Friday, September 13, 2013

OpenAM with HOTP and OATH and Microsoft SharePoint

If Microsoft SharePoint is integrated with OpenAM, we know that the Password Replay feature is required. 

There are numerous links on how to achieve Single Sign-On between OpenAM and SharePoint server:

Another thing to note is that Authentication Chaining (e.g. AD followed by OATH) will break the Password Replay support.

This is because the password from the AD module is not carried over to OATH module. And thus the OATH module cannot pass over the password to the Password Relay Post Authentication Processing module. 

You'll get a HTTP 403: Forbidden error when trying to access a SharePoint page.

There is a workaround though. 

Step 1: Do not use Authentication Chaining

Step 2: In each HOTP and/or OATH module, set the Authentication Level to higher than 0. e.g. 10

Step 3: Create a Condition - Authentication Level in the SharePoint Policies. 

Step 4: Set the Authentication Level to 10.

Now, of course, this implies all policies have to be configured the same.


No comments:

Post a Comment