Previous Topic: How Credential Collectors Process RequestsNext Topic: Configure MIME Types for Each Credential Collector


Use Credential Collectors for Authentication and Single Sign-On

A SiteMinder credential collector is an application within the Web Agent that gathers specific user credentials to authenticate a user. The credentials gathered by the credential collector are based on the type of authentication scheme configured for a particular group of protected resources. Credential collectors are used for forms, SSL, and Windows authentication schemes, and for single sign-on across multiple cookie domains.

The following types credential collectors are available:

Forms Credential Collector (FCC)

Gathers credentials based on HTML forms that are presented to the user during an authentication challenge. The forms that the FCC presents are based on templates that have the file extension .fcc. For example, the Web Agent is installed with a form called login.fcc, which you can customize and use for login purposes. This file is written using standard HTML tags and some proprietary notation required by SiteMinder.

Note: When using FCC-based authentication, if a form is presented with empty credentials, a framework Web Agent does not process the request and redirects it back to the originally requested URL, hence causing the framework Web Agent not to send any communication to the policy server. In the case of a traditional Web Agent, the request is processed and sent to the policy server, which then generates an OnAuthAttempt event.

SSL Credential Collector (SCC)

Collects SSL-based credentials (credentials required by SSL-based authentication schemes) such as Basic over SSL or X509 Cert and Basic.

Note: The SCC does not handle X509 Cert and Forms or X509 Cert or Forms. X509 Cert and Forms is handled by the FCC and X509 Cert or Forms is handled by the SFCC.

Cookie Provider (CCC)

Tracks SiteMinder sessions across multiple cookie domains for single sign-on. Unlike other types of credential collectors, the cookie provider does not collect credentials or perform an authentication challenge of the user. The cookie provider is handling credentials; however, in this case, the session is the credential.

Default: SmMakeCookie.ccc

NTLM Credential Collector (NTC)

Gathers NT credentials for resources stored on an IIS Web server and accessed by Internet Explorer browsers. This scheme uses a Windows NT login name and password of a user in place of a challenge for credentials.

SSL Forms Credential Collector (SFCC)

Gathers credentials based on HTML forms (like the FCC) but the SFCC gathers them only for the X509 Cert or Forms authentication schemes.

The forms that the SFCC presents are based on a templates that end in the file extension .sfcc. For example, the Web Agent is installed with a form called login.sfcc, which you can customize and use as a login form.

Kerberos Credential Collector (KCC)

Gathers credentials for Kerberos authentication schemes.

MIME Types for Credential Collectors

Associated with each credential collector is a MIME type. The MIME type indicates which collector presents the authentication challenge when a user requests a resource. The following table shows each type.

Credential Collector

MIME Type

Forms Credential Collector

.fcc

SSL Credential Collector

.scc

Cookie Provider

.ccc

NTLM Credential Collector

.ntc

SSL Forms Credential Collector

.sfcc

Kerberos Credential Collector

.kcc

When you configure an authentication scheme that uses a credential collector, or set up single sign-on across multiple cookie domains, the relevant MIME type is used as a file extension for a file referenced by the authentication scheme or single-sign-on configuration, for example:

The FCC and SFCC are the only credential collectors that require actual files to exist on the web server where the Agent is installed. These collectors are for forms-based authentication schemes. The .fcc and .sfcc templates are required to define the HTML form presented to the user.