Extending the Oracle Single Sign On (SSO) Server
Kurt Van Meerbeeck, AXI NV / [email protected]
www.axi.be / www.axi.nl
Session 389
Extending Oracle SSO Server
Who am I
- Kurt Van Meerbeeck
- Engineer in electronics
- Working with Java since 1996 (JDK 1.0.2)
- Working with Oracle products since 1997 (Oracle 7.3.x, OAS 3.0)
- Currently work for AXI NV/BV
  - Oracle partner in the Benelux area (www.axi.be / www.axi.nl)
  - Oracle RDBMS / iAS
- Author of DUDE, a data unloader tool (www.ora600.be)
- Member of the Oaktable Network (www.oaktable.net)
Extending Oracle SSO Server
Agenda
- Case study – the challenge
  - Customer requirements
- SSO – a small recap
  - Components
  - Workflow
  - SSO plugins
- Solution
  - LAN access
  - Internet access using OCA certificate
  - Internet access using eID passport
  - DIY federated authentication
Presenting the case
- Insurance company
  - 800 broker offices
  - 3000 brokers
- Back-office application
  - Visual Basic
  - Citrix
  - Oracle RDBMS
  - All business logic in PL/SQL
Presenting the case
[diagram: back-office app on a Citrix farm with COM+ servers and a database tier; brokers send proposals by fax to Company A / Company C]
- Proposal processing via fax
Presenting the case
[diagram: brokers use the third-party broker app (PORTIMA) over a private network to reach Company A, B ... n; authentication uses Office ID & suboffice ID]
- Proposal processing via 3rd-party broker app
Presenting the case
- Web-enable it !!!
- Technology – Internet Application Server
  - Oracle Portal
  - Oracle Webforms
  - Using existing PL/SQL packages – business logic
Presenting the case
- 3 options to connect
  - LAN back-office user
  - Internet broker (internet)
  - PORTIMA broker (private network)
Presenting the case
- 4 ways to authenticate
  - LAN back-office user: username + password
  - Internet broker (internet, https): eID (certificate) + pin code, or OCA digital certificate + password
  - PORTIMA broker (private network, http): Office ID / Suboffice ID, checked by the Portima authentication server; map Portima ID to Oracle ID
The challenge
- Multiple complex authentication schemes
  - Internet: using the Belgian eID
    - only the eID pin code required
    - automatic logon to iAS
  - Internet: authentication using certificates signed by OCA
    - SSO password required to log on to iAS
  - Private network: federated authentication
    - brokers already authenticated with our partner's SSO server
    - map partner identity to iAS SSO identity
    - automatic logon to iAS
  - LAN: internal LAN users
    - SSO username/password required
The challenge
- Other requirements (challenges)
  - Only develop in PL/SQL
  - Technology: Oracle Webforms & Portal
    - only Java / signed jar files – eID, printing
  - Custom multiple logon screens
    - Holding has multiple companies
    - Company look & feel
    - PL/SQL using OWA, UTL_HTTP & mod_plsql
  - Custom PL/SQL APIs (for use in Webforms)
    - Oracle Certificate Authority (OCA) (integration with OpenSSL)
    - Single Sign On Server (SSO)
    - Identity Management (IM) instead of OIDDAS (dbms_ldap)
Yeah well ... and I WANT A PORSCHE
A small recap
- Oracle AS components – middle tiers
  - OHS – Apache 1.3, mod_oc4j, mod_plsql, mod_rewrite, mod_osso, ...
  - Webcache
  - J2EE
  - Forms, Reports, Discoverer
  - Portal
A small recap
- Oracle AS components – infrastructure
  - OHS – Apache 1.3, mod_oc4j, mod_plsql, mod_rewrite, mod_osso, ...
  - OID – LDAP
  - J2EE
  - SSO server
  - OCA
  - RDBMS – Portal, SSO, OCA and other configuration & metadata
Understanding the SSO architecture
- Lots of moving parts
  - HTTP redirects
  - SSO & partner cookies
  - Token obfuscation
  - PL/SQL API in case of Oracle Portal
SSO workflow – not yet authenticated
[diagram: INFRA.axi.be (Apache with mod_osso, mod_oc4j, mod_plsql; J2EE / OC4J_SECURITY running SSO and OCA; OID/LDAP; IASDB) and MID.axi.be (Apache with mod_osso, mod_oc4j, mod_plsql; J2EE); the browser requests http://my.company.com]
- Apache virtual host: make it an SSO partner app and register it
  - ptlconfig – Portal
  - ossoreg.jar – mod_osso
  - mod_osso.conf:
        <Location /app>
          require valid-user
          AuthType basic
        </Location>
SSO workflow – not yet authenticated
    NameVirtualHost *:80
    <VirtualHost *:80>
      ServerName my.company.com
      Port 80
      # Include the configuration files
      # needed for mod_osso
      OssoConfigFile /OH/my_comp_osso.conf
    </VirtualHost>
- Redirect to infra.axi.be/pls/orasso/orasso.wwsso_app_admin.ls_login?Site2pstoreToken=<y>
- Partner cookie available?
- SSO cookie? If not, generate a redirect to the logon page http://infra.axi.be/sso/jsp/login.jsp (configured in $OH/sso/policy.properties)
SSO workflow – not yet authenticated
- HTTP POST: username, password, site token
- Check credentials in LDAP/OID
- If OK: generate the SSO cookie (SSO_ID) and a redirect to http://my.company.com/osso_login_success?urlc=<sitetoken>
- Generate the partner cookie and a redirect to the original URL (site token)
SSO workflow – already authenticated
- mod_osso intercepts the URL, finds the partner cookie on the client, and the request continues ...
SSO workflow – already authenticated
- Request for http://my.other-company.com
- mod_osso intercepts the URL: NO partner cookie on the client (there is one, but its cookie domain is .company.com)
- Redirect to infra.axi.be/pls/orasso/orasso.wwsso_app_admin.ls_login?Site2pstoreToken=<y>
- There is already an SSO cookie (SSO_ID) on the client, and my.other-company.com is a partner app: generate a redirect to http://my.other-company.com/osso_login_success?urlc=<sitetoken>
- mod_osso de-obfuscates the site token and redirects to the original URL
SSO workflow – recap
- Things to remember
  - Cookies
    - 1 SSO cookie – infrastructure – shared
    - 1 cookie per partner app (virtual host)
  - Site token
    - obfuscated in the beginning
    - de-obfuscated at the end
  - Lots of moving parts
  - Different technologies
SSO plugins
- Out of the box
  - Default: username/password
  - SSOX509CertAuth plugin
    - supports X.509 digital certificates
    - supports fallback authentication (but we don't want that)
  - SSOKerbeAuth plugin
    - supports WNA
    - supports fallback authentication (but we don't want that)
  - Multilevel authentication (but we don't need that)
    - <Location x> requires username/password
    - <Location y> requires a digital certificate
SSO plugins
- But we need more complex authentication
  - LAN: username/password
  - Private network: federated authentication
  - Internet: digital certificates / passwords & pin codes
- The SSO server allows custom plugins!
SSO plugins
- Plugins are mostly used for integrating third-party authentication devices (example: RSA ClearTrust)
  - Bootstrap IDs
  - Exchange ID tokens through HTTP headers
  - Look up the ID token and map it onto an Oracle SSO ID
SSO plugins – object model
[class diagram: SSOServerAuth implements IPASAuthInterface; SSOX509CertAuth, SSOKerbeAuth and the custom plugin extend SSOServerAuth]
- A plugin can either
  - extend the SSOServerAuth class (fallback authentication possible), or
  - implement the IPASAuthInterface interface
- The plugin implements the method authenticate(HttpServletRequest), which returns an instance of IPASUserInfo:
        package oracle.security.sso.server.auth;
        // Read the user token from the HTTP headers.
        // No token found in the HTTP headers?
        //   -> throw new IPASInsufficientCredException("No EID header found")
        //   -> or fallback authentication: super.authenticate(httpServletRequest)
        // Decode the token to an SSO username:
        IPASUserInfo authUser = new IPASUserInfo(username);
        return authUser;   // -> you're authenticated !!!
- return new IPASUserInfo("orcladmin");
SSO plugins – object model
- The plugin implements the method getUserCredentialPage(HttpServletRequest, String), which returns an instance of URL:
        return super.getUserCredentialPage(httpServletRequest, msg);
SSO plugins – object model
- Compiling & enabling your plugin
  1. Compiling
     - CLASSPATH: ipastoolkit.jar, servlet.jar, ossocls.jar
     - Put it in the right place! INFRA: $OH/j2ee/OC4J_SECURITY/applications/sso/web/WEB-INF/lib
  2. Enabling
     - INFRA: $OH/sso/conf/policy.properties
           MediumSecurity_AuthPlugin = oracle.security.sso.server.auth.eIDSSOAuth
     - Restart the SSO server: opmnctl restartproc process-type=OC4J_SECURITY
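An added example (not code from the presentation or from Oracle's toolkit) of a plugin along the lines described above, using the eIDSSOAuth class name from policy.properties and the SUBJECT header that the reverse proxy fills from the verified client certificate. The toolkit package name, the method and exception signatures, the SERIALNUMBER RDN and the OID URL, base and attribute are assumptions.

```java
package oracle.security.sso.server.auth;

import java.util.Hashtable;
import javax.naming.*;
import javax.naming.directory.*;
import javax.servlet.http.HttpServletRequest;
import oracle.security.sso.ias904.toolkit.*; // assumed toolkit package (ipastoolkit.jar)

// The reverse proxy terminates SSL, verifies the client certificate and overwrites the
// SUBJECT header with its DN, so the SSO server must be reachable only through that proxy.
public class eIDSSOAuth extends SSOServerAuth {
    // Assumed: the RDN identifying the card holder and the OID attribute/base to match.
    private static final String LOOKUP_RDN = "SERIALNUMBER";
    private static final String LDAP_URL = "ldap://INFRA.axi.be:389";
    private static final String USER_BASE = "cn=Users,dc=axi,dc=be";

    public IPASUserInfo authenticate(HttpServletRequest request)
            throws IPASAuthException, IPASInsufficientCredException {
        String subject = request.getHeader("SUBJECT");
        // No certificate: refuse rather than fall back to super.authenticate(request)
        if (subject == null || subject.trim().length() == 0)
            throw new IPASInsufficientCredException("No EID header found");
        String key = rdnValue(subject, LOOKUP_RDN);
        if (key == null)
            throw new IPASAuthException("Certificate subject has no " + LOOKUP_RDN);
        String username = lookupUsername(key);
        if (username == null)
            throw new IPASAuthException("No SSO user mapped to " + key);
        return new IPASUserInfo(username); // mapped identity: the user is logged on
    }

    // Picks one RDN value out of a DN such as "SERIALNUMBER=12345678901, CN=Jan Peeters, C=BE"
    static String rdnValue(String dn, String type) {
        for (String rdn : dn.split(",")) { // escaped commas inside values are not handled
            int eq = rdn.indexOf('=');
            if (eq > 0 && rdn.substring(0, eq).trim().equalsIgnoreCase(type))
                return rdn.substring(eq + 1).trim();
        }
        return null;
    }

    // Maps the key to an OID uid; {0} lets JNDI escape it instead of building the filter by hand
    private String lookupUsername(String key) throws IPASAuthException {
        Hashtable<String, String> env = new Hashtable<String, String>();
        env.put(Context.INITIAL_CONTEXT_FACTORY, "com.sun.jndi.ldap.LdapCtxFactory");
        env.put(Context.PROVIDER_URL, LDAP_URL);
        try {
            DirContext ctx = new InitialDirContext(env);
            SearchControls sc = new SearchControls();
            sc.setSearchScope(SearchControls.SUBTREE_SCOPE);
            NamingEnumeration<SearchResult> hits =
                    ctx.search(USER_BASE, "(serialNumber={0})", new Object[] { key }, sc);
            Attribute uid = hits.hasMore() ? hits.next().getAttributes().get("uid") : null;
            ctx.close();
            return uid == null ? null : (String) uid.get();
        } catch (NamingException e) {
            throw new IPASAuthException("OID lookup failed: " + e.getMessage());
        }
    }
}
```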
SSO plugins
- SSO plugins
  - Authenticate users the way you want
  - Trust 3rd-party authentication
    - eID
    - PORTIMA authentication server
  - But it's Java
    - Deal with it
SSO custom logon screen
[diagram: the SSO plugin on INFRA.axi.be with a custom PL/SQL login page and PL/SQL login proxy (PL/SQL using OWA_UTIL) in front of it; http://infra.axi.be/pls/login_page is configured as the login page in $OH/sso/policy.properties]
- What site do you want to enter? ORASSO.WWSSO_UTL.unbake_site2pstore_token -> my.company.com: generate a different logon screen
SSO custom logon screen
- Submit credentials to the PL/SQL proxy; the SSO cookie, HTTP redirect and site token are proxied
  - offloading functionality from the SSO plugin to PL/SQL
  - easier integration with reverse proxies
  - manipulate redirects / site tokens (Vista)
SSO custom login
- LAN users – check!
- Internet brokers? PKI
[diagram: the 4 ways to authenticate, as above]
Public Key Infrastructure
- A few slides on PKI ...
PKI is a collection of services, protocols and standards supporting public key cryptography.
Public Key Infrastructure
- Certificate Authorities (CA): request / revoke / renew certificates
- Registration Authorities (RA): verify identities
- Online repositories: LDAP
- Certificate Revocation List (CRL): list of revoked certificates
- Entities: clients, servers, applications
- Public key certificate (X.509, PKCS#)
Public Key Infrastructure – chain of trust
PKI                                            | Equivalent
Root CA (ex. GlobalSign, Verisign)             | United Nations
Company CA (ex. AXI CA)                        | Belgium, Netherlands, ...
Registration Authority (RA)                    | City hall, police office, court house
Digital certificate (signing, authentication)  | Driver's license, passport
Public Key Infrastructure – chain of trust
- Example of authentication: me and my passport (Belgium), and the nice officer at JFK and his passport (US), both issued under the United Nations; valid? (CRL)
Public Key Infrastructure – chain of trust
- Example of authentication: if Belgium splits into the Flanders region and the Walloon region, I will be screwed if the United Nations do not recognize them; valid? (CRL)
Public Key Infrastructure – eID
- eID emerging in Europe: Belgium, The Netherlands, Germany, Austria, Italy, Portugal, Estonia
- Smartcard passport
Public Key Infrastructure – eID
From a visual point of view, the information shown is the same as on the present identity card:
- name
- first 2 Christian names
- first letter of the third Christian name
- nationality
- place and date of birth
- sex
- place of issue
- start and end dates of validity
- card number
- owner's photograph
- owner's signature
- National Register Number
Public Key Infrastructure – eID
From an electronic point of view, the data on the chip is the same as the information printed on the card, plus:
- address
- identity and signature keys
- identity and signature certificates
- Certificate Service Provider
- security information (chip number, etc.)
Some information is protected by a PIN code.
SSO integration with PKI
[diagram: the client holds a client certificate (OCA or eID; private/public key in a keystore) and the root certificates (Government CA, Oracle CA); SSL between the client and Apache, which presents its server certificate; behind it the PL/SQL login page / login proxy, SSO and OCA on INFRA.axi.be, OID/LDAP and IASDB]
SSO integration with PKI – SSL terminator
[diagram: HTTPS from the client to an SSL terminator/accelerator, plain HTTP behind it; the terminator checks certificates via OCSP / LDAP CRL download against the government CAs (eID) and via LDAP CRL download against OCA]
- What kind of SSL terminator to choose ???
  - Juniper SSL/VPN 4000 series
    - Recommended by the network partner
    - Should be easy to configure in a PKI environment
    - Requires no low-level HTTP proxy / reverse proxy rules
    - Expensive license (per session)
    - Encryption of cookies – URL masquerading
  - Threw it out because
    - It did not work with the combo Vista / Oracle Forms / JPI 1.5.x
    - Too high-level configuration – no low-level HTTP manipulation possible
    - SSO integration had to be done using HTTP POSTs of the certificate subject to our PL/SQL SSO proxy
    - Every switch to another partner app resulted in having to log on again (... euh ... that's not SSO)
SSO integration with PKI – SSL terminator
- What kind of SSL terminator to choose ???
  - Blue Coat reverse proxy (RP)
    - SSO – lots of moving parts – made the network guys dizzy
    - 6 different consultants in 6 days
    - Gave up on it ...
    - Blue Coat can probably do it ... just find the right people
  - Apache2-based RP
    - On Ubuntu Linux / HA with mod_proxy / mod_proxy_html
    - Very low-level HTTP manipulation possible
    - mod_ssl does not support OCSP
    - Managed to set it up in 2 days (incl. clustering)
SSO integration with PKI – workflow
[diagram: browser with an OCA digital certificate -> HTTPS to my.company.com / login.company.com (Apache 2 reverse proxy, SSL terminator) -> HTTP to MID.axi.be and INFRA.axi.be; CRL checks against the government CAs (eID) and OCA]
- Reverse proxy configuration:
        ProxyPass        /forms/              http://MID.axi.be:7782/forms/
        ProxyPass        /osso_login_success  http://MID.axi.be:7782/osso_login_success
        ProxyPass        /login/              http://INFRA.axi.be:7780/
        ProxyPassReverse /forms/              http://MID.axi.be:7782/
        ProxyPassReverse /sso/                http://INFRA.axi.be:7780/
        ProxyHTMLURLMap  http://INFRA.axi.be:7780 /login

        <Location /sso/>
          SSLVerifyClient require
          RequestHeader set SUBJECT "%{SSL_CLIENT_S_DN}e"
        </Location>
SSO integration with PKI – workflow
- OCA digital certificate: only the SSO password needs to be entered
- Map the certificate subject to the SSO username
SSO custom login
- LAN users – check!
- Internet brokers? OCA – check; eID?
[diagram: the 4 ways to authenticate, as above]
SSO integration with PKI – workflow
[diagram: browser with an eID digital certificate -> HTTPS to my.company.com / login.company.com (Apache 2 reverse proxy, SSL terminator) -> HTTP to MID.axi.be and INFRA.axi.be; OCSP / LDAP CRL checks against the government CAs (eID)]
- Same reverse proxy configuration as for the OCA certificate: the ProxyPass / ProxyPassReverse / ProxyHTMLURLMap rules and <Location /sso/> with SSLVerifyClient require and RequestHeader set SUBJECT "%{SSL_CLIENT_S_DN}e"
SSO custom login
- LAN users – check!
- Internet brokers? OCA – check; eID – check
[diagram: the 4 ways to authenticate, as above]
DIY federated authentication – workflow
[diagram: a broker on the private network reaches my.private-company.com / login.private-company.com through an Apache 2.x reverse proxy; the PL/SQL login page / login proxy checks office id / suboffice password against the Portima authentication server, and the SSO plugin on INFRA.axi.be maps the result to an SSO identity]
DIY federated authentication – workflow
- Replaced with SAML v2 federated authentication in 2008 (integrated with Oracle SSO)
Architecture
[diagram: client -> HTTP/S -> SSL/RP (apache2) -> HTTP -> RP (apache2) -> HTTP -> LB (Linux VIPs / ldirector) -> INFRA and MID; CA and CRL checks]
Solved problem ... and more
- Multiple authentication schemes
  - Depending on physical location
  - Automatic logon + identity bootstrapping
  - DIY federated authentication
- Access control
  - Ex. an internet broker is not allowed to log on via a LAN connection and/or vice versa
  - Must change password at first logon
- Multi-language support in the logon page
- Integration with reverse proxies
  - Passing/generating extra HTTP headers for logon logic
  - Detection of Windows Vista
  - Manipulate HTTP headers (e.g. Vista/IE bugs)
  - Manipulate the site token to redirect to another URL
  - Custom plugin download pages for Forms / Java plugin
- Multiple logon screens for different apps
  - Based on unbaking the site token
Questions