Configuring an Authentication Procedure for Non-Redirected Login

When a contract is created, it is assigned an authentication procedure that allows the user to be redirected to Identity Server for authentication. Some applications, such as AJAX and WebDAV applications, do not support redirection for authentication. You can change the authentication behavior of a contract so that redirection does not occur.

When non-redirected login is enabled, Access Gateway prompts the user to supply basic authentication credentials. The SOAP back channel between Access Gateway and Identity Server is used to complete the authentication on the user's behalf rather than a redirect. The SOAP back channel is also used for the session renewals.

Non-redirected login has the following restrictions:

  • Password Expiration Services: When you modify the authentication procedures to use non-redirected login, you cannot also use a password expiration service. Even when the Password expiration servlet and Allow user interaction options are configured, users are not redirected when their passwords are expiring and they are not prompted to change their passwords.

  • Locked Shared Secrets: When non-redirected login is enabled, users are not prompted for their passphrase for locked shared secrets.

  • Session Limits: Non-redirected login can cause the user to create more than one session with Identity Server because the SOAP back channel uses a different process than authentication requests that are directed to Identity Server. Therefore, do not limit your users to one session. Session limits are set by clicking Devices > Identity Servers > Edit.

If the contract you are going to use for non-redirected login is also assigned to protected resources that do not require non-redirected login, you must create a new authentication procedure for the resource requiring non-redirected login. Multiple authentication procedures can be configured to use the same contract.

To configure an authentication procedure:

  1. Click Access Gateways > Edit > [Name of Reverse Proxy] > [Name of Proxy Service] > Protected Resources > [Name of Protected Resource].

  2. On the Authentication Procedure line, click the Edit Authentication Procedure icon.

    The Authentication Procedure List displays all available contracts, the name of the authentication procedure they are assigned to, the protected resources that the authentication procedure has been assigned to, and whether the procedure has been enabled for non-redirected login.

  3. Select one of the following actions:

    • To create a new authentication procedure, click New, specify a name, then click OK. Continue with Step 4.

    • To modify an existing authentication procedure, click the name of the procedure. Continue with Step 4.

    • To delete an existing authentication procedure, select the procedure, then click Delete. Continue with Step 7.

      If the procedure is assigned to a resource, it cannot be deleted until it is no longer used to protect any resource. An authentication procedure must exist for each contract. If you delete an authentication procedure for a contract without also deleting the contract, the system automatically re-creates an authentication procedure for the contract.

  4. To specify the method for obtaining the credentials, fill in the following fields:

    Contract: Select the contract that you want to use for this protected resource. This needs to be a contract that supports basic authentication credentials, such as Name/Password-Basic or Secure Name/Password-Basic. You can also configure Non-Redirected Login with a Kerberos contract.

    Non-Redirected Login: Select this option to use the SOAP back channel to verify the user’s credentials rather than a redirected request to Identity Server.

    Realm: Specify a name that your users can use to identify the site that they are authenticating to. This could be your company name or the name of the application. The realm is displayed as a heading when the application requests a basic authentication.

    Redirect to Identity Server When No Authentication Header Is Provided: Requests to the resource are expected to carry an authentication header. If the first request does not contain the authentication header, you can select this option to allow that first request to be redirected to Identity Server.

  5. Click OK.

  6. Select the authentication procedure you created or modified in Step 4.

  7. Click OK.

  8. Click Devices > Access Gateways, then update Access Gateway.
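After updating Access Gateway, it is worth confirming that the protected resource now answers an unauthenticated request with a basic-authentication challenge carrying the configured realm, rather than with a redirect that an AJAX or WebDAV client cannot follow. The following check is an added example, not part of the original documentation or of Access Manager itself; the sample responses, realm name and Identity Server URL are constructed for illustration.

```python
import re
from typing import Mapping

# Constructed sample responses (not captured from a real gateway). Each models
# what a client that cannot follow redirects would receive from a protected
# resource, depending on how its authentication procedure is configured.
SAMPLE_RESPONSES = {
    "non_redirected_login": {
        "status": 401,
        "headers": {"WWW-Authenticate": 'Basic realm="Example Corp WebDAV"'},
    },
    "redirect_to_identity_server": {
        "status": 302,
        "headers": {"Location": "https://idp.example.com/nidp/"},  # hypothetical IdP URL
    },
    "already_authenticated": {"status": 200, "headers": {"Content-Type": "text/xml"}},
}


def classify_response(status: int, headers: Mapping[str, str], expected_realm: str) -> str:
    """Classify how the gateway handled a request that carried no credentials.

    'basic-challenge' : non-redirected login is active and the realm matches
    'realm-mismatch'  : a basic challenge, but not with the configured realm
    'redirect'        : redirected to Identity Server (AJAX/WebDAV clients stall here)
    'ok'              : served directly (a session already exists)
    'unexpected'      : anything else
    """
    h = {k.lower(): v for k, v in headers.items()}  # header names are case-insensitive
    if status == 401 and "www-authenticate" in h:
        m = re.match(r'\s*Basic\s+realm="([^"]*)"', h["www-authenticate"], re.IGNORECASE)
        if not m:
            return "unexpected"
        return "basic-challenge" if m.group(1) == expected_realm else "realm-mismatch"
    if status in (301, 302, 303, 307, 308) and "location" in h:
        return "redirect"
    if 200 <= status < 300:
        return "ok"
    return "unexpected"


def check_all(responses: Mapping[str, dict], expected_realm: str) -> dict:
    """Run the classifier over every sample and return {name: classification}."""
    return {name: classify_response(r["status"], r["headers"], expected_realm)
            for name, r in responses.items()}


if __name__ == "__main__":
    for name, verdict in check_all(SAMPLE_RESPONSES, "Example Corp WebDAV").items():
        print(f"{name}: {verdict}")
```

Only the 'basic-challenge' verdict means the resource is usable by a client that cannot be redirected; a 'redirect' verdict on the first request indicates the Redirect to Identity Server When No Authentication Header Is Provided option is in effect.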

For configuration scenarios that use this feature, see Configuring Single Sign-On to Specific Applications.