PAM 3.5 - AppSSO uncooked?
I am not here to complain about Support; I just want to know if AppSSO really works?
> On 22nd Jan, we opened an SR#101213831901 and submit every detail(step
> by step document) to Support so that Support can reproduce the issue
> internally, Support even took the remote and didn't manage AppSSO to
> I am not here to complain about Support; I just want to know if
> AppSSO really works?
Yes, AppSSO does work.
But I think it would be better if you talked to a Support Manager.
AppSSO depends on SecureLogin. In order to make SSO work, the team must have a SecureLogin skillset.
For the vSphere Web Client you might need to configure it using the App Definition Wizard from NSL. Here is the guide to create an Application Definition for a Web Application:
or if the App definition is not working, please write the script:
It's not uncooked, but AppSSO is not strictly a "PAM feature".
There are some sample AppSSO scripts that can be imported, which I'm sure you are aware of. These should work; please continue to work with Support if they do not.
In addition, you can also create custom AppSSO scripts for any application using the wizard and/or by tweaking the script definition. This will require some experience with SecureLogin and possibly some learning on your part. With the Wizard it can be fairly straightforward, but it does occasionally need further tweaking of the script definition.
Please see PAM documentation for Creating Application SSO Scripts.
Some helpful SecureLogin documentation sources:
- Using the Application Definition Wizard.
- Commands reference (script).
In SecureLogin Manager, it would be good to enable the following preferences for a domain administrator when testing / creating the new script with the wizard:
- Display Splash screen on startup
- Display system tray icon
- Show Add Application wizard with minimal actions
Note: Please disable these options for SSOUser and non-admin users after all the steps below are complete.
I suspect that there is a problem in the custom NSL script in this case. It can be helpful, especially with new scripts, to verify that it works with SecureLogin before having it authorized through PAM. Simply commenting out or removing the SetRestPlat -method "PAM" line in the script and creating a temporary, local credential in the SecureLogin application is a good way to test/verify the script without wondering whether there is some problem in PAM. I am then able to launch the application, try out the script, tweak it, etc. Once satisfied, I add that line back in as per the PAM documentation, verify that the script is copied/owned by the PAM AppSSO user, then try the PAM use case and debug if necessary from that context, checking cmdctrl authorization, etc.
What application are you looking to add? Is it a webapp or native/gui/windows?
I know it's an old post, but I'm writing here to let you know that I have read your information above, since we discussed this issue somewhere else.
I am currently struggling with the final step of implementing AppSSO for the VMware ESXi 6.7 host client (locally in the domain). So far the PAM user can launch the RDP file from the PAM console, my web application opens and PAM records the session, but SecureLogin does not enter the credentials automatically.
The wizard provided by SecureLogin is not solving the problem because it is not detecting the login fields, regardless of whether I open the app in IE or Chrome. I also tried enabling scripts and add-ons in IE, but it didn't work.
Is there a predefined script for this application or any script that can be easily tweaked ?
1- My AppSSO agent machine is Windows Server 2012 R2 and I have the KB2919355 security update installed.
2- The ESXi login screen is an HTML5 web page; it has regular username and password fields and a login button, and it looks like:
After that base, creating a custom-type script would be good to explore. You should first confirm that the SecureLogin SSO script can work standalone with just text inputs, without any PAM, while developing the script / using the helper tool. Once the SecureLogin script has been verified working without PAM, then it would be good to configure it within PAM for credential fill from the crdvlt.
I suspect there is an issue with the SecureLogin script in identifying the fields for that page in order to then inject the credentials. So simply using static text entry with no SetRestPlat -method "PAM" type entry will decouple it from PAM and help isolate / troubleshoot the SSO script individually.
I hope the above helps; if I remember right, it's tricky to get selection of those fields in the SSO script context for SecureLogin. I sadly don't have a sample script for the ESXi web login portal yet.
So far it worked for me without the 'SetRestPlat -method "PAM"', so it's not PAM that is inserting the credentials (from the credential vault), it's SecureLogin (from credentials I saved in SecureLogin), so I have considered it a solution since the credentials are inserted automatically while being hidden from and inaccessible to the user.
Your information above was helpful, and it was not a certificate problem as I suspected; the trick was jumping from the PAM documentation to the SecureLogin documentation to figure out how it works.
Now for fulfilling the REST request to PAM to fetch the credential based on cmdctrl authorization, there could be other potential issues there and I'd recommend opening a Service Request and perhaps just referencing this forum thread as I believe it will be solvable issue. 🙂
Yes sure, the following script worked for that:
DebugPrint "Conducting Match on login form Log in - VMware ESXi - Internet Explorer"
Title "Log in - VMware ESXi - Internet Explorer"
DebugPrint "Window Title Log in - VMware ESXi - Internet Explorer Detected"
Note: $Username and $Password are credentials you saved in SecureLogin for this application (in the details tab).
In case this script didn't work, try to put a "Delay" at the beginning of the script, i.e., type the following as the first line of the script:
Hope it helps and sorry for late answer.
Btw tdharris, so far Application SSO to a database and Application SSO to a web application worked for me without creating any rule in the command control, so the PAM user has to make a request, which then has to be confirmed by the admin, to get access to the application (as RDP, for example), and after that the session is recorded and reports are issued properly, so everything works fine.
But when I add a rule for the application, the PAM user has access to the application (an RDP file automatically created in his Access Console) without requesting it, which confused me about the purpose of adding a rule, since the documentation states that rules must be created, while things worked for me without creating rules.
Am I misunderstanding something ?
However, if you want users to have no access provided by any cmdctrl rules and prefer them to make a New Request for each privileged SSO they perform, then this can also be done by using the Emergency Access Requests feature in PAM. A user can simply select "New Request", set it to Application SSO and select the Application, etc. With that approach a cmdctrl rule shouldn't be necessary, yes.
It's been a while...
I have lately been worrying about extending the Active Directory schema (which is a must to implement Application SSO) in a production environment, where the Active Directory "may" have a lot of users or objects.
Schema extension for Active Directory may affect memory or decrease performance, and cannot be rolled back.
What is your opinion about this situation ?
1- Is there a specific size for the AD such that, below this size, I need not worry about causing performance issues?
2- While schema extension cannot be rolled back, is there a workaround (i.e. cloning the machine as a backup) for rolling back my work in case anything unexpected happens?
What I like in PAM is that it doesn't need to alter or change almost anything in the existing system, except for the schema extension for AppSSO, which confuses me.
Again, any thoughts would be appreciated.
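The check a practitioner would want before running a vendor schema extension such as the one PAM AppSSO requires is a recorded baseline of the schema, so that afterwards you can see exactly which classes and attributes were added and confirm nothing else changed. The PowerShell below is an added example and is not part of this thread or of the PAM/SecureLogin products; it assumes the RSAT ActiveDirectory module, read access to the schema naming context, and the Windows Server Backup feature for the `wbadmin` line. The file paths are placeholders. Two facts it relies on: schema objects in AD can be deactivated (marked `isDefunct`) but never deleted, which is why "cannot be rolled back" is accurate and why the `Removed` list in the diff should always be empty; and the supported rollback path is a system state backup of the schema master (restoring a domain controller from a VM clone or snapshot risks USN rollback unless the hypervisor exposes a VM Generation ID), so the backup step is shown beside the snapshot.

```powershell
# Added example (not from the thread): snapshot the AD schema before and after an
# extension and diff the two snapshots. Assumes the RSAT ActiveDirectory module and
# read access to the schema NC; paths below are placeholders.
Import-Module ActiveDirectory

function Get-SchemaSnapshot {
    param(
        # Query the schema master: extensions are written there and replicate outward.
        [string]$Server = (Get-ADForest).SchemaMaster
    )
    $schemaNC = (Get-ADRootDSE -Server $Server).schemaNamingContext

    # objectVersion on CN=Schema is the forest schema version (e.g. 69 for 2012 R2).
    $version = (Get-ADObject -Identity $schemaNC -Server $Server -Properties objectVersion).objectVersion

    # Every class and attribute definition lives one level under the schema container.
    $objects = Get-ADObject -Server $Server -SearchBase $schemaNC -SearchScope OneLevel `
        -LDAPFilter '(|(objectClass=attributeSchema)(objectClass=classSchema))' `
        -Properties lDAPDisplayName, objectClass, isDefunct, whenCreated |
        Select-Object lDAPDisplayName, objectClass, isDefunct, whenCreated

    [pscustomobject]@{
        Server  = $Server
        Taken   = (Get-Date).ToUniversalTime()
        Version = $version
        Count   = @($objects).Count
        Objects = $objects
    }
}

function Compare-SchemaSnapshot {
    param(
        [Parameter(Mandatory)] $Before,
        [Parameter(Mandatory)] $After
    )
    # Objects present only in the later snapshot are what the extension added.
    $diff = Compare-Object -ReferenceObject $Before.Objects -DifferenceObject $After.Objects `
        -Property lDAPDisplayName -PassThru

    [pscustomobject]@{
        VersionBefore = $Before.Version
        VersionAfter  = $After.Version
        Added   = @($diff | Where-Object SideIndicator -eq '=>' |
                    Select-Object lDAPDisplayName, objectClass, whenCreated)
        # Schema objects cannot be deleted, only made defunct, so this should stay empty.
        Removed = @($diff | Where-Object SideIndicator -eq '<=' | Select-Object lDAPDisplayName)
        # Deactivated definitions show up here rather than in Removed.
        Defunct = @($After.Objects | Where-Object isDefunct -eq $true | Select-Object lDAPDisplayName)
    }
}

# --- usage ---
# 1. Before the extension, on the schema master: take a system state backup
#    (the supported rollback path) and record the baseline.
#      wbadmin start systemstatebackup -backupTarget:E:
$before = Get-SchemaSnapshot
$before | Export-Clixml -Path 'C:\schema-before.xml'   # placeholder path

# 2. Run the vendor's schema extension, wait for replication, then diff.
$after = Get-SchemaSnapshot
Compare-SchemaSnapshot -Before (Import-Clixml 'C:\schema-before.xml') -After $after | Format-List
```

Run the "before" half on the schema master before the extension and the "after" half once `repadmin /showrepl` reports the change replicated; the `Added` list is what to put in the change record, and a non-empty `Removed` list means the two snapshots were not taken against the same forest.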