Layer7 Access Management

Tech Tip : CA Single Sign-On :: Web Agent::How to restrict user from using login.fcc directly

By Ujwol posted 02-13-2018 07:00 PM

  

Introduction

 

If you are using custom login page, you may want to restrict the user from acccessing the OOTB login.fcc URL

http://<FQDN>/siteminderagent/forms/login.fcc 

This blog will guide you on how to achieve this.

 

Environment

  • Policy Server : ANY
  • Web Agent : 12.5 and above

Instructions

It is not possible to completely restrict the access to login.fcc as it needs to be unprotected resource and also needed as the custom login page needs to post to this.


However, what you can do is modify the login.fcc such that it will have only the bare minimum required content enough for the POST request but not not enough for GET requests (direct access)

 

If you are using login.fcc ONLY for POST request then it is sufficient to have just the following content in it. (The error message is optional off-course)

<!-- SiteMinder Encoding=UTF-8; -->
@username=%USER%
@smretries=0

<b><font size="5" color="red">DO NOT USE THIS PAGE DIRECTLY !</font></b>

 

Please note : 

  • If ACO parameter localization=no, the default login.fcc used is : 

<webagent_install_directory>\samples\forms\login.fcc

  • If ACO parameter localization=yes, the default login.fcc used is : 

<webagent_install_directory>\samples\forms_<locale>\login_<locale>.fcc

e.g. for en-US locale it would be :

<webagent_install_directory>\samples\forms_en-US\login_en-US.fcc

 

TESTING:

1. Direct access : 

2. Custom login page still works :

Attached : Fiddler

 

Addtional References :

Custom Login Page 

3 comments
1 view

Comments

02-15-2018 06:59 AM

Thanks

02-15-2018 06:55 AM

It doesn’t matter much. However, I do like to keep it alongside other fccs.

02-15-2018 06:53 AM

Hi Ujwol, just minor query, which is the best place to keep this custom login.fcc, although it worked by keeping it anywhere in the web server but a nominal suggestion from your end please.