I have a requirement to disable or hide the SMTOKEN that is being passed in the smpwservices.fcc page. I want to hide it like USERNAME. Any help would be really appreciated.
Remove the Login ID When Redirecting for Password Services
During password services processing, a user request is redirected multiple times. When the request is redirected, the login ID (typically the username) which was entered by the user is appended to the request URL by default. To modify the default behavior so that the login ID (username) is not appended to redirects, you can do one of the following procedures.
To remove the login ID when redirecting for password services in Windows
Add the following registry key:
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Netegrity\SiteMinder\CurrentVersion\PolicyServer\DisallowUsernameInURL
Set the DWORD value to one of the following values:
0 — Applies the default behavior of appending the UID to the request URL.
1 — Changes the default behavior so that the UID is not appended to the request URL.
To remove the login ID when redirecting for password services in UNIX
policy-server-install-dir/registry/
In a text editor, open the following file:
sm.registry
Add the following registry key:
HKEY_LOCAL_MACHINE\SOFTWARE\Netegrity\SiteMinder\CurrentVersion\PolicyServer=(#number)\DisallowUsernameInURL
Set the DWORD value to one of the following values:
0 — Applies the default behavior of appending the UID to the request URL.
1 — Changes the default behavior so that the UID is not appended to the request URL.
I am aware of this and implemented this for User ID. I want to know it for SMTOKEN.
Could you please tell me how to hide SMTOKEN being passed in the URL?
Unfortunately, there is no setting to just hide SMTOKEN from the URL.
If it works for you, you can try using SecureURLs=yes
Encrypt Query String Parameters in Redirection URLs - CA Single Sign-On - 12.52 SP1 - CA Technologies Documentation
Thanks Ujwol and Leo.
Yeah, we can use it; however, the SMTOKEN value is already encoded, so if we use SecureURL too, the values will be in encoded format only.
These values can be reversed by others, so that's why I was checking the possibilities to hide those values being passed in the smpwservices.fcc page.
First of all, if you use SecureUrls, all of the query string will be ENCRYPTED (and not just encoded). Agent Keys are utilized to encrypt the query string. So even if someone gets the encrypted query data, it is virtually impossible for them to be able to decrypt it.
Now, coming to SMTOKEN, it is also not just encoded but also encrypted (possibly with the persistent key). Moreover, the SMTOKEN just contains the ticket number which identifies the current session and doesn't hold any other sensitive user information. Again, even if someone is able to access it, they can't decrypt it.
Thank you much Ujwol!
It would be great if you could provide me the link to check about SMTOKEN information, as I was not able to find any information on the internet related to this.
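An added example, not part of the thread and not CA code: a small audit script that checks web server access logs for password services requests still carrying USERNAME or SMTOKEN in clear query parameters, for instance after changing DisallowUsernameInURL or SecureUrls. The common/combined log format, the /siteminderagent/forms/ path and the sample lines are assumptions constructed for illustration.

```python
import re
from urllib.parse import urlsplit, parse_qsl

# Parameter names and page name taken from the thread; matched case-insensitively.
SENSITIVE = ("SMTOKEN", "USERNAME")
FCC_PAGE = "smpwservices.fcc"

# Request line of a common/combined-format access log entry (assumed log format).
REQUEST_RE = re.compile(r'"(?:GET|POST|HEAD) (\S+) HTTP/[\d.]+"')
VALUE_RE = re.compile(r'(?i)\b(%s)=[^&\s"]*' % "|".join(SENSITIVE))


def exposed_params(log_line):
    """Return sorted sensitive parameter names present in the query string of
    a request to the password services page; [] if none or not that page."""
    m = REQUEST_RE.search(log_line)
    if not m:
        return []
    url = urlsplit(m.group(1))
    if not url.path.lower().endswith(FCC_PAGE):
        return []
    names = {k.upper() for k, _ in parse_qsl(url.query, keep_blank_values=True)}
    return sorted(names & set(SENSITIVE))


def redact(log_line):
    """Mask sensitive parameter values so findings can be shared safely."""
    return VALUE_RE.sub(lambda m: m.group(1) + "=<redacted>", log_line)


def scan(lines):
    """Yield (line_number, exposed_names, redacted_line) for each finding."""
    for n, line in enumerate(lines, 1):
        found = exposed_params(line)
        if found:
            yield n, found, redact(line)


# Constructed sample log lines (not real traffic; path and values are made up).
SAMPLE = [
    '10.0.0.5 - - [01/Jan/2024:10:00:00 +0000] "GET /siteminderagent/forms/smpwservices.fcc?USERNAME=jdoe&SMTOKEN=AAAA1111&lang=en HTTP/1.1" 200 512',
    '10.0.0.5 - - [01/Jan/2024:10:00:05 +0000] "GET /siteminderagent/forms/smpwservices.fcc?SMTOKEN=BBBB2222 HTTP/1.1" 200 512',
    '10.0.0.6 - - [01/Jan/2024:10:00:09 +0000] "GET /app/index.html?lang=en HTTP/1.1" 200 90',
]

if __name__ == "__main__":
    for n, names, line in scan(SAMPLE):
        print(n, names, line)
```

Lines that report USERNAME after DisallowUsernameInURL is set to 1 indicate the setting has not taken effect on that Policy Server.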