Previous Topic: How to Link a Client Certificate to a Session (UNIX)Next Topic: How Response Attributes Work with Web Agents


Web Application Protection

This section contains the following topics:

Mechanisms for Developing Web Applications

REMOTE_USER Variable

How Response Attributes Work with Web Agents

CA SiteMinder® Default HTTP Headers

Mechanisms for Developing Web Applications

CA SiteMinder® provides the following methods for protecting web applications:

REMOTE_USER Variable

The REMOTE_USER variable holds the name of the user authenticated by the web server. When the agent is installed on a web server, CA SiteMinder® replaces the native authentication of the web server. The REMOTE_USER variable is blank.

If your applications use the REMOTE_USER variable, then set REMOTE_USER variable is set.

If your web server does not use the REMOTE_USER variable, the HTTP_SM_USER header provides an alternate method of passing a user name to an application.

More Information

Configure the Web Agent to set the REMOTE_USER Variable

Configure the Web Agent to set the REMOTE_USER Variable

Configure the Web Agent to set the REMOTE_USER variable as follows:

Note: Be sure to take security consequences into consideration before configuring SetRemoteUser or RemoteUserVar.

IIS Web Servers and the REMOTE_USER Variable

Your IIS web server requires basic authentication to use the REMOTE_USER variable with CA SiteMinder®.

When Basic authentication is enabled and a user requests a CA SiteMinder®-protected resource, the agent attempts to set the HTTP_Authorization header of the IIS web server with a user name only. Not with a password.

The Basic authentication mechanism of the IIS web server takes precedence over any other authentication challenge when an HTTP_Authorization header is used. Therefore, the IIS web server thinks that the user is responding to its own challenge.

If your agent operates as an ISAPI filter (using the Classic Pipeline mode for IIS), the agent does the following tasks:

The Agent populates the REMOTE_USER header when the value of the SetRemoteUser parameter is yes and any of the following settings are used:

Be cautious when using the SetRemoteUser parameter and the UseAnonAccess parameter together.

The following table shows how these parameters work together:

If these parameters are set as follows:

Then this result occurs...

SetRemoteUser=yes

UseAnonAccess=yes

The REMOTE_USER variable cannot be set because the agent does not pass along a user security context.

The lack of a user security context forces the IIS web server to use the credentials from the HTTP_Authorization header that the agent modified. But this header is incomplete because it only contains the user name.

SetRemoteUser=yes

UseAnonAccess=no

The agent can pass along a user context of some type, depending on how other parameters are set, such as DefaultUserName, DefaultPassword, or ForceIISProxyUser.

If the agent passes a security context to the IIS web server, then the IIS web server uses the credentials of the agent. The IIS web server ignores the incomplete HTTP_Authorization header.