f%2fesosp01.esodomain.local%3a444%2f_layouts%2f15%2fAuthenticate.aspx%3fSource%3d%252FSitePages%252FTest%252Easpx GET>
<https://esosp01.esodomain.local:444/_trust/ POST
=wa=wsignin1.0
=wctx=https://esosp01.esodomain.local:444/_layouts/15/Authenticate.aspx?Source=%2FSitePages%2FTest%2Easpx
!=wresult=>
<https://esosp01.esodomain.local:444/_layouts/15/Authenticate.aspx?Source=%2FSitePages%2FTest%2Easpx GET>
<https://esosp01.esodomain.local:444/SitePages/Test.aspx GET>
