Layer7 Access Management


How to disable or hide the SMTOKEN being passed in the smpwservices.fcc page?

  • 1.  How to disable or hide the SMTOKEN being passed in the smpwservices.fcc page?

    Posted 10-14-2017 07:43 PM

    I have a requirement to disable or hide the SMTOKEN being passed in the smpwservices.fcc page. I want to hide it like USERNAME. Any help would be really appreciated.



  • 2.  Re: How to disable or hide the SMTOKEN being passed in the smpwservices.fcc page?

    Posted 10-14-2017 10:48 PM

    Hi Kannan,

     

    Remove the Login ID When Redirecting for Password Services

     

    During password services processing, a user request is redirected multiple times. When the request is redirected, the login ID (typically the username) which was entered by the user is appended to the request URL by default. To modify the default behavior so that the login ID (username) is not appended to redirects, you can do one of the following procedures.

    To remove the login ID when redirecting for password services in Windows

    1. Add the following registry key:

       HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Netegrity\SiteMinder\CurrentVersion\PolicyServer\DisallowUsernameInURL

    2. Set the DWORD value to one of the following values:

       0 — Applies the default behavior of appending the UID to the request URL.
       1 — Changes the default behavior so that the UID is not appended to the request URL.

    To remove the login ID when redirecting for password services in UNIX

    1. Navigate to:

       policy-server-install-dir/registry/

    2. In a text editor, open the following file:

       sm.registry

    3. Add the following registry key:

       HKEY_LOCAL_MACHINE\SOFTWARE\Netegrity\SiteMinder\CurrentVersion\PolicyServer=(#number)\DisallowUsernameInURL

    4. Set the DWORD value to one of the following values:

       0 — Applies the default behavior of appending the UID to the request URL.
       1 — Changes the default behavior so that the UID is not appended to the request URL.

    Refer:

     

    https://docops.ca.com/ca-single-sign-on/12-52-sp1/en/configuring/policy-server-configuration/password-services-and-policies/how-to-configure-password-policies

     

    Regards,
    Leo Joseph.
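
To confirm the effect of DisallowUsernameInURL after the change above, an administrator can scan the web server access log for password-services requests that still carry USERNAME or SMTOKEN in the query string. This is an added example, not part of the original post or any CA tooling; it assumes a combined-format access log, and the /siteminderagent/forms/ path, addresses and parameter values in the sample lines are constructed.

```python
import re
from urllib.parse import urlsplit, parse_qsl

# Parameter names come from the thread; the access-log format is an assumption.
WATCHED = ("USERNAME", "SMTOKEN")
REQUEST_RE = re.compile(r'"(?:GET|POST|HEAD) (\S+) HTTP/[\d.]+"')

# Constructed sample lines (not real traffic); all values are placeholders.
SAMPLE_LOG = """\
192.0.2.10 - - [14/Oct/2017:19:43:01 +0000] "GET /siteminderagent/forms/smpwservices.fcc?USERNAME=jdoe&SMTOKEN=EXAMPLETOKEN HTTP/1.1" 200 5120
192.0.2.11 - - [14/Oct/2017:19:44:10 +0000] "GET /siteminderagent/forms/smpwservices.fcc?SMTOKEN=EXAMPLETOKEN2 HTTP/1.1" 200 5120
192.0.2.12 - - [14/Oct/2017:19:45:22 +0000] "GET /app/index.html?username=ignored HTTP/1.1" 200 812
192.0.2.13 - - [14/Oct/2017:19:46:30 +0000] "POST /siteminderagent/forms/smpwservices.fcc HTTP/1.1" 302 0
"""


def audit_password_services_urls(log_text, page="smpwservices.fcc"):
    """Return (counts, findings) for watched parameters seen on requests to `page`."""
    counts = {name: 0 for name in WATCHED}
    findings = []  # (line number, [parameter names]); values are never recorded
    for lineno, line in enumerate(log_text.splitlines(), start=1):
        match = REQUEST_RE.search(line)
        if not match:
            continue
        url = urlsplit(match.group(1))
        if not url.path.lower().endswith("/" + page):
            continue
        # keep_blank_values so an empty "USERNAME=" still counts as present
        present = {k.upper() for k, _ in parse_qsl(url.query, keep_blank_values=True)}
        hits = [name for name in WATCHED if name in present]
        for name in hits:
            counts[name] += 1
        if hits:
            findings.append((lineno, hits))
    return counts, findings


if __name__ == "__main__":
    counts, findings = audit_password_services_urls(SAMPLE_LOG)
    for lineno, hits in findings:
        print(f"line {lineno}: {', '.join(hits)} present in query string")
    print(counts)
```

With the value set to 1, the USERNAME count for new log entries should stay at zero; SMTOKEN will still appear, which matches the later replies in this thread.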



  • 3.  Re: How to disable or hide the SMTOKEN being passed in the smpwservices.fcc page?

    Posted 10-16-2017 08:59 PM

    Hello Leo,

     

    I am aware of this and implemented this for User ID. I want to know it for SMTOKEN.

     

    Could you please tell me how to hide the SMTOKEN being passed in the URL?



  • 4.  Re: How to disable or hide the SMTOKEN being passed in the smpwservices.fcc page?

    Posted 10-16-2017 09:11 PM

    Unfortunately, there is no setting to just hide SMTOKEN from the URL.

    If it works for you, you can try using SecureURLs=yes

    Encrypt Query String Parameters in Redirection URLs - CA Single Sign-On - 12.52 SP1 - CA Technologies Documentation



  • 5.  Re: How to disable or hide the SMTOKEN being passed in the smpwservices.fcc page?

    Posted 10-16-2017 10:47 PM

    Thanks Ujwol and Leo.

     

    Yeah, we can use it; however, the SMTOKEN value is already encoded, so even if we use SecureURL the values will be in encoded format only.

    These values can be reversed by others, so that's why I was checking the possibilities to hide those values being passed in the smpwservices.fcc page.



  • 6.  Re: How to disable or hide the SMTOKEN being passed in the smpwservices.fcc page?
    Best Answer

    Posted 10-16-2017 11:02 PM

    Hi Jayaram,

     

    First of all, if you use SecureUrls, the entire query string will be ENCRYPTED (and not just encoded). Agent Keys are utilized to encrypt the query string. So even if someone gets the encrypted querydata, it is virtually impossible for them to be able to decrypt it.

    Now, coming to SMTOKEN, it is also not just encoded but also encrypted (possibly with the persistent key). Moreover, the SMTOKEN just contains the ticket number which identifies the current session and doesn't hold any other sensitive user information. Again, even if someone is able to access it, they can't decrypt it.

     

    Regards,

    Ujwol



  • 7.  Re: How to disable or hide the SMTOKEN being passed in the smpwservices.fcc page?

    Posted 10-17-2017 12:54 AM

    Thank you very much, Ujwol!

    It would be great if you could provide me the link to check the SMTOKEN information, as I was not able to find any information on the internet related to this.