Symantec SiteMinder


Tech Tip : CA Single Sign-On : Web Agent : Pre-fill username during step up authentication

By Ujwol posted Nov 16, 2016 07:26 PM



In this guide we will see how to pre-fill the username field during the second challenge in step-up authentication.



  • Both the low-level and the high-level authentication schemes use the HTML Form Authentication scheme.
  • The UseHTTPOnlyCookies ACO parameter is set to YES.
  • Server-side technologies such as ASP/JSP/ASPX cannot be used; only login.fcc can be used for the login form.



  • Web Agent : 12.0 and above
  • OS : ANY



1. Create two copies of the OOTB login.fcc and rename them login5.fcc and login10.fcc.


2. Create two HTML Form authentication schemes: one using login5.fcc with Protection Level 5 and the other using login10.fcc with Protection Level 10.


3. Protect two resources, say /html/ with the login5.fcc authentication scheme and /html10/ with the login10.fcc authentication scheme, to simulate a step-up authentication scenario.


5. Now, the trick is to add the following line to login5.fcc to instruct the Web Agent to save the value of the "USER" form field as a cookie:



(Note: If you need to save multiple form fields, you can specify the form field names as a colon-separated list, like @save=USER:TARGET)


So, after adding this line, the top of login5.fcc looks like this:

<!-- SiteMinder Encoding=UTF-8; -->



6. Next, modify login10.fcc to pre-fill the USER form field by reading the cookie set earlier, like this:


<td ALIGN="LEFT" >
  <b><font size=-1 face="arial,helvetica" > Username: </font></b>
</td>
<td ALIGN="LEFT" >
  <input type="text" name="USER" size="30" style="margin-left: 1px" value="$$USER$$">
</td>
<td WIDTH=20 > </td>


Now, the most important thing to note here is that this works even when using HTTPOnly cookies, because FCC processing happens on both the server side and the client side. All variables of the form $$VariableName$$ are replaced on the server side by reading their values from various sources, such as:

  • The headers named in the SMHEADERS variable.
  • The directives.
  • The cookies.
  • The posted form data.


As you can see above, the variable replacement happens on the server side, so it doesn't matter if the HTTPOnly flag is set on the cookies.
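
A simplified model of the flow described above, added here as an example; it is not SiteMinder code and not from the original post. The function names, the cookie being named after the form field, and the HTML-escaping of the substituted value are assumptions of this model, and the two FCC strings are constructed stand-ins for the real files.

```python
import html
import re

# Constructed stand-ins; the real login5.fcc and login10.fcc are full HTML forms.
LOGIN5_FCC = "@save=USER:TARGET\n<!-- form markup omitted -->"
LOGIN10_FCC = '<input type="text" name="USER" size="30" value="$$USER$$">'


def saved_fields(fcc_text):
    """Field names listed in @save= directives (colon-separated, as in the note)."""
    names = []
    for line in fcc_text.splitlines():
        line = line.strip()
        if line.startswith("@save="):
            names += [n for n in line[len("@save="):].split(":") if n]
    return names


def handle_post(fcc_text, form):
    """First login: one HttpOnly Set-Cookie value per saved field that was posted.
    Assumption: the cookie is named after the field; the page does not say."""
    return [f"{n}={form[n]}; Path=/; HttpOnly"
            for n in saved_fields(fcc_text) if n in form]


def script_visible(set_cookies):
    """Cookie names document.cookie would expose: HttpOnly ones are hidden."""
    return [h.split("=", 1)[0] for h in set_cookies
            if not any(a.strip().lower() == "httponly" for a in h.split(";")[1:])]


def cookie_header(set_cookies):
    """Cookie request header the browser sends back, HttpOnly or not."""
    return "; ".join(h.split(";", 1)[0] for h in set_cookies)


def render(fcc_text, request_cookies):
    """Server-side $$Name$$ replacement from the request's Cookie header.
    Escaping is this model's choice, since the value lands in an attribute."""
    jar = dict(p.strip().split("=", 1) for p in request_cookies.split(";") if "=" in p)
    return re.sub(r"\$\$(\w+)\$\$",
                  lambda m: html.escape(jar.get(m.group(1), ""), quote=True), fcc_text)


if __name__ == "__main__":
    issued = handle_post(LOGIN5_FCC, {"USER": "alice", "TARGET": "/html/"})
    print("readable by page script:", script_visible(issued))
    print(render(LOGIN10_FCC, cookie_header(issued)))
```

Page script sees no saved cookies, yet the second form is rendered with the username filled in, because the browser still sends HttpOnly cookies in the request and the substitution reads them there.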



  • Sample login fcc
  • Sample fiddler