This technical note explains how to create Reflection for the Web sign-on macros for use with Passlogix v-GO SSO.
Note: For information about single sign-on macros using the Express Logon Feature (ELF), which uses RACF on the IBM host, see Technical Note 1865.
Reflection for the Web includes support for single sign-on macros, including Express Logon macros for users of IBM 3270 sessions.
Single sign-on to the host takes advantage of macros that you record as part of terminal session setup. In contrast to regular macros, which record and play back just one sequence of events, single sign-on macros let you create a collection of macros that combine to handle a variety of logon scenarios, such as a:
By recording a collection of macros, you create a tree-like structure with different branches that the macro system can follow as it plays back the macro and encounters different host screens. When the macro successfully completes playing, the credentials are stored in the Passlogix credential store and subsequent launches of the same session retrieve and play back the saved values.
The following steps show how to record the first macro of your single sign-on collection. In this example, some steps are similar to those used for an IBM mainframe (for example, the use of fields), but you may use other host types, which are generally similar.
Note: Only an administrator can create single sign-on macros for a terminal session, and only while creating or editing the session in the Administrative WebStation.
To record your first single sign-on macro:
Note: When entering data into host fields, if the cursor does not automatically move to the next required field, use the Tab key to move to the field.
Each prompt that you responded to when recording the macro is shown on a separate row in the top half of the dialog box. You cannot directly edit these rows; instead, select a row and change the settings in the lower half of the dialog box to update the display.
The following options are used when working with v-GO:
Always prompt user for value: This setting causes the macro to always prompt the user for a response. It will always be used to prompt for the user ID and password and to handle an expired password.
Prompt text: Provides the prompt text for macro rows that always prompt the user for a value. It is recommended that you use a unique string in this field, since Passlogix will use it as a key to differentiate this dialog from other dialogs.
Embed fixed user response in macro: This transmits the literal string entered during the recording process to the host. If data is constant and never changes, leave this setting as it is recorded.
Note: The macro is not fully saved until you save and exit the session. If you discard the session without saving it, any recorded macros that have not been saved previously are discarded as well.
For a new session: Click Map session access, assign the appropriate access to users for this session, and then click Save Settings.
For an existing session: Click Save Settings. Click Access Mapper in the left-navigation menu, assign the appropriate access to users for this session, and then click Save Settings again.
Set up Passlogix v-GO to recognize the username and password dialog boxes. If you need help configuring Passlogix, contact Oracle Customer Support: http://www.oracle.com/us/corporate/Acquisitions/passlogix/support-189442.html.
To test your first single sign-on macro:
After the session launches, the macro begins to play. Single sign-on macros always play at session startup, before any other startup macros, and they do not appear in the Play Macro dialog box.
Note: During the playback of the sign-on macro, if you have set up v-GO to interface with the user ID and password dialog correctly, v-GO will prompt for the user ID and password, and will then automatically enter the values in the user ID and password dialogs.
This time when the single sign-on macro plays, the saved credentials should be inserted automatically and no prompts should appear.
If playback was not successful, or if you want to change the prompts or other settings for the macro, follow these steps:
You may not be able to edit some macro changes from the Edit dialog box. If this occurs, delete and re-record the macro sequence.
To handle situations beyond a simple successful logon, record additional single sign-on macros for your single sign-on macro collection. All single sign-on macros recorded in the same terminal session are automatically added to that session's collection.
To prevent a failed logon, you can record a second macro that handles expired passwords. An incorrect password sent to the host typically results in a prompt that differs from the one received after a correct password. By creating a second macro that records this alternate sequence, the macro playback system can proceed down a different branch when it encounters the failure prompt.
To create an expired password sequence, access your directory services system and expire the password of your test user. Then, follow the steps below to record a second macro for your single sign-on collection. When prompted, enter the test user name and expired password, respond to the system prompt to enter a new password and continue recording login steps as needed.
The following diagram shows the process of two single sign-on macros to an IBM mainframe:
Figure 1: Single Sign-On Macros
In the diagram above, the first two steps for each sequence are identical, but the paths branch at step 3. In this example, steps 4 and 5 of Branch B prompt the user for input and save the responses as the values for future iterations of steps 1 and 2.
With this configuration, the next time the macro runs, the correct values will be transmitted in steps 1 and 2, and the macro will complete successfully down Branch A.
To record each additional macro for a single sign-on collection:
Note: When creating the second macro, you must re-record any steps that are the same as the existing macro(s) in the collection associated with this terminal session. Remember, you are creating a tree-like structure with different branches for the different host logon sequences. If part of the tree is common to more than one macro sequence, those steps are duplicated in each macro.
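The branching described above can be modeled in a few lines. This is an added conceptual sketch, not code from Reflection for the Web or Passlogix: the screen names, the prompt texts, the `Host` simulator and the dictionary standing in for the credential store are all assumptions. It shows two macros with re-recorded common steps merging into one tree, and the response to the expired-password prompt replacing the saved password so the next playback follows Branch A without prompting.

```python
# Conceptual model: screen names, prompt texts and the dict-based store are
# constructed for illustration; they are not Reflection or v-GO internals.

def build_tree(macros):
    """Merge macros, each a list of (screen, prompt, saves_as), into one tree."""
    root = {}
    for steps in macros:
        level = root
        for screen, prompt, saves_as in steps:
            node = level.setdefault(
                screen, {"prompt": prompt, "saves_as": saves_as, "next": {}})
            if (node["prompt"], node["saves_as"]) != (prompt, saves_as):
                raise ValueError(f"conflicting steps recorded for {screen!r}")
            level = node["next"]
    return root

class Host:
    """Constructed stand-in for a host whose password may be expired."""
    def __init__(self, password, expired):
        self.password, self.expired, self.state = password, expired, "USERID"
    def send(self, text):
        if self.state == "USERID":
            self.state = "PASSWORD"
        elif self.state == "PASSWORD":
            ok = text == self.password
            self.state = ("REJECTED" if not ok
                          else "EXPIRED" if self.expired else "READY")
        elif self.state == "EXPIRED":
            self.password, self.expired, self.state = text, False, "READY"
        return self.state

def play(tree, host, store, ask):
    """Follow the branch matching each host screen; return (steps, last screen)."""
    handled, level, screen = [], tree, host.state
    while screen in level:
        node = level[screen]
        value = store.get(node["prompt"])      # saved value fills the prompt
        if value is None:                      # nothing saved: ask, then save
            value = store[node["saves_as"]] = ask(node["prompt"])
        handled.append(screen)
        screen, level = host.send(value), node["next"]
    return handled, screen

# Branch A: normal logon. Branch B re-records the same two steps, then adds
# the expired-password prompt, whose response replaces the saved password.
BRANCH_A = [("USERID", "RWeb user ID", "RWeb user ID"),
            ("PASSWORD", "RWeb password", "RWeb password")]
BRANCH_B = BRANCH_A + [("EXPIRED", "RWeb new password", "RWeb password")]
TREE = build_tree([BRANCH_A, BRANCH_B])
```

Because the model looks up saved values by prompt text, two rows that share a prompt string would receive the same value, which is why a unique prompt string per dialog matters.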
Consider the following when resolving single sign-on macro conflicts: