How to enable RSA SecurID Browser Plug-In for APM
We are currently installing an Edge Gateway in our network and we use RSA Soft Tokens for authentication. We were looking for the browser plug-in option like there is on the firepass device and couldn't find it. I have summited an RFE for this but we needed a work around quick. I have listed the steps below to integrate the browser plug-in into the Edge. This will work if you are using the "password" field as your token code input. If you are trying to do 2 factor auth using and AD or LDAP password also then you will need to modify this code. If you need help please message me.
- Login to the management UI and navigate to “Access Policy” -> “Customization”.
- Change the view of the editor to “Advanced”.
- Navigate to your logon page include file. My file was located at “Access Profiles/Common/<profile name>/Macros/Logon Page and Auth/Logon Pages/Logon Page” and there should be a logon.inc file. Your location may vary depending on where the logon page is in your policy. This instance the logon page is in a Macro called “Logon Page and Auth”.
- Add the following code to the logon.inc file. The code to replace will be in the part where the code prints the input tags in the HTML (this was on line 386 for me). Be careful because there are two lines that look the same. I am updating the first line because my configuration prints the input box below the label not on the same line. If you print on the same line you will replace the second instance of this code.
REPLACE THIS CODE:
<input type=<? print( $field_settings["type"] ); ?> name=<? print( $field_settings["name"] ); ?> class="credentials_input_<? print( $field_settings["type"] ); print( $_disabled ) ?>" <? print( $disabled ); ?> value="<? print( $field_settings["value"] ); ?>" id="<? print( "input_{$id}" ); ?>" autocomplete="off" autocapitalize="off">
WITH THIS CODE:
<? if( $field_settings["name"] == "password" ) { ?>
<input type="<? print( $field_settings["type"] ); ?>" name="<? print( $field_settings["name"] ); ?>" class="credentials_input_<? print( $field_settings["type"] ); print( $_disabled ) ?>" <? print( $disabled ); ?> value="<? print( $field_settings["value"] ); ?>" id="<? print( "input_{$id}" );?>" onfocus="querySoftToken();" autocomplete="off" autocapitalize="off">
<? } else { ?>
<input type="<? print( $field_settings["type"] ); ?>" name="<? print( $field_settings["name"] ); ?>" class="credentials_input_<? print( $field_settings["type"] ); print( $_disabled ) ?>" <? print( $disabled ); ?> value="<? print( $field_settings["value"] ); ?>" id="<? print( "input_{$id}" );?>" autocomplete="off" autocapitalize="off">
<? } ?>
- Now we need to add a few more things to make this work.
The following code needs to be added around line 134… I added mine above the “getFormCompatibility()” function.
//Add compatability for using the RSA Token with the browser.
function querySoftToken()
{
if(typeof(document.sdui.sdAuth) == "undefined")
return;
var form = document.getElementById( globalFormId );
var date = new Date();
var time = Math.round(date.getTime()/1000);
var user = form.username.value;
var state = 0;
var systempin, pin_min, pin_max, pin_type, pin_mode, rsa_status, e;
if(form.rsa_pin != null) {
systempin = form.rsa_pin.value;
} else {
systempin = 0;
}
if (form.rsa_status == null) {
rsa_status = "99";
} else {
rsa_status = form.rsa_status.value;
}
switch(rsa_status) {
case "6": // 6 = next tokencode
if (typeof(document.sdui.sdNext) != "undefined" && document.sdui.sdNext() == 1 ) {
form.password.value = document.sdui.getNext();
form.username.value = document.sdui.getUsername();
break;
} else return;
case "7": // user must select pin or use system pin
case "9": // user must select pin
pin_min = form.rsapin_min.value;
pin_max = form.rsapin_max.value;
if (form.rsapin_type.value == 0)
pin_type = 1; // alnum
else
pin_type = 0; // num
if (rsa_status == 7)
pin_mode = 1;
else
pin_mode = 2;
if (typeof(document.sdui.sdPin) != "undefined"
&& document.sdui.sdPin(pin_min, pin_max, pin_mode, pin_type, systempin) == 1) {
form.password.value = document.sdui.getPin();
form.rsaChallenge.value = form.password.value;
break;
} else {
form.password.value = "cancel_new_pin_mode";
form.rsaChallenge.value = form.password.value;
break;
}
case "8": // user must use system PIN
if (typeof(document.sdui.sdPin) != "undefined" && document.sdui.sdPin(0, 0, 0, 0, systempin) == 1) {
form.password.value = systempin;
form.rsaChallenge.value = systempin;
break;
} else {
form.password.value = "cancel_new_pin_mode";
form.rsaChallenge.value = form.password.value;
break;
}
case "10": // pin accepted, next passcode
if (document.sdui.sdAuth(time, user, state) == 1) {
form.username.value = document.sdui.getUsername();
form.password.value = document.sdui.getNext();
break;
} else window.location='/my.logon.php3';
case "99": // initial logon page (no status yet)
default: // access denied, pin rejected, etc.
if (document.sdui.sdAuth(time, user, state) == 1) {
form.username.value = document.sdui.getUsername();
form.password.value = document.sdui.getPasscode();
break;
} else return;
}
if (form.login != null) form.login.disabled=1;
e = document.createElement("input");
e.setAttribute("name", "rsa_soft_token");
e.setAttribute("type", "hidden");
e.setAttribute("value","on");
form.appendChild(e);
form.submit();
}
- Last thing to add will be the reference to the object. I added this on line 96 just below the link reference to the apm.css stylesheet.
<object hidden="true" name="sdui" id="sdui" classid="clsid:99548BB4-F895-11D0-93CA-00A024D1214D"></object>
- Now you have to apply your access policy.
If you have installed a newer version of the Soft Token you need to make sure to do a custom install and select the browser plugin option. This only works in IE.
Seth Cooper
