

Configure Basic FCC Operation

Perform the following basic procedures to configure the Forms Credential Collector (FCC) component of any agent that secures resources protected by an HTML Forms authentication scheme.

  1. Configure a MIME type mapping for the FCC if you are using an IIS web server or a Domino web server.

    Note: The agent configuration wizard automatically sets up the proper MIME types that CA SiteMinder® credential collectors use for the following types of web servers:

  2. Map your agent identities and web servers for use by FCCs.
  3. Configure the following additional settings, as required:

Configure a MIME Type Mapping for the FCC on IIS and Domino Web Servers

On IIS and Domino web servers, specify the FCCExt agent configuration parameter to configure a MIME type mapping for the FCC in your Web Agent configuration. The MIME type mapping is represented as a file extension. We recommend using the default value.

FCCExt

Specifies a MIME type mapping for the FCC.

Default: .fcc

Limits: A valid file extension.

Example: .myfcc

Note: If you do not want to use the default extension or the default is already in use, enter the extensions that you want instead. For example, if you set FCCExt to .myfcc for the FCC, and rename the FCC template to use this extension (such as login.myfcc), the agent recognizes URLs ending in .myfcc as HTML Forms authentication requests.

Enable FCCs and SCCs to Use Agent Names as Fully Qualified Host Names

To enable the forms and SSL credential collectors to use the fully qualified host name of the target URL as an Agent name, define the AgentNamesAreFQHostNames configuration parameter.

For example, if the AgentNamesAreFQHostNames parameter is set to Yes, the www.nete.com portion of the following URL string serves as the Web Agent name:

url?A=1&Target=http://www.nete.com/index.html

The credential collector uses this parameter in the following situations:

If the AgentNamesAreFQHostNames parameter is set to No, the credential collector uses the value of the DefaultAgentName parameter as the name of the target Web Agent.

Configure the FCC to Use a Single Resource Target

To configure the FCC to direct users to a single resource, hard-code the target in the login.fcc template file.

Follow these steps:

  1. Open the login.fcc file, which is located in agent_home/Samples.
  2. Add @target=target_resource to the FCC.
  3. Add the following entry:

    @smagentname=agent_name_protecting_resource

    For example: @smagentname=mywebagent

  4. Set the EncryptAgentName parameter to no. This setting is required because no method exists to encrypt the agent name after you hard-code it in the file.
  5. Set the EncryptAgentName parameter to no for any other agent using this FCC.

Note: For more information, see the Policy Server documentation.

Use a Relative Target for Credential Collector Redirects

Optionally, instruct an agent to use a relative URI instead of a fully qualified URL when directing requests to a credential collector and target resource. Using a relative URI prevents credential collectors on other systems with Web Agents from processing requests.

Note: This setting applies to all credential collectors except the cookie credential collector (CCC). The CCC must use a fully-qualified domain name for this parameter. OnAuthAccept responses will not work properly with a CCC if a relative URI is used.

Typically, a fully qualified URL is appended to the credential collector URL. For example:

url?A=1&Target=http://www.nete.com/index.html

To use only a relative URI, set the TargetAsRelativeURI parameter to yes. If set to yes, the target parameter that is appended to the credential collector URL is a relative target, such as url?A=1&Target=/index.html. In turn, when the credential collector redirects back to the Web Agent protecting the target resource, it is a relative redirect. Also, the Web Agent rejects any target that does not begin with a forward slash (/).

The default value for this parameter is no, so a fully qualified URL is always used.

Define Valid Target Domains

To configure CA SiteMinder® Agents to help protect your resources from phishing attempts that could redirect users to a hostile website, set the following configuration parameter:

ValidTargetDomain

Specifies the domains to which a credential collector is allowed to redirect users. If the domain in the URL does not match the domains set in this parameter, the redirect is denied.

Default: No.

All advanced authentication schemes, including forms credential collectors (FCCs), support this parameter.

The ValidTargetDomain parameter identifies the valid domains for the target during processing. Before the user is redirected, the agent compares the values in the redirect URL against the domains in this parameter. Without this parameter, the agent redirects the user to targets in any domain.

The ValidTargetDomain parameter can include multiple values, one for each valid domain.

For local Web Agent configurations, specify an entry, one entry per line, for each domain, for example:

validtargetdomain=".xyzcompany.com"
validtargetdomain=".abccompany.com"

Define Valid Federation Target Domains

If CA SiteMinder® is acting as a legacy federation SP, you can configure the Identity Provider Discovery (IPD) profile for SAML 2.0 transactions. IPD lets a user select which IdP generates an assertion for an authentication request.

During the discovery process, you can prevent a user from being redirected to a malicious website. Configure the Web Agent to validate the domain of the IdP that satisfies the authentication request.

To enable the validation process, set the value of the following parameter:

ValidFedTargetDomain

(Federation only–SAML 2.0). Lists all valid domains for your federated environment when implementing Identity Provider Discovery.

When the CA SiteMinder® Identity Provider Discovery (IPD) Service receives a request, it examines the IPDTarget query parameter in the request. This query parameter lists a URL where the Discovery Service must redirect to after it processes the request. For an IdP, the IPDTarget is the SAML 2.0 Single Sign-on service. For an SP, the target is the requesting application that wants to use the common domain cookie.

Federation Web Services compares the domain of the IPDTarget URL to the list of domains specified for the ValidFedTargetDomain parameter. If the URL domain matches one of the configured domains in the ValidFedTargetDomain, the IPD Service redirects the user to the designated URL in the IPDTarget parameter. This redirect is to a URL at the SP.

If there is no domain match, the IPD Service denies the user request and they receive a 403 Forbidden in the browser. Additionally, errors are reported in the FWS trace log and the affwebservices log. These messages indicate that the domain of the IPDTarget is not defined as a valid federation target domain.

If you do not configure the ValidFedTargetDomain setting, no validation is done and the user is redirected to the target URL.

Limits: Valid domains within the federated network

Default: No default

Specify a valid domain in the ValidFedTargetDomain parameter. This setting is a multivalue parameter, so you can enter multiple domains.

If you are modifying a local configuration file, list the domains separately, for example:

validfedtargetdomain=".examplesite.com"

validfedtargetdomain=".abccompany.com"

For more information about the Identity Provider Discovery profile, see the Federation Security Services Guide.
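
The target checks described for TargetAsRelativeURI, ValidTargetDomain and ValidFedTargetDomain can be sketched as follows. This is an added example, not CA SiteMinder code: the function names, the sample configuration lines and the rule that a leading-dot entry covers the bare domain and its subdomains are assumptions.

```python
from urllib.parse import urlsplit

# Constructed local-configuration lines, in the name="value" form shown on this page.
SAMPLE_CONF = '''
targetasrelativeuri="no"
validtargetdomain=".xyzcompany.com"
validtargetdomain=".abccompany.com"
'''

def load_settings(text):
    """Collect name="value" lines; a repeated name accumulates (multivalue)."""
    settings = {}
    for line in text.splitlines():
        name, sep, value = line.strip().partition("=")
        if sep and not name.startswith("#"):
            settings.setdefault(name.strip().lower(), []).append(value.strip().strip('"'))
    return settings

def host_in_domains(host, domains):
    """Assumed rule: '.xyzcompany.com' covers xyzcompany.com and its subdomains."""
    host = host.lower().rstrip(".")
    for domain in domains:
        bare = domain.lower().lstrip(".")
        # Compare on a label boundary so 'notxyzcompany.com' does not match.
        if host == bare or host.endswith("." + bare):
            return True
    return False

def check_target(target, settings, param="validtargetdomain"):
    """Return (allowed, reason) for a Target (or IPDTarget) value."""
    relative_only = settings.get("targetasrelativeuri", ["no"])[-1].lower() == "yes"
    # Stricter than the page's leading-slash rule: '//' and '/\' are refused
    # because browsers resolve them as scheme-relative URLs to another host.
    if target.startswith("/") and target[1:2] not in ("/", "\\"):
        return True, "relative target"
    if relative_only:
        return False, "TargetAsRelativeURI=yes requires a relative target"
    domains = settings.get(param, [])
    if not domains:
        return True, "no domain list configured, so no validation is done"
    try:
        parts = urlsplit(target)
        host = parts.hostname or ""
    except ValueError:
        return False, "unparseable URL"
    if parts.scheme not in ("http", "https") or not host:
        return False, "not an absolute http(s) URL"
    if host_in_domains(host, domains):
        return True, "host is inside a configured domain"
    return False, "domain does not match " + param
```

Pass `param="validfedtargetdomain"` to apply the same comparison to an IPDTarget value; running a list of look-alike hosts through `check_target` is a quick way to confirm that an allowlist entry is no broader than intended.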