Case of the Triple Single Sign On Sign On Sign On

A customer still in Windows XP land was also still suffering along with IE6 … and with final mitigating issues preventing upgrade out of the way – off they went, on their merry way, to the wonderful modern world of IE8 … (relatively speaking…)

With every corporate legacy web app working wonderfully… except integration with their single sign on solution – Novell SecureLogin. They had to upgrade their product to be IE8 compatible (http://www.novell.com/media/content/simplifying-sso-with-novell-securelogin-7.html)

And they did.

And it worked.

On every single web app.

Except for one single web page – where the username was “tripled” It looked something like this (but imagine it’s WinXP)image

The problem was users had used single sign on for so many years they didn’t know their actual passwords.

Now there was a tendency to immediately blame IE8 as the culprit as IE8 had just been upgraded. But that’s not really fair as two products had been upgraded – IE8 & SSO.

In fact you could prove SSO caused the problem by reverting to IE6 but maintaining the new version of SSO – the triple single sign on issue still occurred.

Interestingly this issue did not occur on ANY other web page that was tested.

The SSO tool provides a wizard to setup websites – as a test I removed the username/password stored for this web page in the SSO administration tool. When browsing to the website Novell’s SSO IE Add-On correctly opened a dialog box to prompt for the web site’s credentials, to put away in the SSO database. However it didn’t only open 1 dialog box – it immediately opened 4 dialog boxes exactly over top of each other. You only knew there was four by moving them away from each other…

image

So I went into the HTML source of the page to look for anything suspicious. I first noticed it contained invalid HTML such as :

  • align=”middle” was used, should be align=”center”
  • valign=”centre” was used, should be valign=”middle”
  • <tr> specifies colspan=”2″ this is invalid, only valid for <td>

However that seemed unlikely to break anything…then looking deeper I noticed the username, password and logon  button were all contained within their own <form></form>

<table> <tbody>

                  <tr>

                    <td>

                      <font color=”black”>User Name:</font>

                    </td>

                  </tr>

                  <tr>

                    <td>

                      <form onsubmit=”return verifyFieldandProceed(‘un’);” method=”post” name=”usernameForm”>

                        <input size=”40″ name=”un”>

                      </form>

                    </td>

                  </tr>

                  <tr>

                    <td>

                      <font color=”black”>Password:</font>

                    </td>

                  </tr>

                  <tr>

                    <td>

                      <form onsubmit=”return verifyFieldandProceed(‘pw’);” method=”post” name=”passwordForm”>

                        <input size=”40″ type=”password” name=”pw”>

                      </form>

                    </td>

                  </tr>

                  <tr colspan=”2″>

                    <td align=”right”>

                      <form onsubmit=”return verifyFieldandProceed(‘all’);” method=”post” name=”buttonForm”>

                        <input value=”Logon” type=”submit”>

                      </form>

                    </td>

                  </tr>

                </tbody>

            </table>

(note: in above code final <form></form> with post and hidden input fields are not shown…)

      I modified the page for testing:

      • ·         Consolidated all forms into a single form
      • ·         Updated relevant JavaScript to use the new single form

      The form now looked like this:

      <form method=”post” onsubmit=”return verifyFieldandProceed(‘all’);” name=”loginForm” action=”http://localhost/userinfo/logon target=”_parent” id=”loginForm”>

              <table border=”0″ width=”80%”>

                <tbody>

                  <tr>

                    <td height=”80%” valign=”middle” align=”center”>

                      <table>

                        <tbody>

                          <tr>

                            <td>

                              <font color=”black”>User Name:</font>

                            </td>

                          </tr>

                          <tr>

                            <td>

                              <input size=”40″ name=”un”>

                            </td>

                          </tr>

                          <tr>

                            <td>

                              <font color=”black”>Password:</font>

                            </td>

                          </tr>

                          <tr>

                            <td>

                              <input size=”40″ type=”password” name=”pw”>

                            </td>

                          </tr>

                          <tr>

                            <td align=”right” colspan=”2″>

                              <input value=”Logon” type=”submit”>

                            </td>

                          </tr>

                        </tbody>

                      </table>

                    </td>

                  </tr>

                 <tr>

                    <td height=”15%” valign=”bottom” align=”center”>

                      <table>

                        <tbody>

                          <tr>

                            <td class=”copyright” align=”center”>

                              Copyright © Oracle Corporation, 2001<br>

                              Minimum requirements: Netscape 4.06/MSIE 4.0 browser with JavaScript enabled, 800×600 display.

                            </td>

                          </tr>

                        </tbody>

                      </table>

                    </td>

                  </tr>

                </tbody>

              </table><input type=”hidden” name=”UserName”> <input type=”hidden” name=”Password”>

            </form>

      And Voila! The logon page worked. The problem was the new SSO got tricked by the multiple <form></form> tags on the logon page.

      The temporary workaround was to distribute this local HTML file, until either the web app could be fixed, or Novell SSO could be updated. The local HTML file would automatically kick off the SSO process, and post credentials to the actual web server.

      About chentiangemalc

      specializes in end-user computing technologies. disclaimer 1) use at your own risk. test any solution in your environment. if you do not understand the impact/consequences of what you're doing please stop, and ask advice from somebody who does. 2) views are my own at the time of posting and do not necessarily represent my current view or the view of my employer and family members/relatives. 3) over the years Microsoft/Citrix/VMWare have given me a few free shirts, pens, paper notebooks/etc. despite these gifts i will try to remain unbiased.
      This entry was posted in Application Compatibility, Internet Explorer and tagged . Bookmark the permalink.

      One Response to Case of the Triple Single Sign On Sign On Sign On

      1. “Case of the Triple Single Sign On Sign On Sign On | chentiangemalc” was a fantastic blog post and I ended up being pretty satisfied to discover the blog.
        Thanks a lot-Catalina

      Leave a Reply

      Fill in your details below or click an icon to log in:

      WordPress.com Logo

      You are commenting using your WordPress.com account. Log Out / Change )

      Twitter picture

      You are commenting using your Twitter account. Log Out / Change )

      Facebook photo

      You are commenting using your Facebook account. Log Out / Change )

      Google+ photo

      You are commenting using your Google+ account. Log Out / Change )

      Connecting to %s