Symantec Access Management

Hi,

I am having below requirement that I am trying to work out using Siteminder variable response.

1. After user authenticates, Siteminder shows an intermediate page (I am using jsp) to user with a drop-down of all the role names he has access to from user directory. I am sending it as a response (multi valued attribute) to this intermediate page.

2. User chooses the role name that he want to login against and submit.

3. The intermediate jsp page send the corresponding role id (which application will do validation against) as form variable POST to application URL.

4. I have protected the application URL in siteminder and have created a authorization rule which triggers a dynamic response (using form post variable) that will create a new header (with role id that it should get from form POST variable ).

Now when I execute the above flow, step 1-3 is happening as expected. However in step 4, Siteminder is not able to get the form variable from POST and in smps log I am getting active expression error.

Can anyone suggest is there any specific notations that I need to include in my intermediate jsp to allow Siteminder get the form post variable?

Any help would be highly appreciated in this regard.

Regards,

Sanjay

Hi Sanjay,

I am not sure about the coding part. But as far as agent config is concerned, you can try to disable below parameters and see if it helps :--

1) UseHTTPOnlyCookies : no

2) CssChecking : no

3) fcchtmlencoding : no

Restart webagent after the changes.

Do let us know if it helps.

Thanks,

Ankush

Thanks for your response Ankush., Will try that for sure. However if I have to simplify my query:

Just wanted to know how do we use Siteminder Form Post Variable?

From Siteminder manual I can find below:

"HTML forms are often used to collect information that back-end applications require. Form Post variables can be used to capture any information that is entered in an HTML form and POSTed. For example, if the business logic associated with an application requires a purchase order amount that is specified on an HTML login form, create a Form Post variable object to collect the value of the purchase order that the user supplies. The variable can then be used in policies."

Just wondering, in order to pass values from a form (not used for login in my case, just its a role selection page after user authentication)  to a Siteminder variable:

1. Does it need to be a static HTML form or can it be a JSP?

2. Does the page requires any special Siteminder notations to allow Siteminder pick up form variable being passed (as we do in login pages)?

Thanks,

Sanjay

Hi Sanjay,

It's best to utilize Web Debugging tool like Fiddler (Fiddler free web debugging proxy) to check if the variable is POST-ed accordingly in step 4 then move on to check on the error from the active expression.

Best regards,

Kelly

Hi Kelly,

I am using chrome debugging extension and can actually see (storeid=4) in the request body (as POST). I am using same storeid as "Form Variable Name" in the variable that I've created in Siteminder.

Not sure why siteminder is not able to resolve the variable

Thanks,

Sanjay

Hi Sanjay,

The active expression is set to pick up 'storeid' but instead getting null value?

Best regards,

Kelly

Hi Kelly,

That's correct, while I could see in http trace (storied=4) is being posted in request body, Siteminder policy server is not able to resolve the variable.

That's making me think, since we are already through authentication phase, can we actually pass form variables to policy server through JSP which is not a login form. As we know that during authentication phase, we can use a custom application page (jsp,asp etc.) to collect user credentials and then pass the values to policy server (for authentication) by posting to a webagent login.fcc form. With that too, we use special notations in login form to let policy server know which variable to expect username/password in.

Just wondering if that's the only way we can send the variable to Siteminder policy server, then it left us with a theory that Siteminder "variable" object we could only use in login page to pass dynamic information (other than username and password) to policy server based on user inputs?

Please correct me if I am wrong!!

Thanks,

Sanjay

Hi Sanjay,

You are right. SiteMinder does NOT intercept any POST data in the application except the one directly posted to .fcc files (login.fcc/smpwservices.fcc etc).

So, unfortunately what you are trying to do in step (4) in your first post is not feasible with SiteMinder.

Cheers,

Ujwol

Thanks Ujwol.

Yup eventually we had to accept it and come up with a workaround.

Thanks,

Sanjay