Publishing internet web site through UAG – part 3

Published 30 December 10 04:31 PM | forefrontsecurity


Previously, on Forefront Security at MyItForum :

In this part, I want to introduce the custom Repository concept.

4. Custom Repository

In order to provide SSO mechanism, we have to select an authentication repository during application creation. There is a list of available repository (Active Directory, ADFS v2.0, LDAP …). But when the application has a custom directory, we have to create all the function to authenticate the user.

To do that, we create a custom repository. Previously, we named this repository “microsoftonline”. For the moment, it’s nothing than a word. For our project, we want to store BPOS credentials. We have chosen to use a SQL database. Our repository should :

  • Check that the user exist in the database
    • If the user exist, get the credentials
    • Else, add the credentials in the database

To summarize, here is the global mechanisms for the complete authentication :

  • on the left : functional mechanism
  • on the right : technical mechanism


4.1 Activation and features

In the wizard, you can define a custom repository, for example : microsoftonline


Then, copy the sample from \InternalSite\samples to \InternalSite\inc\CustomUpdate, and rename it ""

Is this sample files, there are 5 functions :

  • CheckCredentials (user_name, password): check that the credentials provided by the user are compliant with the repository strategy
  • AuthenticateRepositoryUser(repository,user_name,password) : After the previous check, authenticate the user. You have to write your own procedures.
  • CheckChallenge (challenge) : If you want to add a custom challenge (PIN, passphrase …), check that the challenge is compliant
  • ContinueAuthenticateRepositoryUser(repository,handle,challenge,challenge_code) : After the challenge check, verify that the challenge is successful. You have to write your own procedures
  • ChangeRepositoryUserPassword(repository,user_name,password,new_password) : This function is used to change userPassword in the repository after a reset

For more information about user-defined repository, have a look on the TechNet site :

And Andy’s Blog :

4.2 SQL database

We have chosen to use a SQL database. Below is the format of the table :


4.3 PostPostValidation

4.3.1 UAG SSO mechanism

When you active SSO with a repository

4.3.2 Get the Lead User

When an user open a session on the portal, his session account is stored into UAG. We need to get this accountname to make the search in the database. This accountname is named LeadUser.

We use the following code to do that :


There are other method to do that, but I have experienced some trouble with GetSessionLeadUser(g_cookie) for example.

4.3.3 Add Secondary credentials in user session cookie

After the portal logon, we want to associate the secondary logon credentials for BPOS in the user session cookie. Here is the method :

  • Create a file in the InternalSite\inc\CustomUpdate folder. The name of the file is <trunkName><0/1> In my case, it’s because the name of the trunk is portal and it’s an HTTPs trunk
  • Add the following information :
    • Get Lead User
    • Connect to the SQL Database and get secondary credentials :


    • For each secondary credentials, add a user session


4.4 User-Defined Repository Configuration

During the first logon on the BPOS portal, we want to catch the credentials of the user. We are doing that in the file :


4.5 Cinematic

For the example, I have :

  • 1 Active Directory Account : James Kirk
  • 1 BPOS account :
  • 1 UAG portal address : portal.uag.lab
  • 1 custom repository microsoftonline
  • 1 published application : Microsoft Online

PS : password are not encrypted in the database. We will see that later.

4.5.1 First Logon

  • Logon on the UAG Portal with “ADFS authen” (user jkirk)


  • Open the Microsoft Online App. We have the microsoftonline repository logon form.


  • Provide user credentials and click “open a session”. The BPOS Form appears.


  • On the UAG side, in the database, we can find the following entry :


4.5.2 Second Logon

  • Logon on the UAG Portal with “ADFS authen” (user jkirk)


  • On the UAG Side, open the Monitor Web Page, and have a look at the user session. The credentials for the Microsoft Online Application are loaded


  • When you attempt to open the Microsoft Online Application, logon on the custom repository is transparent. SSO works fine.


Published by Olivier DETILLEUX

Next Step : Publishing internet web site through UAG – part 4 – Custom Formlogin and AutoSubmit


# TrackBack said on August 22, 2011 04:30 PM:

This Blog


    We talk about Forefront Unified Access Gateway, Web SSO, DirectAccess, Threat Management Gateway, Identity Manager and other Forefront Technologies. Also, some post about Active Directory and other Identity and Access technos.