Mozilla Firefox Extended Support Release (ESR) 45.2, 52.0 single sign-on extension Sept 2017

News

Abstract

This document identifies the supported versions of Mozilla Firefox Extended Support Release (ESR) and provides the procedure for installing the AccessAgent single sign-on extension for Mozilla Firefox ESR.
As of 20 April 2018, this Mozilla Firefox ESR extension is not the latest version available. A newer version is available from http://www-01.ibm.com/support/docview.wss?uid=swg21660003.

Content

Applies to: IBM Security Access Manager for Enterprise Single Sign-On; IBM Security Privileged Identity Manager

You must install the extension so that you can single sign-on to web applications through Mozilla Firefox ESR 45 or 52 (all releases).

Prerequisites
Download package
Install the extension
Verify the installation
Create AccessProfiles for Firefox
Known issues and limitations
Troubleshoot AccessProfiles

Prerequisites

Single sign-on client

AccessAgent 8.2.2 Fix Pack 13 or later
Privileged Access Agent 2.1.0 with Fix Pack 6 or later

Mozilla Firefox ESR

52 (All releases)
45 (All releases)

Download package

Date	Download
29 Sept 2017 Version 8.2.2.0257 (exe, 488 KB)	FirefoxExtension-8.2.2.0257.exe

To download earlier versions of extensions for Firefox ESR 31 and 38, go to Single sign-on support for Mozilla Firefox ESR 31 and 38.

Resolved defects

29 Sept 2017: FirefoxExtension-8.2.2.0257

APAR IV99852
The extension causes Firefox to crash when Access Agent is not installed on the workstation.
Defect
Firefox might fail when the runtime API GetBrowserTopLevelWindow is used multiple times in an AccessProfile.
Defect (IBM Security Privileged Identity Manager users only)
The extension installer log file is not saved in the Access Agent installation folder.

30 June 2017: FirefoxExtension-8.2.2.0256

APAR IV93357
Injection fails if a credential contains escape characters such as \n or \t.
Defect
The extension debugging logs are not displayed in the Firefox Browser Console.

16 August 2016: FirefoxExtension-8.2.2rc1
Initial.

Installing the extension

Before you begin

Download and install Mozilla Firefox ESR 45.2, 52.0, or later.
Install the required AccessAgent or Privileged Access Agent version.

Procedure

Run FirefoxExtension-*.exe. < /br>
The installer assumes that Firefox is installed by default in <Program Files>\Mozilla Firefox.
Important: If Mozilla Firefox is installed in a non-default path or is not in C: drive, (for example: D:\Mozilla Firefox) complete the following steps:
1. Start the command prompt with administrator privileges.
2. Browse to the location of the FirefoxExtension-*.exe.
3. Specify the Firefox non-default installation path as an argument.
  For example: FirefoxExtension-*.exe <custom path>.
To verify that the installation was successful, check the FFExtensioninstaller.log file for any error messages or warnings. The FFExtensioninstaller.log file is stored in <isamesso_aa_installed_location>\logs.

Verifying the installation

In Mozilla Firefox, go to Tools > Add-ons > Extensions. Verify that the IBM Web SSO Extension is displayed and enabled.

Creating AccessProfiles for Mozilla Firefox

To create AccessProfiles for Mozilla Firefox ESR, install the AccessStudio.

Remember: You cannot generate the element signature with Firefox. As a workaround, use Internet Explorer.

Known issues and limitations

In Firefox, the Browser starts navigating form page trigger fires when a Web FORM on the page is submitted.
Access to DOM content inside cross-domain Frames and iFrames is not supported.
The AccessStudio Web Finder tool is not supported on Firefox ESR. To generate the signature, use the Internet Explorer web browser.

Troubleshoot AccessProfiles

Increase the log level for AccessAgent
In the registry editor, browse to HKEY_LOCAL_MACHINE > SOFTWARE > IBM > ISAM ESSO > ECSS > DeploymentOptions.

Increase the value for LogLevel to 3 or 4.
Increase LogFileSize to more than 10240.

Collect logs from the Firefox browser

Open the Firefox browser.
Press Ctrl+Shift+J to open the Browser Console.
Recreate the problem.
In Browser Console, in the Server tab, select all the content, and copy it to a file named FFBrowserConsole.log.
Copy this file to <aa_install_folder>\logs.

If the issue is related to identifying the element, increase LogLevel to 4 to see the XPath Parser logs.

Note: If you are requested by IBM Support, package the logs folder into a file and send the compressed file to IBM Support.

Reviewing the signature from the Firefox browser

Before you review the signature, ensure that you have exported the browser console logs to FFBrowserConsole.log. See Collect logs from the Firefox browser.

For a single sign-on AccessProfile to work successfully, you must find the correct web element signature. The following line is an example of a typical signature:

/child::html/descendent::form/descendent::input[@tag_name="input" and @type="password"]

In the FFBrowserConsole.log, this line indicates that the signature is not found. This line appears in the logs that you collect from the Browser Console.

WebFinder Result: Parse error; xpath = "/child::html/descendent::form/descendent::input[@tag_name=\"input\" and @type=\"password\"]"

To diagnose this problem, follow the steps below:

1. Look for the following line. In this line, the parser starts to look for the signature.

---- PROCESS QUERY STARTS: xpath = /child::html/descendent::form/descendent::input[@tag_name="input" and @type="password"] ----

2. For each step of the XPath, you can see a corresponding set of properties. For example, for the /descendent::form,

---- PARSER INTERNAL STARTS: After getDescendantFormNode ---- _vecCurrentElements = Array ( [0] => { tag: FORM, id: tsf, name: f } ) _State = 0 _currentOperator = 0 _currentPredOperator = 0 _mmCurrentClause = { op: 0, vecNVPairs = Array ( ) } _mmCurrentPredicate = Array ( ) _wsCurrentExprName = _wsCurrentExprValue = _wsAttributeName = _wsAttributeExpr = _wsPostEvalExprValue = _vecAttributes = Array ( ) ---- PARSER INTERNAL ENDS ----

Note the action getDescendantFormNode. This is the action being performed. This action shows which step of the parsing is being run.
_vecCurrentElements is the current set of matches found after running the action. The result of getDescendantFormNode is a FORM with the NAME f and ID tsf

3. For predicates or conditions, such as [@tag_name="input" and @type="password"], look for reducePredicate: @tag_name="input" and @type="password" .

reducePredicate: @tag_name="input" and @type="password" ---- PARSER INTERNAL STARTS: After reducePredicate ---- _vecCurrentElements = Array ( ) _State = 4 _currentOperator = 1 _currentPredOperator = 0 _mmCurrentClause = { op: 0, vecNVPairs = Array ( ) } _mmCurrentPredicate = Array ( ) _wsCurrentExprName = type _wsCurrentExprValue = password _wsAttributeName = _wsAttributeExpr = _wsPostEvalExprValue = _vecAttributes = Array ( ) ---- PARSER INTERNAL ENDS ----

Note that _vecCurrentElements at this point is empty. This implies that no element is found to match this condition.
Review the previous lines on the logs to identify precisely where _vecCurrentElements is set to an empty value. From this information, you can identify the first action that resulted in a no-match.
Check the information provided for the HTML elements that matched the previous action or clause to identify what is missing. For instance, the last log entry with some matches was in getDescendantInputNode.

---- PARSER INTERNAL STARTS: After getDescendantInputNode ---- _vecCurrentElements = Array ( [0] => { tag: FORM, id: tsf, name: f } [1] => { tag: INPUT, name: sclient, type: hidden } [2] => { tag: INPUT, name: site, type: hidden } [3] => { tag: INPUT, name: source, type: hidden } [4] => { tag: INPUT, id: lst-ib, class: gsfi, name: q, type: text } [5] => { tag: INPUT, id: gs_taif0, class: gsfi } [6] => { tag: BUTTON, class: lsb, name: btnG, type: submit } [7] => { tag: INPUT, name: oq, type: hidden } [8] => { tag: INPUT, name: gs_l, type: hidden } [9] => { tag: INPUT, name: pbx, type: hidden } ) _State = 0 _currentOperator = 0 _currentPredOperator = 0 _mmCurrentClause = { op: 0, vecNVPairs = Array ( ) } _mmCurrentPredicate = Array ( ) _wsCurrentExprName = _wsCurrentExprValue = _wsAttributeName = _wsAttributeExpr = _wsPostEvalExprValue = _vecAttributes = Array ( ) ---- PARSER INTERNAL ENDS ----

Note that in the list of matched elements, none of the INPUT fields found has a type called password causing the condition to fail.

You can use the approach described in this example as an alternative to opening the HTML source. Opening the HTML source can be misleading because of the quirks in the browser.

Tip: Blocks for reduceExprName, setOperator, reduceExprValue and postEvalExprValue can be usually ignored.

Revision history

Date	Description
29 September 2017	Updated with Firefox extension 8.2.2.0257.
30 June 2017	Updated with Firefox extension 8.2.2.0256.
7 April 2017	Updated for Firefox ESR 52.
16 August 2016	Initial version for Firefox ESR 45 and AccessAgent 8.2.2 with fix pack 9.

Related Information

Extensions

[{"Product":{"code":"SS9JLE","label":"IBM Security Access Manager for Enterprise Single Sign-On"},"Business Unit":{"code":"BU059","label":"IBM Software w\/o TPS"},"Component":"AccessAgent","Platform":[{"code":"PF033","label":"Windows"}],"Version":"8.2.2","Edition":"","Line of Business":{"code":"LOB24","label":"Security Software"}},{"Product":{"code":"SSRQBP","label":"IBM Security Privileged Identity Manager"},"Business Unit":{"code":"BU059","label":"IBM Software w\/o TPS"},"Component":" ","Platform":[{"code":"","label":""}],"Version":"2.0.2;2.1.0","Edition":"","Line of Business":{"code":"LOB24","label":"Security Software"}}]

Tips