
IDMWORKS Blog

Enterprise SSO for Smarties: Tackling Hybrid Applications



One of the greatest things about the explosion of client-side web technologies is the wealth of new ways for web developers to create compelling user experiences. From Ajax-based toolkits like Google Web Toolkit and ExtJS to rich client platforms like Flash and Java, it seems like there are 100 different ways to accomplish anything. This can be great for the developers, but it can be a real headache for eSSO solutions that try to target those GUIs for credential injection. A common scenario, especially for web applications hosted on a Microsoft infrastructure, is that the login screen is written in one technology but the password change process takes place using another. This is often referred to as a Hybrid Application. There are several types that you might run into, but the solution is basically the same.

The problem with attacking these applications head on is how to integrate these different technologies into a coherent and seamless user experience. Most, if not all, eSSO providers (Oracle/Passlogix, Citrix, Imprivata) require you to create some kind of profile (or template) that contains the information the eSSO agent needs to properly handle credential injection (the application’s name, what’s in the title bar, what the various controls for UserID and Password are called, etc.). They also need to know what type of application to look for (Windows, web, Java, etc.). And therein lies the rub. Each profile can only look for 1 TYPE of application. Sure, a single profile can handle the several SCREENS an application might throw at it, but they have to be of the same type.

To make this work you need to create two separate profiles.

One for the login screen based on its type (a nifty Java applet perhaps), and another for the password change dialog process, maybe a nice simple web page. After creating and testing the two templates individually you then link the two together.

What it’s called depends on the eSSO product that you are using, but they all have some facility to group applications that share a common credential. In this case we’re using this handy little feature to keep two different functions of the same application in sync. Credential changes made using the profile targeting one application type are automatically cascaded into the credential submission profile even though it’s a different underlying technology.
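The effect of linking the two profiles, as an added sketch that is not from the original post and does not reflect any vendor's profile format or API: a toy agent matches each window to a profile by application type and stores credentials per sharing group. All names (`Profile`, `Agent`, `hybrid-app`, the sample credentials) are hypothetical.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Profile:
    name: str        # hypothetical profile name
    app_type: str    # a profile matches exactly one type: "java", "web", ...
    role: str        # "login" (credential submission) or "change" (password change)
    group: str = ""  # credential sharing group; empty means unlinked

class Agent:
    """Toy eSSO agent: one profile per application type, one vault entry per group."""
    def __init__(self, profiles):
        self.profiles = profiles
        self.vault = {}  # vault key -> (user, password)

    def _key(self, p):
        # Linked profiles share a single vault entry; unlinked ones keep their own.
        return p.group or p.name

    def _match(self, app_type, role):
        for p in self.profiles:
            if p.app_type == app_type and p.role == role:
                return p
        return None  # no profile of this type: the agent ignores the window

    def enroll(self, profile_name, user, password):
        p = next(p for p in self.profiles if p.name == profile_name)
        self.vault[self._key(p)] = (user, password)

    def on_password_change(self, app_type, user, new_password):
        p = self._match(app_type, "change")
        if p is not None:
            self.vault[self._key(p)] = (user, new_password)
        return p is not None

    def on_login(self, app_type):
        p = self._match(app_type, "login")
        return self.vault.get(self._key(p)) if p else None

def run(linked):
    """Java login screen plus web password-change page, linked or not."""
    group = "hybrid-app" if linked else ""
    agent = Agent([Profile("app-login", "java", "login", group),
                   Profile("app-pwchange", "web", "change", group)])
    agent.enroll("app-login", "jdoe", "old-secret")  # constructed sample credential
    agent.on_password_change("web", "jdoe", "new-secret")
    return agent.on_login("java")  # what gets injected at the next Java login
```

With `linked=False` the Java login profile still injects the old password after the web-based change; with `linked=True` both profiles read and write the same entry.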
