Question:
We're running a Web Agent, and we'd like to know :
1 - Is there a way to mask the login page, as having
https://myserver.mydomain.com/myapp/login
instead of :
https://myserver.mydomain.com/myapp/login?TYPE=33554433&REALMOID=06-0001dc6e-bec9-1ae2-be6c-391c9970f051&GUID=&SMAUTHREASON=0&METHOD=GET&SMAGENTNAME=-SM-uh4C3ALWNjC2oO6%2b15xYX4wgaVGuync6V%2bQw9kqx9qSJCqH9fIgjRmthAFFLXHi1&TARGET=-SM-https%3a%2f%2fmyserver%2emydomain%2ecom%2fmyapp%2faccess%2f
2 - For the same resource, is it possible to have an 2 authentication,
depending the origin of the caller, internal or external ?
3 - Can Web Agent provide redirect pages in case of idle timeout and
max timeout ?
Answer:
1 - You might customize a login page that will POST to the login.fcc :
Custom Login Page
https://communities.ca.com/docs/DOC-231150607-custom-login-page
but the login.fcc page should always be accessible to be
processed.
Tech Tip : CA Single Sign-On :: Web Agent::How to restrict user
from using login.fcc directly
https://communities.ca.com/community/ca-security/ca-single-sign-on/blog/2018/02/14/tech-tip-ca-single-sign-on-web-agenthow-to-restrict-user-from-using-loginfcc-directly
2 - You might check the Global Delivery Module :
Authentication Using Login Sequence for CA Single Sign-On
SiteMinder customers have expressed a desire to have the ability
to automatically apply different authentication schemes to
different groups of users; if the user fails to provide correct
credentials for one authentication mechanism, automatically fail
over to a different authentication mechanism; or combine multiple
authentication mechanisms into a sequence that the user must
successfully pass through to get authenticated. The Login
Sequence Authentication (SmLoginSequenceAuth) solution extends the
functionality of SiteMinder’s standard authentication schemes in
order to address the above requirements.
CA Global Delivery Packaged Work Product Download Index
https://support.ca.com/us/product-content/recommended-reading/technical-document-index/ca-global-delivery-packaged-work-product-module-index.html?id=%7B3B2E2905-11AF-4479-B309-63F113CA5D57%7D?id=%7B3B2E2905-11AF-4479-B309-63F113CA5D57%7D#SSO
3 - You might be able to handle idle timeout and max timeout
redirection with the ACO parameters :
IdleTimeoutURL
MaxTimeoutURL
Redirect a User after a Session Time-out
https://docops.ca.com/ca-single-sign-on/12-8/en/configuring/web-agent-configuration/session-protection/redirect-a-user-after-a-session-time-out
KB : KB000097563