Symantec Access Management

  • 1.  How to use custom fcc page and post details to login.fcc

    Posted Aug 19, 2015 06:58 AM

    Hi All,


    I am using a custom login.aspx in my environment and using it to post the credentials to the SiteMinder login.fcc page. The flow is working fine, but the URL contains the password, target and user id in clear text. I need to fix this ASAP as it is highly insecure. Here is my custom page:


    <form action="/siteminderagent/forms/login.fcc" method="post">
    ....
    <td><P><span>Username :</span></P></td>
    <td><P><input name="USER" type="text" value="" style="width:150px" /></P></td>
    ....
    <td><P><span>Password :</span></P></td>
    <td><P><input name="PASSWORD" type="password" value="" style="width:150px" /></P></td>
    ....
    <INPUT TYPE=HIDDEN NAME="SMENC" VALUE="ISO-8859-1">
    <INPUT type=HIDDEN name="SMLOCALE" value="US-EN">
    <input type=hidden name=target value="http://HOSTNAME/test">
    <input type=hidden name=smquerydata value="$$smquerydata$$">
    <input type=hidden name=smauthreason value="$$smauthreason$$">
    <input type=hidden name=smagentname value="$$smagentname$$">
    <input type=hidden name=postpreservationdata value="$$postpreservationdata$$">
    <div class="formRow">
    <P><input name="submit" type="submit" value="Login" />
    <input name="Reset" type="reset" /></P>

     

    I am also using the secureURL ACO parameter and it's not working for me. If I remove all directives other than the target above, it works with clear-text passwords and other things in the URL, but as soon as I put in the smquery directive (to encrypt), it gives an internal server error.

     

    Any help would be appreciated.

     

     

    Thanks,

    Ashish Vashistha

    +91-8130233066



  • 2.  Re: How to use custom fcc page and post details to login.fcc

    Posted Aug 19, 2015 03:41 PM

    Rajesh RajeshKA

     

    Are you not using an SSL connection on your custom login page? If the web server is SSL-enabled, then the credentials would be sent via a secure channel, thus avoiding anyone trying a man-in-the-middle attack.

     

    Regarding using SecureURLs, please refer to the two wiki links below. Ensure the ACO configurations, all participating WAs and the FCC directives have been set / configured as mentioned in those two wiki pages.

     

    Note, the SecureURL only deals with query parameters. Target is the only parameter that is exchanged in a URL query. Username and Password are never sent as query parameters.

     

    _SecureURLs not Supported when FCCCompatMode and LegacyEncoding Enabled_419838 - CA SiteMinder® - 12.52 SP1 - CA Wiki

     

    Encrypt Query String Parameters in Redirection URLs - CA SiteMinder® - 12.52 SP1 - CA Wiki

     

     

     

     

    Regards

     

    Hubert
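
An added example, not part of the thread or of any CA/Symantec code: a Python check that scans web-server access-log lines for requests to login.fcc whose query string carries the USER or PASSWORD form fields, the symptom described in the first post. The log lines are constructed, and the common-log-style request format is an assumption.

```python
import re
from urllib.parse import parse_qsl, urlencode, urlsplit

# Path and field names are the ones in the login form quoted in this thread.
FCC_PATH = "/siteminderagent/forms/login.fcc"
CREDENTIAL_FIELDS = {"user", "password"}  # compared case-insensitively

# Assumption: common/combined log format with the request line in double quotes.
REQUEST_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<uri>\S+) HTTP/[\d.]+"')

# Constructed sample lines (documentation addresses, made-up values).
SAMPLE_LOG = [
    '192.0.2.10 - - [19/Aug/2015:06:50:01 +0000] "POST /siteminderagent/forms/login.fcc HTTP/1.1" 302 0',
    '192.0.2.11 - - [19/Aug/2015:06:51:12 +0000] "GET /siteminderagent/forms/login.fcc'
    '?USER=jdoe&PASSWORD=example-not-real&target=http%3A%2F%2FHOSTNAME%2Ftest HTTP/1.1" 302 0',
    '192.0.2.12 - - [19/Aug/2015:06:52:40 +0000] "GET /siteminderagent/forms/login.fcc'
    '?target=http%3A%2F%2FHOSTNAME%2Ftest HTTP/1.1" 200 2048',
    '192.0.2.13 - - [19/Aug/2015:06:53:05 +0000] "GET /test/index.aspx?user=jdoe HTTP/1.1" 200 512',
]

def redact(uri):
    """Rebuild the URI with credential values masked, so a finding does not re-leak them."""
    parts = urlsplit(uri)
    pairs = [(k, "REDACTED" if k.lower() in CREDENTIAL_FIELDS else v)
             for k, v in parse_qsl(parts.query, keep_blank_values=True)]
    return parts.path + "?" + urlencode(pairs)

def find_credential_leaks(lines):
    """Return one finding per login.fcc request with USER or PASSWORD in its query string."""
    findings = []
    for lineno, line in enumerate(lines, 1):
        m = REQUEST_RE.search(line)
        if not m:
            continue  # not a request line in the assumed format
        parts = urlsplit(m["uri"])
        if parts.path.lower() != FCC_PATH:
            continue  # only the forms credential collector is of interest
        names = {k.lower() for k, _ in parse_qsl(parts.query, keep_blank_values=True)}
        leaked = sorted(names & CREDENTIAL_FIELDS)
        if leaked:  # a query holding only target is not flagged
            findings.append({"line": lineno, "method": m["method"],
                             "fields": leaked, "uri": redact(m["uri"])})
    return findings

if __name__ == "__main__":
    for finding in find_credential_leaks(SAMPLE_LOG):
        print(finding)
```

Any hit means the password has already been written to the server log, and possibly to proxy logs and browser history as well.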



  • 3.  Re: How to use custom fcc page and post details to login.fcc

    Posted Aug 19, 2015 08:30 PM

    Hi RajeshKA,

     

    Please have a look at Custom Login Page

    I have also attached a sample login page (ASP) in the post.

     

    Please note the name of the ACO parameter is SecureURLs, NOT secureURL.

     

    Cheers,

    Ujwol Shrestha



  • 4.  Re: How to use custom fcc page and post details to login.fcc
    Best Answer