XenMobile: WorxWeb Single Sign On with NetScaler

XenMobile: WorxWeb Single Sign On with NetScaler -

WorxWeb is the mobile web browser, deployed as part of your deployment XenMobile. Similarly to WorxMail (the client secure mobile messaging) WorxWeb provides seamless and secure access to your entire set of company resources HTTP / HTTPS.

WorxWeb is an excellent example of our MDX technology. With MDX, we take a native mobile application, wrap it with our MDX technology, and provide a layer:

• applies MDX policies for maintaining the level of application
• international Monitors and controls access to the application, according to policies defined by the administrator
• monitor and control network access - MicroVPN - for access to corporate resources

One of the coolest things about WorxWeb, is its ability to Single Sign on users in enterprise resources. So each time you access your internal corporate portal, via WorxWeb, you do not hit your LDAP credentials again. WorxWeb manages for you. Or by technical precision - NetScaler manages for you

There is a conscious choice for the sake of greater security, we do the identification of the user cache information on the endpoint (not by default -. We do not allow basic rules caching, if you choose). So if the credentials are not available on the final point, how this SSO?

NetScaler's the magic.

Initially, when you start any MDX application WorxHome ensures that you have a valid session MicroVPN available with NetScaler. As part of this implementation, the user would need to provide his / her LDAP credentials, assuming that LDAP is one factor configured to authenticate the user on NetScaler. Now, as part of this LDAP authentication, NetScaler is able to access and record the user's credentials for future use without welding SSO on behalf of the user.

So when a user opens WorxWeb, launching say an internal portal page, here's what happens in the background :.

1. Often the portal page return an HTTP 401 error, indicating that the user authorization is required to access the
2. NetScaler is aware of this transaction, and seeing a 401 returned intercepts it and responds with the user credentials on the Web server.
3. If the user's credentials are playing well, and the web server accepts this transaction, it will return the requested page with a status HTTP 0 OK.
4. This page is then returned to WorxWeb on the end user device. In essence, we have just completed a Single Sign On

Note that the Single Sign On tempted, depends on the following :.

1. authentication credentials resources are the same as one of the factors in place on NetScaler. Note that the NetScaler ability to replay the user's credentials is intrinsically linked to the assumption that NetScaler has access to these credentials. NetScaler now never stores these credentials on disk, in a similar case that a safe password could do. But in the context of the creation of the session on NetScaler, it stores the credentials used to log on, in the context of the user's session (safely encrypted). And if those credentials match the credentials required for access to resources, in theory, we can achieve SSO.
2. Above factor is not sufficient to perform SSO. The other thing that is important NetScaler be able to see the challenge 401. NetScaler of the ability to see a 401 is possible if the session being bridged via NS, not end to end encrypted SSL. Therefore, a session is HTTPS, the rear end can not be peeped in, and therefore an attempt to SSO, not possible. That said, NetScaler is an intelligent device, and provides a possible workaround. NetScaler has several modes in which a customer can interact with the NetScaler to achieve real backend resource. Two of them are:
   1. MicroVPN Micro VPN is a complete VPN tunnel, but application specific. In a Micro VPN communications protocol most commonly used in XenMobile, NetScaler suffers from the limitation above - lack of capacity peep in an HTTPS session
   2. SecureBrowse :. In SecureBrowse mode, NetScaler down the HTTPS session in two - Customer NetScaler NetScaler and the backend resource server. In this manner, NS has complete visibility of all transactions between the client and the server. Given this, NS is now able to peep inside and see a 401 in. And whenever 401 is seen, NS can replay the user's credentials for SSO
3. There is a third factor that comes into play, which can decide on the capacity of NetScaler SSO -. Supported the auth methods. Each challenge 401 lists auth methods that can be used by the client to perform a user authentication. According auth methods supported by the server, and the auth profiles configured on NetScaler, it may or may not be able to provide SSO. Following single authentication methods are supported on NetScaler
   1. HTTP Basic Authentication NetScaler automatically, as long as SSO to Web applications is activated in the session profile
   2. [ HTTP Digest authentication :. NetScaler automatically, as long as SSO to Web applications is activated in the session profile
   3. NTLM NetScaler automatically, as SSO to Web applications is activated in the session profile
   4. Kerberos Impersonation :. This configuration requires the NS for Kerberos SSO. This is explained here
   5. Kerberos Constrained Delegation :. This configuration requires the NS for Kerberos SSO. This is explained here
   6. SAML authentication :. This configuration requires the NS for SAML SSO as part of policy of traffic. This is explained here
   7. Form Fill Authentication :. This configuration requires the NS, for the form-based SSO as part of policy of traffic. This is explained here.

XenMobile is a global mobility management solution, and the power packed with tons of features. This article attempts to provide guidance on just one of these mechanisms.

Tweet