Symantec Access Management

  • 1.  & character in username cannot login

    Posted Jun 05, 2018 08:03 PM

    Hi,

     

    The username contains the & character and login.fcc is not allowing login with valid credentials. I have checked the logs but couldn't find why this is happening. Could someone help me out?

     

    Regards-

    Yashpal

    #ssositeminder #ssosecurity



  • 2.  Re: & character in username cannot login

    Broadcom Employee
    Posted Jun 05, 2018 08:56 PM

    This one is a personal bugbear of mine.

     

    There is an approach of forbidding "special" HTML characters (i.e. use of the BADXXXChars settings), whereas often they should be allowed, but made sure they are encoded correctly. This comes up with passwords and not too infrequently with user names (for example: mark.o'donohue). The "&" is one such special character.

     

    To make the agent encode them correctly you need the setting: FCCHtmlEncoding = yes

    In my opinion it should default to "yes", but that broke a number of regression test cases, so it was left with a default of "no" some years ago.

     

    The login.fcc page will then correctly encode the special HTML characters & < > " ' rather than leave them as raw values (the other option is to forbid them via the badxxxchars setting), and then you can use them in passwords and usernames.

     

    Fcchtmlencoding (default: No)

    Specifies whether the HTML encoding is enabled to prevent Cross-Site Scripting attacks against web agent FCC pages. This parameter does not block any characters. See Prevent Cross-Site Scripting Attacks in Web Agent FCC Pages.

     

    List of Agent Configuration Parameters - CA Single Sign-On - 12.52 SP2 - CA Technologies Documentation 

     

     

    Cheers - Mark
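
An added illustration of the point in the reply above, not part of the original post and not SiteMinder code: it echoes a username into a form field raw and HTML-encoded, then parses the page back to see which value survives. The template, function names and sample usernames are constructed for this example.

```python
import html
from html.parser import HTMLParser

# Hypothetical form template (not the real login.fcc): the page echoes the
# submitted username back into a double-quoted attribute.
TEMPLATE = '<form method="post"><input type="text" name="USER" value="{user}"></form>'

# Constructed sample usernames containing the five special characters.
SAMPLES = ["R&D", "ops&amp;dev", "mark.o'donohue", 'ann "the admin" lee', "a<b>c"]


def render(user, encode):
    """Fill the template, either raw or with & < > " ' HTML-encoded."""
    value = html.escape(user, quote=True) if encode else user
    return TEMPLATE.format(user=value)


class _FieldReader(HTMLParser):
    """Records the USER value the way an HTML parser decodes it."""

    def __init__(self):
        super().__init__()
        self.user = None

    def handle_starttag(self, tag, attrs):
        fields = dict(attrs)
        if tag == "input" and fields.get("name") == "USER":
            self.user = fields.get("value")


def read_back(page):
    """Return the username a client would resubmit from the rendered page."""
    reader = _FieldReader()
    reader.feed(page)
    reader.close()
    return reader.user


def survives(user, encode):
    """True if the username round-trips through the page unchanged."""
    return read_back(render(user, encode)) == user


if __name__ == "__main__":
    for name in SAMPLES:
        print(f"{name!r:24} raw={survives(name, False)} encoded={survives(name, True)}")
```

Raw output only works when the input happens not to look like markup: "R&D" passes, while "ops&amp;dev" and the quoted name come back altered. Encoded output round-trips every sample.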



  • 3.  Re: & character in username cannot login

    Posted Jun 05, 2018 09:35 PM

    Thanks Mark for the suggestion. I couldn't find  FCCHtmlEncoding in the ACO, should I add this parameter in ACO and try? Or is there any other way?

     

    Regards-

    Yashpal



  • 4.  Re: & character in username cannot login
    Best Answer

    Posted Jun 05, 2018 09:09 PM

    Hi Yashpal,

     

    https://docops.ca.com/ca-single-sign-on/12-52-sp1/en/release-notes/new-features/policy-server-new-features#PolicyServerNewFeatures-SupportforAmpersand(&)inUsername

     

    Support for Ampersand (&) in Username

    The user names in the LDAP user stores can contain & from 12.52 SP1 CR05.

     

    Regards,

    Leo Joseph.



  • 5.  Re: & character in username cannot login

    Posted Jun 05, 2018 09:36 PM

    Thanks Leo for the information. Is there any way I can make it work in the 12.51 version?

     

    Regards-

    Yashpal



  • 6.  Re: & character in username cannot login

    Posted Jun 06, 2018 01:29 AM

    Hi Yashpal,

     

    This cannot be done in version 12.51, as this was released in 12.52 SP1.

     

    Regards,

    Ram,



  • 7.  Re: & character in username cannot login

    Posted Jun 06, 2018 01:35 AM

    In case you want to use this feature, you have to upgrade to 12.52 SP1 as per the link shared by my colleague Leo.

     

    Regards,

    Ram,