How can I pass credentials with a POST
How can I pass RSA credentials (from our own 'login' page) along with a POST to a REST service, so that the return is the REST data, rather than the challenge RSA login page.
Hi Jeff,
I have moved this discussion to the RSA SecurID Suite page so that you can get an answer to your question.
Thanks,
Jeff
Hi Jeff - could you provide a diagram or further explanation of your goal?
Sure.
I'm building a mobile application that calls a REST service that sits
behind our firewall (Bluecoat/RSA), that will pull data onto the device.
On iOS devices, there is no issue, as we've created the following process:
1) A WebView control (basically a browser window within our mobile app)
calls a 'confirmation' page we've built, also behind the firewall. The
RSA credentials have not yet been verified, so the RSA login page is
presented within the WebView control.
2) The user enters their RSA token credentials. The credentials are
validated, and the user is presented with our confirmation page.
3) User taps a 'Continue Download' button, which sends the POST request to
our REST service, and the data is returned to the device.
The issue is that with Android, the RSA validation does NOT persist
outside of the WebView control (a limitation of Android), so in step 3,
the device is not seen as having its RSA credentials validated (since the
POST to the REST service is outside of the WebView control). The result
is that instead of the REST data, we get the HTML text of the RSA login
page.
What I'm hoping to do is create my own window with the RSA login fields,
have the user enter them on the device, and have them sent WITH the POST
to the REST service, (using PROXY_SG_USERNAME and PROXY_SG_PASSWORD
parameters somehow?) so they can be validated, and have the REST service
data returned in one shot, (bypassing the need to have the WebView
control).
Thanks,
Jeff
Jeff Weyant l FLUOR l Senior Software Applications Specialist l
Application Management Services – Distributed Systems l
jeff.weyant@fluor.com l IODC 30.6132 | O 949.349.6132
FLUOR ENTERPRISES, INC. l 3 Polaris Way, Aliso Viejo, CA 92698
Ted,
Did I present enough information? Is this something you can give us some direction/guidance on?
Hi Jeff - thanks for providing additional detail but I'm probably not the right person to help you with your Android question.
If the RSA agent doesn't see a valid cookie when your app sends the POST data then it is going to (re)ask for authentication credentials.
Ted,
I do notice on the challenge page the ACTION has a long querystring
variable for bcfru. It looks to be an encrypted string. Is this related
to the cookie that would be placed on the device?
Jeff
Hi Jeff,
I am not sure I fully understand your requirement. But I believe AMIS (provided with AM Prime) comes with a REST API that can be used for authentication.
For example, the request would look something like:
# curl -X POST -H "Content-Type: application/xml" -d '<Authentication type="token"><token userID="<USER_ID>" passcode="<PASSCODE>" /></Authentication>' "http://<AMIS_SERVER_IP>:8080/auth/authn"
e.g.:
# curl -X POST -H "Content-Type: application/xml" -d '<Authentication type="token"><token userID="tester" passcode="1234" /></Authentication>' "http://192.168.2.84:8080/auth/authn"
And the response would look like:
<?xml version="1.0" encoding="UTF-8" standalone="no"?>
<authenticationResult>
    <authenticated>true</authenticated>
    <authenticationToken>46423633</authenticationToken>
    <code>0</code>
    <failed>false</failed>
    <hasQuestions>false</hasQuestions>
    <message>ACCESS_OK</message>
    <publicID>tester/token/ffaff3f9-2a6b-43d0-bf94-b943af006fe9</publicID>
</authenticationResult>
Please let me know if this answers your questions.
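A client-side sketch of the request and response shown above, as an added example that is not part of the original reply or RSA's own code: it escapes user-typed values when building the `<Authentication>` body and parses `<authenticationResult>`, failing closed when the reply is anything else (such as a proxy login page). The function names are hypothetical, and requiring `authenticated`, `failed` and `code` to agree is an assumption drawn from the sample response.

```python
import xml.etree.ElementTree as ET
from xml.sax.saxutils import quoteattr

# Response body copied from the post above (sample values, not live data).
SAMPLE_OK = b"""<?xml version="1.0" encoding="UTF-8" standalone="no"?>
<authenticationResult>
<authenticated>true</authenticated>
<authenticationToken>46423633</authenticationToken>
<code>0</code>
<failed>false</failed>
<hasQuestions>false</hasQuestions>
<message>ACCESS_OK</message>
<publicID>tester/token/ffaff3f9-2a6b-43d0-bf94-b943af006fe9</publicID>
</authenticationResult>"""

# Constructed sample: what a client sees when a proxy answers with a login page.
SAMPLE_LOGIN_PAGE = b"<html><body><form>passcode</form></body></html>"


def build_authn_body(user_id: str, passcode: str) -> str:
    """Build the request body; quoteattr() escapes quotes, <, > and & typed by the user."""
    return ('<Authentication type="token"><token userID=%s passcode=%s />'
            "</Authentication>" % (quoteattr(user_id), quoteattr(passcode)))


def parse_authn_result(raw: bytes) -> dict:
    """Parse <authenticationResult>, failing closed on anything unexpected."""
    if b"<!DOCTYPE" in raw or b"<!ENTITY" in raw:
        raise ValueError("DTD or entity declarations are not accepted")
    try:
        root = ET.fromstring(raw)
    except ET.ParseError as exc:
        raise ValueError("response is not well-formed XML") from exc
    if root.tag != "authenticationResult":
        raise ValueError("unexpected root element: %r" % root.tag)

    def field(name: str) -> str:
        return (root.findtext(name) or "").strip()

    # Assumption: success requires all three indicators to agree.
    ok = (field("authenticated") == "true" and field("failed") == "false"
          and field("code") == "0")
    return {"ok": ok, "message": field("message"),
            "token": field("authenticationToken") if ok else None}
```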
Mohamed,
The issue isn't in trying to get the credentials validated, it's trying to
get to the REST service (and return data) that sits behind RSA. Seems
to me there are two options:
1) Send a request to the REST service. The device is not validated, so
the user is presented with the RSA login page. The user enters their
credentials. Now that they are validated, send another request to the
REST service. The issue with this method is that on Android devices, the
device is not seen as validated after the login page is called and the
credentials validated. Unless there is some way to 'tell' the request to
the REST service that validation has already taken place.
Is there something usable on the RSA login page that can be used to send
along with the request to the REST service to tell it that it has already
been validated, so we are not presented with the RSA login page again?
2) Create our own login page where the user can enter their RSA token
credentials themselves, and pass them along with the request to the REST
service. Is there a way to utilize these (passing as PROXY_SG_USERNAME,
PROXY_SG_PASSWORD and some other parameter perhaps?) so that when RSA sees
the request, it lets it through, instead of sending back the RSA login
page?
Jeff
