Symantec Access Management

  • 1.  Pass custom data to fcc

    Posted Aug 19, 2015 04:29 AM

    We are trying to implement a solution where the idea is to have a token / string data passed to the custom Authentication scheme after being POSTed on the login.fcc page.

    The question here is whether or not we can use a custom FCC directive to hold the token / string data. We are not looking to get it appended on the @password directive.



  • 2.  Re: Pass custom data to fcc

    Posted Aug 19, 2015 04:20 PM

    Joydeep joydeepdasgupta

     

    Why would a custom authentication scheme be invoked "AFTER" posting to login.fcc? Could we have this flow explained better? After posting to login.fcc only 2 things could happen, i.e. either a successful login OR a failed login. On successful login the user is redirected to the Target. On failed login the user is taken back to the login page.

     

    Directives in login.fcc are specific to hold SiteMinder specific information.

     

    However, there is a Technote about logging in with Additional Attributes; let me know if this helps your cause.

     

     

    Login Authentication With Additional Attributes

    Let's assume that you want to authenticate with a login form and, in addition to the username and password, you want to specify the LDAP attribute 'telephonenumber'.

    Step 1 - Create Customer FCC form

    • Generally you can use the login.fcc file from the samples/form directory as a start
    • Add the following line to the beginning of the file:
    • @password=PASSWORD=%PASSWORD%&telephonenumber=%NUMBER%
    • The '@password=' portion tells SiteMinder to store the following parameters in the password portion of the response.
    • The 'PASSWORD=%PASSWORD%' stores the value of the PASSWORD html form field in the password response, THIS IS REQUIRED for forms authentication to work when you add new attributes.
    • After the password you specify the additional attributes you want to pass with the syntax 'attribute name=HTML form element name'. Note that the list of attributes is separated by the ampersand (&).

    Step 2 - Create the Authentication Scheme

    • Create the authentication scheme like you would create an authentication scheme for forms authentication.
    • Under target enter the location of the new FCC form you created
    • Under Additional attributes enter the attribute list starting with 'AL='. For our example you would enter: AL=PASSWORD,telephonenumber
    • The PASSWORD attribute ALWAYS needs to be specified for this authentication method to work correctly

    Step 3 - Create Realm / Rules / Responses and Policies

    • Now all you need to do is create your realms, rules, responses and policies the same way you would using the normal forms login authentication scheme

     


     

     

    Regards

     

    Hubert



  • 3.  Re: Pass custom data to fcc

    Posted Sep 02, 2015 08:32 AM

    HubertDennis,

     

    Yes, my bad, it's not "AFTER" in the actual configurational sense; however, what I was trying to mention (and get an understanding of) is that whatever gets POSTed on the FCC page is actually read on the Authentication API with the help of UserContext methods.

     

    May I ask if we can only pass "Additional Attributes" and not anything else, say a string / token / variable, which can further be read and worked upon within the Authentication API?

     

    Joydeep



  • 4.  Re: Pass custom data to fcc

    Posted Aug 19, 2015 04:47 PM

    OR

     

    http://www.ca.com/us/support/ca-support-online/product-content/knowledgebase-articles/tec458943.aspx

     

    This is something that I've never tried before, nor do I know if this is supported OR would cause any repercussion. So you may try it and see if it works / fits your purpose.

     

    <SNIPPET START>

     

    "The first part of the FCC contains directives that are used when executing a POST operation on the FCC file. The directives are never passed to the client. They must be at the beginning of the file and are of the form: @SOMETHING=value

    The name is the name of a variable. The value is the variable's value. The value may contain strings of the form: %name1%. This will be replaced by the value of the variable associated with name1."

     

    The second part of the FCC file contains HTML code that is returned when a GET operation is performed on the FCC file. This part may include text in the form "$$name$$", including the quotation marks (") that will be replaced by the value associated with name. The name is not case sensitive.

     

    <input type=hidden name=SOMETHING value="$$SOMETHING$$">

     

    <SNIPPET END>

     

    Regards

     

    Hubert
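
The packing described in the technote in reply 2 and the %name% substitution in the FCC description quoted in reply 4, modelled as an added example that is not part of the thread and is not SiteMinder code. The function names are hypothetical, and inserting POSTed values verbatim is an assumption, since the thread does not say how the product encodes them.

```python
import re

# Directive line and attribute list exactly as given in the technote.
DIRECTIVE = "@password=PASSWORD=%PASSWORD%&telephonenumber=%NUMBER%"
ATTRIBUTE_LIST = "AL=PASSWORD,telephonenumber"


def expand_directive(directive, form):
    """Model of FCC expansion: replace each %name% with the POSTed field.

    Assumption: values are inserted verbatim, with no escaping.
    Returns (directive name, expanded value).
    """
    name, _, template = directive.lstrip("@").partition("=")

    def lookup(match):
        return form.get(match.group(1), "")

    return name, re.sub(r"%(\w+)%", lookup, template)


def parse_packed(packed, attribute_list):
    """Split the packed password string into the attributes named in AL=.

    Fails closed (returns None) unless every expected name appears exactly
    once, in AL order, with no extra or malformed pairs. A value that itself
    contains '&' is therefore rejected rather than guessed at.
    """
    expected = attribute_list.split("=", 1)[1].split(",")
    pairs = [p.partition("=") for p in packed.split("&")]
    names = [key for key, sep, _ in pairs if sep]
    if len(pairs) != len(expected) or names != expected:
        return None
    return {key: value for key, _, value in pairs}


if __name__ == "__main__":
    # Constructed sample form posts, not captured traffic.
    samples = [
        {"PASSWORD": "s3cret", "NUMBER": "555-0100"},
        {"PASSWORD": "a&telephonenumber=000", "NUMBER": "555-0100"},
    ]
    for form in samples:
        name, packed = expand_directive(DIRECTIVE, form)
        print(name, "->", packed, "->", parse_packed(packed, ATTRIBUTE_LIST))
```

Code in a custom scheme that reads the packed string should validate it against the configured attribute list in this way instead of taking the first or last occurrence of a name.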



  • 5.  Re: Pass custom data to fcc

    Posted Aug 19, 2015 08:19 PM

    This can be achieved using FORM POST VARIABLES

     

    Form Post Variables

    HTML forms are often used to collect information that back-end applications require. Form Post variables can be used to capture any information that is entered in an HTML form and POSTed. For example, if the business logic associated with an application requires a purchase order amount that is specified on an HTML login form, create a Form Post variable object to collect the value of the purchase order that the user supplies. The variable can then be used in policies.

    Important: EJB and Servlet Agents do not support Form Post variables. Do not use Form Post variables in policies that are enforced by EJB or Servlet Agents.

    The key benefit of this type of variable is that it allows the Policy Server to use POST data as a part of a policy expression rather than forcing enterprises to build security logic into server applications. Using HTTP POST variables results in efficient network usage between Agents and Policy Servers. The Agent extracts the HTTP variable information from the HTTP stream so that the information can be used during authorization processing by the Policy Server.

     

    https://support.ca.com/cadocs/0/CA%20SiteMinder%2012%2052%20SP1-ENU/Bookshelf_Files/HTML/idocs/346898.html#o345994