I am using a custom login.aspx in my environment and using it to post the credentials to the SiteMinder login.fcc page. The flow is working fine but the URL contains the password, target and user id in clear text. I need to fix this ASAP as it is highly insecure. Here is my custom page:
<form action="/siteminderagent/forms/login.fcc" method="post">
<table>
<tr>
<td><p><input name="USER" type="text" value="" style="width:150px" /></p></td>
<td><p><input name="PASSWORD" type="password" value="" style="width:150px" /></p></td>
</tr>
</table>
<input type="hidden" name="SMENC" value="ISO-8859-1">
<input type="hidden" name="SMLOCALE" value="US-EN">
<input type="hidden" name="target" value="http://HOSTNAME/test">
<input type="hidden" name="smquerydata" value="$$smquerydata$$">
<input type="hidden" name="smauthreason" value="$$smauthreason$$">
<input type="hidden" name="smagentname" value="$$smagentname$$">
<input type="hidden" name="postpreservationdata" value="$$postpreservationdata$$">
<p><input name="submit" type="submit" value="Login" />
<input name="Reset" type="reset" /></p>
</form>
I am also using the secureURL ACO parameter and it's not working for me. If I remove all directives other than the target above, it works, but with clear text passwords and other things in the URL; as soon as I put in the smquery directive (to encrypt) it gives an internal server error.
Any help would be appreciated.
Are you not using an SSL connection on your custom login page? If the web server is SSL enabled then the credentials would be sent via a secure channel, thus avoiding man-in-the-middle attacks.
Regarding using SecureURLs, please refer to the two wiki links below. Ensure the ACO configurations, all participating WAs plus FCC directives have been set / configured as described in the two wikis below.
Note, SecureURLs only deal with query parameters. Target is the only parameter that is exchanged in a URL query. Username and password are never sent as query parameters.
_SecureURLs not Supported when FCCCompatMode and LegacyEncoding Enabled_419838 - CA SiteMinder® - 12.52 SP1 - CA Wiki
Encrypt Query String Parameters in Redirection URLs - CA SiteMinder® - 12.52 SP1 - CA Wiki
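As an added check, not code from this thread or from CA: a small scanner over constructed web-server access-log lines that flags requests to login.fcc carrying USER/PASSWORD or a plain-text target URL in the query string, which is the symptom the original poster describes. The parameter names come from the form above; the log lines and the login.fcc path argument are constructed for the example.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Parameter names used by the custom login.fcc form in this thread.
CREDENTIAL_PARAMS = {"user", "password"}
TARGET_PARAMS = {"target"}

# Constructed sample access-log lines (combined log format); not real traffic.
SAMPLE_LOG = """\
10.0.0.5 - - [01/Jan/2024:10:00:01 +0000] "GET /siteminderagent/forms/login.fcc?USER=jdoe&PASSWORD=Secret1&target=http://HOSTNAME/test HTTP/1.1" 200 512
10.0.0.6 - - [01/Jan/2024:10:00:02 +0000] "GET /siteminderagent/forms/login.fcc?TARGET=http://HOSTNAME/test HTTP/1.1" 200 512
10.0.0.7 - - [01/Jan/2024:10:00:03 +0000] "GET /siteminderagent/forms/login.fcc?SMENC=ISO-8859-1&TARGET=OPAQUEBLOB HTTP/1.1" 200 512
10.0.0.8 - - [01/Jan/2024:10:00:04 +0000] "POST /siteminderagent/forms/login.fcc HTTP/1.1" 302 0
"""

REQUEST_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<url>\S+) HTTP/')

def classify_request(url):
    """Return the findings for one request URL (an empty list means clean)."""
    query = parse_qs(urlsplit(url).query, keep_blank_values=True)
    findings = []
    # Credentials must never travel in the query string (they belong in the POST body).
    if CREDENTIAL_PARAMS & {k.lower() for k in query}:
        findings.append("credentials in query string")
    # A target that is still a readable URL means SecureURLs did not encrypt it.
    for name, values in query.items():
        if name.lower() in TARGET_PARAMS and any(
            v.lower().startswith(("http://", "https://")) for v in values
        ):
            findings.append("cleartext target URL in query string")
            break
    return findings

def scan_log(text, path="/siteminderagent/forms/login.fcc"):
    """Scan log lines hitting the login page path; return [(line_no, method, findings)]."""
    results = []
    for line_no, line in enumerate(text.splitlines(), 1):
        m = REQUEST_RE.search(line)
        if not m or urlsplit(m.group("url")).path != path:
            continue
        findings = classify_request(m.group("url"))
        if findings:
            results.append((line_no, m.group("method"), findings))
    return results

if __name__ == "__main__":
    for line_no, method, findings in scan_log(SAMPLE_LOG):
        print(f"line {line_no}: {method} -> {', '.join(findings)}")
```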
Please have a look at Custom Login Page
I have also attached a sample login page (ASP) in the post.
Please note the name of the ACO parameter is SecureURLs, NOT secureURL.
Check this out too:
Tech Tip - CA Single Sign-On: Custom login page to POST to login.fcc with SecureURLs enabled