PAM 3.5 - AppSSO uncooked?

On 22nd Jan, we opened SR#101213831901 and submitted every detail (a step-by-step document) to Support so that Support could reproduce the issue internally. Support even took a remote session and didn't manage to get AppSSO to work.

I am not here to complain about Support, I just want to know if AppSSO really works?
  • On 13.02.19 19:04, sharfuddin wrote:
    > On 22nd Jan, we opened SR#101213831901 and submitted every detail (a
    > step-by-step document) to Support so that Support could reproduce the
    > issue internally. Support even took a remote session and didn't manage
    > to get AppSSO to work.
    > I am not here to complain about Support, I just want to know if
    > AppSSO really works?


    Yes AppSSO does work.

    But I think it would be better if you talked to a Support Manager.

  • I am sorry for not coming back earlier. We got the following:

    The APPSSO is dependent on SecureLogin. In order to make the SSO work, the team must have the SecureLogin skillset.

    For vSphere Web Client you might need to configure it using App Definition Wizard from NSL. Here is the guide to create an Application Definition for a Web Application:

    or if the App definition is not working, please write the script:

    It's not uncooked, but at least APPSSO is not strictly a "PAM Feature".
  • PAM AppSSO does really work. :) I have verified several of the use-cases now including Web Logins and even created a couple of my own custom ones.

    There are some sample AppSSO scripts that can be imported that I'm sure you are aware of. These should work and please continue to work with support if they do not.

    In addition, you can also create custom AppSSO scripts for any application using the wizard and/or tweaking the script definition. This will require some experience with SecureLogin and possibly some learning on your part. With the Wizard, it can be fairly straightforward, but does occasionally need further tweaking of the script definition.

    Please see PAM documentation for Creating Application SSO Scripts.
    Some helpful SecureLogin documentation sources:
    - Using the Application Definition Wizard.
    - Commands reference (script).

    In SecureLogin Manager, it would be good to enable the following preferences for a domain administrator when testing / creating the new script with the wizard:
    - Display Splash screen on startup
    - Display system tray icon
    - Show Add Application wizard with minimal actions
    Note: Please disable these options for SSOUser and non-admin users after all the steps below are done.

    I suspect that there is a problem in the custom NSL script in this case. It can be helpful, especially with new scripts, to verify it works with SecureLogin before having it authorized through PAM. Simply commenting out or removing the SetRestPlat -method "PAM" line in the script and creating a temporary, local credential in the SecureLogin Application is a good way to test/verify the script without wondering if there is some problem in PAM. I am then able to launch the application, try out the script, tweak, etc. Once satisfied, then I can add that line back in as per the PAM documentation and verify the script is copied/owned by the PAM AppSSO user, then try through PAM use-case and debug if necessary from that context, checking cmdctrl authorization, etc.

    What application are you looking to add? Is it a webapp or native/gui/windows?
  • Hi tdharris,

    I know it's an old post, but I am writing here to let you know that I have read your information above, since we discussed this issue somewhere else.

    I am currently struggling with the final step of implementing AppSSO for the VMware ESXi 6.7 host client (locally in the domain). So far the PAM user can launch the RDP file from the PAM console, my web application opens and PAM records the session, but SecureLogin does not enter the credentials automatically.

    The wizard provided by SecureLogin is not solving the problem because it is not detecting the login fields, regardless of whether I open the app in IE or Chrome. I tried enabling scripts and add-ons in IE as well, but that didn't work.

    Is there a predefined script for this application, or any script that can be easily tweaked?


    1- My AppSSO agent machine is Windows Server 2012 R2 and I have the KB2919355 security update installed.
    2- The ESXi login screen is an HTML5 web page; it has regular username and password fields and a login button, and it looks like:

  • I recommend initially getting one of the bundled type scripts working to ensure the environment is properly set up and that the understanding of how the feature is configured is confirmed. You could try with an application and then go to a web URL/app type approach as well.

    With that base in place, creating a custom type script would be good to explore. You should first confirm the SecureLogin SSO script can work standalone with just text inputs, without any PAM, while developing the script / using the helper tool. Once the SecureLogin script has been verified working without PAM, then it would be good to configure it within PAM for credential fill from the crdvlt.

    I suspect there is an issue with the SecureLogin script in identifying the fields for that page in order to then inject the credentials. So simply using static type text entry with no SetRestPlat -method "PAM" type entry will de-couple it from PAM and help isolate / troubleshoot the SSO script individually.

    I hope the above helps. If I remember right, it's tricky to get selection of those fields in the SSO script context for SecureLogin. I sadly don't have a sample script for the ESXi web login portal yet.
  • So far it worked for me without the 'SetRestPlat -method "PAM"', so it's not PAM that is inserting the credentials (from the credential vault), it's SecureLogin (from credentials I saved in SecureLogin), so I have considered it a solution since the credentials are inserted automatically while they are hidden and inaccessible to the user.

    Your information above was helpful, and it was not a certificate problem as I suspected; the trick was jumping from the PAM documentation to the SecureLogin documentation to figure out how it works.

  • Ok, glad to hear that the SecureLogin script can inject the stored credentials there. If possible, would you be willing to share that SSO script here? I suspect others would benefit from the ESXi SSO script.
    Now for fulfilling the REST request to PAM to fetch the credential based on cmdctrl authorization, there could be other potential issues there, and I'd recommend opening a Service Request and perhaps just referencing this forum thread, as I believe it will be a solvable issue.
  • Yes sure, the following script worked for that:


    DebugPrint "Conducting Match on login form Log in - VMware ESXi - Internet Explorer"
    Title "Log in - VMware ESXi - Internet Explorer"
    DebugPrint "Window Title Log in - VMware ESXi - Internet Explorer Detected"

    Type $Username
    Type \T
    Type $Password
    Type \N


    Note: $Username and $Password are credentials you saved in SecureLogin for this application (in the details tab).

    In case this script doesn't work, try putting a "Delay" at the beginning of the script, i.e., type the following as the first line in the script:

    Delay 5000

    Hope it helps, and sorry for the late answer.

  • Btw tdharris, so far, Application SSO to a database and Application SSO to a web application worked for me without creating any rule in the command control, so the PAM user has to make a request and then be confirmed by the admin to have access to the application (as RDP, for example), and after that the session is recorded and reports are issued properly, so everything works fine.

    But when I add a rule for the application, the PAM user has access to the application (an RDP file is automatically created in his Access Console) without requesting it, which made me confused about the purpose of adding a rule, since the documentation stated that rules must be created, while things worked for me without creating rules.

    Am I misunderstanding something?

  • The example is providing steps for how to achieve with cmdctrl rule-based authorization where a set of users should have access to perform privileged SSO to applications without having to do a request/approval workflow with an admin for each time. This makes sense for a lot of use-cases where certain users have authority to use certain resources/credentials. In fact, most organizations have a plan for groups of users to have access to various groups of resources by group membership, so a request-based approach only would be too cumbersome and would only be needed for emergencies where they aren't typically permitted to have that access by the cmdctrl rules.

    However, if you are seeking that users have no access provided by any cmdctrl rules and prefer them to make a New Request for each privileged SSO they perform, then this can also be done by using the Emergency Access Requests feature in PAM. A user can simply select "New Request" and set it to Application SSO and select the Application, etc. With that approach, then a cmdctrl rule shouldn't be necessary, yes.