Symantec Access Management

  • 1.  How to redirect Unauthorized user

    Posted Aug 31, 2010 12:23 AM
    Hi,
    Currently we don't have any responses set up in our SiteMinder environment. We want to set up responses that tell the user what was wrong, such as user name wrong, password wrong, or group membership missing (authorization), instead of bringing up the login page again and again.

    Here is what I did so far:

    1) Created Test Realm > Created Test-Rule under the Realm
    2) Created Unauthorized-Rule and selected Web Agent actions Authorization and OnAccessReject
    3) Created response "WebAgent-onReject-Redirect" and selected Attribute Kind: Static, Variable Value: "/siteminderagent/forms/loginunauthorized.fcc"
    4) Created Test Policy, added Group, added Test-Rule and Unauthorized-Rule
    5) Added response "WebAgent-onReject-Redirect" to Unauthorized-Rule.

    I am not a member of the group, so when I try to log in it should redirect me to the page loginunauthorized.fcc, but it keeps redirecting me. Please suggest what I am doing wrong.

    Thank you,


  • 2.  RE: How to redirect Unauthorized user
    Best Answer

    Posted Nov 16, 2010 02:25 PM
    Some of this can be done via "disallowforcedlogin".
    However, this IS a security hole.
    It lets hackers know what to modify, and how, in order to break in.
    I strongly suggest throwing this idea out the window.


  • 3.  RE: How to redirect Unauthorized user

    Broadcom Employee
    Posted Nov 11, 2011 11:00 AM
    Hello,


    Using WebAgent-onReject-Redirect to redirect to any .fcc file will usually fail, as the .fcc files require special parameters to work. Please see KB TEC488184:
    https://comm.support.ca.com/?legacyid=TEC488184

    So to do what you are looking to do, I would suggest that you use a custom JSP page, read in the smauthreason value, and display the message you would like.

    That being said, I must reiterate: what you are trying to do is generally considered a very bad idea, as it can allow for the harvesting of user names and other information about your processes.

    Generally speaking, it has become standard practice to do one of two things when a user fails authentication:
    1) Send them back to a blank login screen to start over, with no message as to why.
    2) Send them to a screen that tells them to contact support, with no explanation as to why. (This is usually done after X number of attempts, and possibly an account lockout.)

    Any type of message that is returned could be seen as a vulnerability in today's security environments.


  • 4.  RE: How to redirect Unauthorized user

    Posted Jan 06, 2012 11:51 AM
    Hi,

    When a failed attempt is made, I get the login page again. But the value 'smauthreason' is not coming through; it is always 0. Could you tell me whether I need to configure anything to get the value populated?

    Here are the hidden parameters I have placed in login.fcc

    <!-- Hidden fields carried through the login form; each $$name$$ token is substituted by the FCC -->
    <input type="hidden" name="target" value="$$target$$">
    <input type="hidden" name="smquerydata" value="$$smquerydata$$">
    <input type="hidden" name="smauthreason" value="$$smauthreason$$">
    <input type="hidden" name="smusrmsg" value="$$smusrmsg$$">
    <input type="hidden" name="smretries" value="0">
    <input type="hidden" name="smagentname" value="$$smagentname$$">
    <input type="hidden" name="postpreservationdata" value="$$postpreservationdata$$">

    Thank you very much in advance and I appreciate it.

    Thanks,
    Venkat


  • 5.  RE: How to redirect Unauthorized user

    Posted Jan 06, 2012 12:04 PM
    Hello Venkat,

    Have you modified the login page? If you use the basic login.fcc page, you will find these parameters at the top:

    <!-- SiteMinder Encoding=ISO-8859-1; -->
    @username=%USER%
    @smretries=0


    You would just have to change @smretries=0 to @smretries=2; after that you will see SMTRYNO being generated in the httpd header after 2 wrong attempts.

    Hope this helps.

    Regards
    Vikas


  • 6.  RE: [CA SiteMinder General Discussion] RE: How to redirect Unauthorized us

    Posted Jan 21, 2012 10:04 PM
    Hi Vikas,

    Thanks for the quick response. How do I retrieve the value of this header? Based on this header value I want to display a custom message to the user.

    If you know of any example that reads the value using JavaScript, it would help me.

    Thanks & Regards,

    Venkat

    (770) 237 7237


  • 7.  RE: How to redirect Unauthorized user

    Posted Aug 19, 2013 03:27 PM
    Note: The default behavior for unauthenticated users is to redirect to a file with the same name as the .fcc page, but with a .unath extension. The .unath file can be a copy of the .fcc file, with additional messages explaining what went wrong (smusrmsg).

    From: Netegrity SiteMinder authentication with Domino Document Manager 7 (http://www.ibm.com/developerworks/lotus/library/siteminder-authentication/):
    The FCC can interpret a number of special name/value pairs:

    smenc contains information that tells the browser what language encoding to use.
    smlocale is the language used in the HTML forms that collect user information or display status messages.
    username is the name to use as the login user name.
    password is the password to use to perform the login.
    target is the resource to access after login.
    smauthreason is the reason code associated with a login failure.
    smusrmsg contains the text that describes why the user was challenged or failed to login.
    smagentname is the agent name used for logging the user in.
    postpreservationdata is the data that a user submits through a post request.
    smerrorpage is the page to which the user's browser will be redirected if there is an error on a post to the custom form.
    smretries defines the maximum number of allowed failures when attempting to login.
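    Replies #3, #5 and #6 ask how a custom page should read the values the FCC substitutes (smauthreason, smusrmsg, target, and the attempt count from the SMTRYNO header) and turn them into a message. The script below is an added example for this thread, not code from any of the posters or from CA/Broadcom. It implements the policy that replies #2 and #3 recommend: the page says that sign-in failed, or that the account is not authorized for this application, but never which factor was wrong, and it does not echo smusrmsg. Assumptions are marked in the code: the reason codes are not hard-coded (the thread only establishes that 0 means no failure yet), the attempt count is written into the page by a server-side JSP that reads SMTRYNO, the `sm-notice` element id and `data-attempt-count` attribute are invented here, and a page served via WebAgent-OnReject-Redirect calls it with `authorizationReject = true`.

```javascript
// Added example (not from the thread or from CA/Broadcom): client-side helper that
// turns the FCC-substituted hidden-field values into a user-facing notice
// without disclosing why authentication failed.

const CONTACT_SUPPORT_AFTER = 3; // assumed policy threshold, not a SiteMinder setting

const MESSAGES = Object.freeze({
  initial: 'Please sign in.',
  failure: 'Sign-in failed. Check your user name and password and try again.',
  'contact-support': 'Sign-in is not available for this account. Please contact the service desk.',
  unauthorized: 'Your account is not authorized to use this application.',
});

// Decide which notice applies. `fields` holds the hidden-field values from the
// form; `attemptCount` must come from the server (e.g. the SMTRYNO header read
// by a JSP), never from something the browser can edit.
function classifyAttempt(fields, attemptCount = 0, authorizationReject = false) {
  if (authorizationReject) return 'unauthorized';
  const reason = Number.parseInt(fields.smauthreason, 10);
  // Only "0 = nothing failed yet" is relied on; any other code is just "failed".
  const failed = Number.isFinite(reason) && reason !== 0;
  if (!failed && attemptCount === 0) return 'initial';
  if (attemptCount >= CONTACT_SUPPORT_AFTER) return 'contact-support';
  return 'failure';
}

// Only echo `target` back into the page when it is a path on this site:
// a single leading slash, no scheme, no protocol-relative "//" or "/\" form.
function safeTarget(target, fallback = '/') {
  if (typeof target !== 'string' || target === '') return fallback;
  if (!target.startsWith('/') || target.startsWith('//') || target.startsWith('/\\')) return fallback;
  if (/[\r\n]/.test(target)) return fallback;
  return target;
}

function buildNotice(fields, attemptCount = 0, authorizationReject = false) {
  const kind = classifyAttempt(fields, attemptCount, authorizationReject);
  return {
    kind,
    message: MESSAGES[kind],
    target: safeTarget(fields.target),
    // smusrmsg is deliberately not surfaced: it describes *why* the login
    // failed, which is exactly what reply #2 warns against exposing.
  };
}

// Read the hidden inputs that reply #4 placed in login.fcc.
function readFccFields(doc) {
  const out = {};
  for (const name of ['smauthreason', 'smusrmsg', 'target']) {
    const el = doc.querySelector(`input[name="${name}"]`);
    out[name] = el ? el.value : '';
  }
  return out;
}

// Constructed sample values, as the FCC would substitute them on a retry
// (the reason code here is an arbitrary non-zero placeholder).
const SAMPLE_FAILED = { smauthreason: '7', smusrmsg: 'constructed reason text', target: '/app1/home' };

// Browser glue: runs only when a DOM is present. The `sm-notice` element and its
// `data-attempt-count` attribute are assumed to be written by the server page.
if (typeof document !== 'undefined') {
  const box = document.getElementById('sm-notice');
  if (box) {
    const attempts = Number.parseInt(box.dataset.attemptCount, 10) || 0;
    box.textContent = buildNotice(readFccFields(document), attempts).message;
  }
}
```

    The notice is presentation only: the retry limit in the .fcc (@smretries) and whatever the policy server enforces remain the real controls, and the page served by WebAgent-OnReject-Redirect should be a plain page rather than another .fcc, as reply #3 notes.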


  • 8.  Re: How to redirect Unauthorized user

    Posted Aug 20, 2015 02:28 AM

    Hello,

    The requirement I have is to redirect the user to an error page when the user is unauthorized. The case is this: userX is authorized to access application1 but not application2. So when userX is already logged into application1 and tries to access application2, instead of the login.fcc page being displayed, I want to redirect userX to an error page saying "You are not AUTHORIZED to access this application."

    So what I did is: created a rule on Authorization Events: Action [OnAccessReject]; Deny Access [Enabled].

    And in the response part: selected WebAgent-OnReject-Redirect; Attribute Kind: Static; Variable Value: AuthFailure/AuthFailure.htm

    But it is still not happening. Could you please tell me the steps I should follow?

    P.S.: I am not using SPS|Federation.



  • 9.  Re: How to redirect Unauthorized user

    Posted Aug 20, 2015 02:32 AM

    If something is incorrect in the steps I have mentioned, please point it out, as I am new to SiteMinder and not completely aware of its configuration.