Symantec Access Management

  • 1.  SiteMinder default Custom Authentication Scheme presentation

    Posted Jan 21, 2020 12:57 PM
    Hi everyone. My team developed a CAS for a large enterprise customer that needed a custom flow for authenticating their users. The full access management architecture is composed of Policy Server 12.8 and a number of webagents. One of these webagents is a kind of centralized login portal for all applications. We have done the CAS for this webagent, replacing the standard HTML form-based auth scheme. It has an application server as its own interface, presenting different JSP pages that are able to post what is needed to the webagent fcc. The fcc itself invokes the CAS and everything is working as expected.
    Our problem is that the standard CAS interface is now the fcc page and not the customized JSP that the customer uses as their presentation for authentication.
    For example, if I now protect a URL directly with the CAS, the webagent redirects me to the standard fcc, but I want to redirect the browser to another page (that ofc will post to the fcc).

    In your experience, do you know if there is a way, either from webagent configuration or from Java coding in the CAS, to tell the policy server (or the agent) that the presentation of the CAS must be the JSP and not the fcc? Maybe some parameter of the CAS to be set in the parameter field from the adminui?

    thanks!


  • 2.  RE: SiteMinder default Custom Authentication Scheme presentation
    Best Answer

    Broadcom Employee
    Posted Jan 21, 2020 01:23 PM

    Hi Alessandro,

    The CAS you have described is very common where the target of the authentication scheme is a jsp (or asp) page that collects the credentials and posts to the .fcc.

    It sounds like the URL you are requesting is not protected by a realm that points to the CAS.  When a Web Agent receives a request, it will determine the associated AgentName and URI.  The Web Agent uses these two pieces of data to make an IsProtected call to the Policy Server.  The Policy Server uses the combination of AgentName and URI to attempt to map the call to a realm.  Based on the results you're seeing, the request you are making is mapping to a realm that has the .fcc as a Target of the authentication scheme assigned to the realm.  

    There are a few ways you can resolve this.  If all resources under the realm that is currently protecting the test resource should be protected with the CAS, you can simply assign the CAS to this realm.  If this realm contains resources that should use the current .fcc auth scheme that is assigned to the realm, you can either create a new realm for the resources that should be protected with the CAS, or if that's not possible, if you have control over how the resource is requested you may be able to separate the resources that require different auth schemes by making changes that will result in the two resources resolving to different AgentNames (such as if users can be forced to use a separate hostname for the resources protected by the CAS).

    I hope this helps.

    -Pete
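
The lookup described in the reply above (AgentName and URI map to a realm, and that realm's authentication scheme decides where the browser is sent), as an added example that is not SiteMinder code and not part of the original post. The realm names, agent names and paths are constructed placeholders, and longest-filter-wins matching is an assumption of this model.

```python
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Realm:
    name: str
    agent_name: str       # AgentName the Web Agent resolves for the request
    resource_filter: str  # URI prefix covered by the realm
    scheme: str           # authentication scheme assigned to the realm
    target: str           # where that scheme sends the browser for credentials


# Constructed sample configuration; every name and path here is a placeholder.
REALMS = [
    Realm("portal-root", "portal-agent", "/", "HTML Form", "/forms/login.fcc"),
    Realm("portal-secure", "portal-agent", "/secure/", "CAS", "/login/start.jsp"),
    Realm("app1-root", "app1-agent", "/", "HTML Form", "/login/start.jsp"),
]


def resolve_realm(agent_name: str, uri: str, realms=REALMS) -> Optional[Realm]:
    """Model of the IsProtected lookup: match on AgentName, then on URI.
    Assumption: the realm with the longest matching filter wins."""
    hits = [r for r in realms
            if r.agent_name == agent_name and uri.startswith(r.resource_filter)]
    return max(hits, key=lambda r: len(r.resource_filter), default=None)


def audit(requests: List[Tuple[str, str]], expected_target: str, realms=REALMS):
    """Return (agent, uri, realm, target) for each protected request whose
    realm sends the browser somewhere other than expected_target."""
    findings = []
    for agent_name, uri in requests:
        realm = resolve_realm(agent_name, uri, realms)
        if realm is not None and realm.target != expected_target:
            findings.append((agent_name, uri, realm.name, realm.target))
    return findings


if __name__ == "__main__":
    sample = [("portal-agent", "/index.html"), ("portal-agent", "/secure/report"),
              ("app1-agent", "/orders")]
    for finding in audit(sample, "/login/start.jsp"):
        print("unexpected credential collector:", finding)
```

Running the same check against an export of the real realm list shows which realm a test URL actually lands in before any auth scheme assignment is changed.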




  • 3.  RE: SiteMinder default Custom Authentication Scheme presentation

    Posted Jan 22, 2020 04:16 AM
    Hi Peter, thanks for the quick reply.

    What you are suggesting is already partially happening.
    The problem is just on the agent that directly uses that CAS, because all the other web applications protected by SiteMinder are ok, since they use their own auth scheme that, in fact, directly calls the JSP on the login portal that, in turn, invokes the FCC of the CAS.

    To summarize the question better: do we have the chance to change the "target" parameter of the CAS, like a normal HTML form, to instruct the scheme that the target is not the fcc but a custom JSP?

    thanks again
    Alessandro