Tech Tip : CA Single Sign-On :Policy Server:How to authenticate user using multiple attribute beside password using HTML Form Auth Scheme

View Only

Tech Tip : CA Single Sign-On :Policy Server:How to authenticate user using multiple attribute beside password using HTML Form Auth Scheme

By Ujwol posted Feb 06, 2017 01:12 AM

Recommend

Introduction

In this guide we will see how we can customize the OOTB login form to be able to accept more than the usual username and password attributes and be able to authenticate user using additional attributes.

Password however is mandatory attribute for authentication and can't be skipped.

This will be illustrated using HTML FORM authentication scheme and will not involve any custom authentication scheme

Environment

Policy Server : ANY Web Agent : ANY User Directory : ANY

Instructions

For illustration, let us assume that we need to be able to request user email address in the login FORM able to validate it during the authentication beside username and password.

Step 1. Modify the .fcc template file (login.fcc) to collect additional attribute

Add the following line at the beginning of the file:

@password=PASSWORD=%PASSWORD%&mail=%mail%

If the additional attributes have special characters, the line looks like the following sample:

@password=PASSWORD=%PASSWORD%&mail=%urlencode(mail)%

Where, 'mail' is the new attribute that you are configuring to collect from the user during login.

Also, create a new input text field for Email address as below:

<tr>

<b><font size=-1 face="arial,helvetica" > Email: </font></b>

</td>

</td>

</tr>

Let's save this as a new customlogin.fcc file.

Step 2. Create a new authentication scheme of type HTLM FORM Template in the Administrative UI as below.

The name of the attribute in the HTML forms authentication scheme must match the name of the additional attribute in the .fcc file. For example, to add the attribute mail (as shown in step 1 ) to the authentication scheme, enter the string AL=PASSWORD,mail in the Additional Attributes List field.
The name of the additional attribute must match the name of the attribute in the user directory. This is VERY important because, here we are not just collecting the additional attribute from the user, but also validating if it matches with the user record in the user directory. So in this case, Policy server will actually validate if the email address provided matches the user record, if it doesn't match, the user will NOT be authenticated.