Previous Topic: Basic .fcc Requirements for ImpersonationNext Topic: Obtain the Session Specification using an FCC

Policy Server GuidesPolicy Server Configuration GuideImpersonationPolicy Server Objects for ImpersonationEnable Impersonation through an .fcc FileFCC Directives for Impersonation

FCC Directives for Impersonation

When constructing an .fcc file for impersonation, the following directives should be used in the file:

@logout

This directive logs the user out of CA SiteMinder® and removes the SMSESSION cookie.

@smheaders

This directive adds HTTP request headers to the FCC namespace. For impersonation, this directive provides the contents of the session specification header, SMSERVERSESSIONSPEC (or SM_SERVERSESSIONSPEC; see Note about SMSERVERSESSIONSPEC and LegacyVariables), to the FCC namespace so that it is available for use as a password.

@smpushsession

This directive allows a user to “impersonate” another user and then return to the original session. This directive must be set to "true".

@smpopsession

This directive returns to the original session after @smpushsession has been used. This setting must be set to "true".

@smredirect

This directive redirects requests to the specified target.

@target

This directive tells the FCC where to redirect to after processing a URL.

@password

This directive specifies what the contents of the password to be passed to the Policy Server.

@smaltcreds

Allows custom authentication schemes to send credentials larger than 4KB.This may be used in the same manner that the @password directive is used. When credentials are posted to an FCC using @smaltcreds, its value is sent to the Policy server during login as a byte buffer avoiding the password field which is restricted to 4k bytes. The @smaltcreds directive may not be used with existing out-of-the box authentication schemes, but it may be used for custom authentication. Developers of custom authentication schemes must code their authentication scheme libraries to look for the @smaltcreds credentials in the lpszCertBinary field of the user credential struct passed through the Agent API during login.

@username

This directive specifies the username to be passed to the Policy Server.

% and $ replacement functionality

The "%" and "$$" functionality is used for data replacement similar to scalar variables in Perl. "%NAME%" is used to replace "NAME" with the data associated with "NAME" on a post. "$$NAME$$" is used to replace "NAME" with the data associated with "NAME" on a get.