Layer7 Access Management

Expand all | Collapse all

How to redirect UnAuthorizied user

Jump to Best Answer
  • 1.  How to redirect UnAuthorizied user

    Posted 08-31-2010 12:23 AM
    Hi,
    Currently we don't have any responses setup in our Siteminder environment. We want set responses back to the user telling what was wrong like User name Wrong, Password Wrong, Group membership missing ( Authorization ) instead of keep bringing a login page again and again.

    Here what I did so far :

    1) Created Test Relam > Created Test-Rule under Relam >
    2) Created Unauthorized-Ruleand selected Webagent actions Authorization and onAccessReject
    3) Created response “ WebAgent-onReject-Redirect” and selected Static Attribute Kind Variable Value “/siteminderagent/forms/loginunauthorized.fcc”
    4) Created Test Policy added Group, Added Test-Rule and Unauthorized-Rule
    5) Response “WebAgent-onReject-Redirect “ Added to Unauthorized-Rule.

    I am not a member of the group, when I try to login it should redirect me to the page loginunauthorized.fcc but it redirecting me, Please suggest me what I am doing wrong.

    Thank you,


  • 2.  RE: How to redirect UnAuthorizied user
    Best Answer

    Posted 11-16-2010 02:25 PM
    some of this can be done via "disallowforcedlogin"
    however this IS a security hole.
    It lets hackers know what to modify and how in order to break in.
    I strongly suggest throwing this idea out the window.


  • 3.  RE: How to redirect UnAuthorizied user

    Posted 11-11-2011 11:00 AM
    Hello,


    Using WebAgent-onReject-Redirect to redirect to a any .fcc file will usually fail as the .fcc files require special parameters to work. Please see KB TEC488184
    https://comm.support.ca.com/?legacyid=TEC488184

    So to do what you are looking to do I would suggest that you use a custom JSP page and read in the Smauthreason and display the message you would like to.

    That being said, I must reiterate, what you are trying to do is generally considered a very bad idea as it can allow for the harvesting of user names and other information about your processes.

    Generally speaking it has become standard practice to do one of two things when a user fails authentication
    1) send them back to a blank login screen to start over with no message as to why
    2) Send them to a screen that tells them to contact support with no explanation as to why. ( This is usually done after X number of attempts and possibly an account lock out)

    Any type of message that is returned could be seen as a vulnerability in today’s security environments’.


  • 4.  RE: How to redirect UnAuthorizied user

    Posted 01-06-2012 11:51 AM
    Hi,

    When a failed attempt is made getting login page again. But the value 'smauthreason' is not coming. It is always 0. Could you tell me anything do I need to configure to get the value populated for it?

    Here are the hidden parameters I have placed in login.fcc

    <input type=hidden name=target value="$$target$$">
    <input type=hidden name=smquerydata value="$$smquerydata$$">
    <input type=hidden name=smauthreason value="$$smauthreason$$">
    <input type=hidden name=smusrmsg value="$$smusrmsg$$">
    <input type=hidden name=smretries value="0">

    <input type=hidden name=smauthreason value="$$smauthreason$$">
    <input type=hidden name=smagentname value="$$smagentname$$">
    <input type=hidden name=postpreservationdata value="$$postpreservationdata$$">

    Thank you very much in advance and I appreciate it.

    Thanks,
    Venkat


  • 5.  RE: How to redirect UnAuthorizied user

    Posted 01-06-2012 12:04 PM
    Hello Venkat,

    Have you modified the login page? If you will use a basic login.fcc page you will find these parameters on the top:

    <!-- SiteMinder Encoding=ISO-8859-1; -->
    @username=%USER%
    @smretries=0


    Just you would have to modify @smretries=0 to @smretries=2 after that you will see SMTRYNO getting generated in httpd header after 2 wrong attempts.

    Hope this helps.

    Regards
    Vikas


  • 6.  RE: [CA SiteMinder General Discussion] RE: How to redirect UnAuthorizied us

    Posted 01-21-2012 10:04 PM
    Hi Vikas,



    Thanks for the quick response. How to retrieve the value of this header
    name? Based on this header value I want to display custom message to
    user.



    If you know any example which reads the value using javascript will
    helps me.



    Thanks & Regards,

    Venkat

    (770) 237 7237



    From: CA Security Global User Community (Distributed)
    [mailto:CommunityAdmin@communities-mail.ca.com]
    Sent: Friday, January 06, 2012 12:04 PM
    To: mb.2253364.91794889@myca-email.ca.com
    Subject: [CA SiteMinder General Discussion] RE: How to redirect
    UnAuthorizied user



    Hello Venkat,

    Have you modified the login page? If you will use a basic login.fcc page
    you will find these parameters on the top:

    <!-- SiteMinder Encoding=ISO-8859-1; -->
    @username=%USER%
    @smretries=0


    Just you would have to modify @smretries=0 to @smretries=2 after that
    you will see SMTRYNO getting generated in httpd header after 2 wrong
    attempts.

    Hope this helps.

    Regards
    Vikas
    Posted by:tiwvi01
    --
    CA Communities Message Boards
    https://communities.ca.com/web/ca-identity-and-access-mgmt-distributed-g
    lobal-user-community/message-board/-/message_boards/view_message/9179488
    9
    mb.2253364.91794889@myca-email.ca.com
    http://communities.ca.com


  • 7.  RE: How to redirect UnAuthorizied user

    Posted 08-19-2013 03:27 PM
    Note: The default behavior for unauthenticated usersis to redirect to a file with the same name as the .fcc page, but with a .unath extension. The .unath file can be a copy of the .fcc file, with additional messages explaining what went wrong (smusrmsg).

    http://www.ibm.com/developerworks/lotus/library/siteminder-authentication/]From: Netegrity SiteMinder authentication with Domino Document Manager 7:
    The FCC can interpret a number of special name/value pairs:

    smenc contains information that tells the browser what language encoding to use.
    smlocale is the language used in the HTML forms that collect user information or display status messages.
    username is the name to use as the login user name.
    password is the password to use to perform the login.
    target is the resource to access after login.
    smauthreason is the reason code associated with a login failure.
    smusrmsg contains the text that describes why the user was challenged or failed to login.
    smagentname is the agent name used for logging the user in.
    postpreservationdata is the data that a user submits through a post request.
    smerrorpage is the page to which the user's browser will be redirected if there is an error on a post to the custom form.
    smretries defines the maximum number of allowed failures when attempting to login.


  • 8.  Re: How to redirect UnAuthorizied user

    Posted 08-20-2015 02:28 AM

    Hello,

     

        The requirement I have is to redirect the user to an error page when the user is unauthorized. Here the case is like.., the userX is authorized to access application1 but not application2. So when the userX is already logged into application1 and is trying to access application2...instead of the login.fcc page being displayed.. I want to redirect the userX to an error page..saying.., YOU are not AUTHORIZED to Access this application.

     

    So what I did is : created a rule on Authorization Events    : Action [OnAccessReject]    ; Deny Access[Enabled].

     

    And in the response part what I did is : selected the WebAgent-OnReject-Redirect    ;    Attribute Kind : Static    ;    Variable Value : AuthFailure/AuthFailure.htm

     

    But, it is still not happening. Could you please tell me the steps in should follow?

     

    P.S. : I am not using SPS|Federation.



  • 9.  Re: How to redirect UnAuthorizied user

    Posted 08-20-2015 02:32 AM

    If something is incorrect in the steps which I have mentioned..then please mention it. As I am new to siteminder and I am not completely aware of it's configuration.