mxu1386
Visitor.
616 views

NAM3.2 form fill with application JS generated login form


We use NAM 3.2 to proxy and doing single sign-on Tableau app. The
form-fill works fine until we upgraded Tableau to new version, now NAM
could not "see" the login form. I checked and the URL and the form name
are correct in the policy. After looking into the login page, I found
that the new login page returned from Tableau server doesn't contain a
form at all, here is the result using "view source" in browser: it looks
like the form is generated using JS, which run on browser. How can I
make NAM to deal with this kind of login?

Thanks
Mark
<!DOCTYPE html><html xmlns:ng="" xmlns:tb=""><head><meta
charset="UTF-8"><meta name="viewport" content="width=1024,
maximum-scale=1.3"><meta name="format-detection"
content="telephone=no"><script>var VizPortal;
(function (VizPortal) {
VizPortal.BuildId = 'aohq2u6od85gsyvi';
})(VizPortal || (VizPortal = {}));</script><link rel="stylesheet"
type="text/css" href="vizportal.css?aohq2u6od85gsyvi"><script
src="/javascripts/api/tableau-2.0.0.min.js?aohq2u6od85gsyvi"></script><script
src="vizportalLibs.js?aohq2u6od85gsyvi"></script><script
src="vizportal.min.js?aohq2u6od85gsyvi"></script></head><body
class="tb-body"><div ng-app="VizPortalRun" id="ng-app" tb-window-resize
class="tb-app"><div ui-view="" class="tb-app-inner"></div><script
type="text/ng-template" id="inline_toaster.html"><div class="tb-toaster
tb-enable-selection"><div ng-repeat="toast in toasts"
ng-class="'tb-toast-{{ toast.type }}'" class="tb-toast"><div
ng-if="toast.lines" class="tb-toast-text"><div ng-repeat="line in
toast.lines">{{ line }}</div></div><div ng-if="toast.templateUrl"
ng-include="toast.templateUrl"></div><span
tb-button-click="close(toast.id)" class="tb-clear-button
tb-disable-selection">×</span></div></div></script><tb:toaster></tb:toaster><script
type="text/ng-template" id="inline_stackedElement.html"><div
tb-window-resize tb-left="left" tb-top="top" tb-right="right"
tb-bottom="bottom" tb-visible="visible"
class="tb-absolute"></div></script><tb:stacked-elements></tb:stacked-elements></div></body></html>


--
mxu1386
------------------------------------------------------------------------
mxu1386's Profile: https://forums.netiq.com/member.php?userid=1361
View this thread: https://forums.netiq.com/showthread.php?t=53784

0 Likes
4 Replies
Knowledge Partner
Knowledge Partner

Re: NAM3.2 form fill with application JS generated login form

mxu1386 wrote:

>
> We use NAM 3.2 to proxy and doing single sign-on Tableau app. The
> form-fill works fine until we upgraded Tableau to new version, now NAM
> could not "see" the login form. I checked and the URL and the form name
> are correct in the policy. After looking into the login page, I found
> that the new login page returned from Tableau server doesn't contain a
> form at all, here is the result using "view source" in browser: it looks
> like the form is generated using JS, which run on browser. How can I
> make NAM to deal with this kind of login?
>


It looks like they have switched to templating via the Angular javascript framework.

Your chances are low that you can get this working as most of the elements are generated dynamically by the browser based on a skeleton template.
This really limits the accessibility of this page and the ability for the page to degrade gracefully.
(To the detriment of everyone except the designers who want to program the web like they program apps and the project manager who was beguiled by a whizz bang UI)

You *might* be able to make this work, you need to do some investigation regarding how the login is actually performed and what is required.
I've had limited success with pages that lack a proper form and use competing frameworks like knockout and kendo

However this is somewhat of an arms race - you should try and find an alternative.

If this is the Tableau Server product, it seems that it supports SAML - I'd use this instead.

http://downloads.tableau.com/quickstart/feature-guides/saml.pdf
Alex McHugh - Knowledge Partner - Stavanger, Norway
Who are the Knowledge Partners
If you appreciate my comments, please click the Like button.
If I have resolved your issue, please click the Accept as Solution button.
0 Likes
Highlighted
mxu1386
Visitor.

Re: NAM3.2 form fill with application JS generated login form


Thanks Alex for your help.
Looks like SAML is the only solution that will work for sure.
In our NAM, we have multiple authentication contracts defined in IDS.
When I configure NAM to provide SAML identity to tableau, how do I
specify which contract to use?


Thanks
Mark


--
mxu1386
------------------------------------------------------------------------
mxu1386's Profile: https://forums.netiq.com/member.php?userid=1361
View this thread: https://forums.netiq.com/showthread.php?t=53784

0 Likes
Knowledge Partner
Knowledge Partner

Re: NAM3.2 form fill with application JS generated login form

mxu1386 wrote:

> Looks like SAML is the only solution that will work for sure.
> In our NAM, we have multiple authentication contracts defined in IDS.
> When I configure NAM to provide SAML identity to tableau, how do I
> specify which contract to use?


That depends.

Technically it is up to the SP (ie tableau in this case) to enforce the auth contract used.
often SPs just blindly accept anything authenticated by the IDP (ie NAM)

If they do enforce the auth contract used, the regular auth contracts created by NAM don't have the right URI.

This is a good thread which discusses some of the issues involved.
https://forums.netiq.com/showthread.php?47478-Request-a-specific-contract-from-3rd-party-SP-SAML2

It outlines how you can use IDP initiated federation by constructing an Intersite Transfer Service URL
Which can specify the auth contract.
https://www.netiq.com/documentation/netiqaccessmanager4/identityserverhelp/data/bdqwiuh.html

Or you can configure NAM to match the contract specified by the SP if you are using SP initiated federation.
This generally requires creating a new contract that matches the URI the SP sends (as they rarely are willing or able to change the URI they send)

Step Up Authentication is another option (though it has some limitations)
https://www.netiq.com/documentation/netiqaccessmanager4/identityserverhelp/data/bdqwiuh.html#bydi0ne
https://www.netiq.com/documentation/netiqaccessmanager4/identityserverhelp/data/b1apynrk.html
Alex McHugh - Knowledge Partner - Stavanger, Norway
Who are the Knowledge Partners
If you appreciate my comments, please click the Like button.
If I have resolved your issue, please click the Accept as Solution button.
0 Likes
mxu1386
Visitor.

Re: NAM3.2 form fill with application JS generated login form


Thanks Alex, I'll give it a try.


--
mxu1386
------------------------------------------------------------------------
mxu1386's Profile: https://forums.netiq.com/member.php?userid=1361
View this thread: https://forums.netiq.com/showthread.php?t=53784

0 Likes
The opinions expressed above are the personal opinions of the authors, not of Micro Focus. By using this site, you accept the Terms of Use and Rules of Participation. Certain versions of content ("Material") accessible here may contain branding from Hewlett-Packard Company (now HP Inc.) and Hewlett Packard Enterprise Company. As of September 1, 2017, the Material is now offered by Micro Focus, a separately owned and operated company. Any reference to the HP and Hewlett Packard Enterprise/HPE marks is historical in nature, and the HP and Hewlett Packard Enterprise/HPE marks are the property of their respective owners.