

Forms Cache

The forms cache stores form template data. Storing template data improves performance because the agent no longer reads the .fcc files multiple times for the same data. When a resource with an FCC extension is accessed, the FCC reads and processes the corresponding template file. An agent performs hundreds of these read operations each second.

The form cache relieves the FCC by storing form template files in memory, where they can be read easily. Because virtual memory access is faster than disk access, FCC components process forms more quickly and with reduced strain on the host server.

The improved processing time increases the capacity of the FCC for serving requests for each web server. Forms authentication becomes more efficient.

Form Cache Data

The data stored in the form cache consists of the form template text, which is parsed beforehand into data structures. These data structures optimize FCC processing.

These data structures include:

Directives, functions, and variables are processed from the top of the FCC file down.

Configure the Form Cache

Forms can be cached to improve performance and reduce unnecessary network traffic. You can control the settings of form cache with the following parameters:

EnableFormCache

Controls the forms template cache. Setting this parameter to yes improves the performance of forms authentication. To disable the cache, set this parameter to no.

Default: Yes

FormCacheTimeout

Specifies the number of seconds that an object may reside in cache before being considered invalid. When the timeout interval expires, the date and time of the form template file is compared against the time that the cache object was created. If the object in the cache is stored more recently than the file on disk, the timeout is reset for another interval. Otherwise, the object is removed from the cache.

Default: 600

Follow these steps:

  1. Set the value of the EnableFormCache parameter to yes.
  2. If you want to change the timeout interval for the form cache, set the FormCacheTimeout parameter to the number of seconds you want.

    The form cache is configured.
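The FormCacheTimeout rule described above, modelled as an added example (this is not the Web Agent's own code; the FormCache class, the fake clock and the login.fcc sample file are assumptions made for illustration). It shows that a template edited on disk is still served from the cache until the current interval expires, so a change to a login form can take up to FormCacheTimeout seconds to appear under this model.

```python
import os
import tempfile

class FormCache:  # models the FormCacheTimeout rule; not the agent's code
    def __init__(self, timeout, clock):
        self.timeout, self.clock = timeout, clock  # seconds; injectable clock
        self.entries = {}        # path -> [text, created, expires]
        self.disk_reads = 0      # counts how often the template file is read

    def _load(self, path):
        with open(path, encoding="utf-8") as fh:
            text = fh.read()
        self.disk_reads += 1
        now = self.clock()
        self.entries[path] = [text, now, now + self.timeout]
        return text

    def get(self, path):
        entry = self.entries.get(path)
        now = self.clock()
        if entry and now < entry[2]:
            return entry[0]                  # still inside the interval
        if entry and entry[1] > os.path.getmtime(path):
            entry[2] = now + self.timeout    # file unchanged: reset the timeout
            return entry[0]
        self.entries.pop(path, None)         # not cached, or file is newer
        return self._load(path)

def write_template(path, text, mtime):
    with open(path, "w", encoding="utf-8") as fh:
        fh.write(text)
    os.utime(path, (mtime, mtime))           # pin mtime for a repeatable demo

def demo():
    now = [1_000_000.0]                      # constructed fake clock
    cache = FormCache(600, lambda: now[0])
    with tempfile.TemporaryDirectory() as tmp:
        path = os.path.join(tmp, "login.fcc")    # constructed sample template
        write_template(path, "v1", 999_000)
        seen = [cache.get(path)]             # first read comes from disk
        now[0] += 601
        seen.append(cache.get(path))         # expired, unchanged: timeout reset
        write_template(path, "v2", 1_000_700)
        now[0] += 100
        seen.append(cache.get(path))         # edited on disk, still cached
        now[0] += 600
        seen.append(cache.get(path))         # expired, file newer: re-read
    return seen, cache.disk_reads
```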

Disable FCC Realm Context Confirmation to Improve Performance

During forms authentication, the Web Agent makes an IsProtected call to the Policy Server to determine if the requested resource is protected. After this first call, the Web Agent typically makes an additional IsProtected call to the Policy Server. This second call establishes a realm context so that the Web Agent can log a user in with an FCC to access a protected resource. You can control whether the Web Agent makes this additional call using the following parameter:

FCCForceIsProtected

Specifies whether the Web Agent makes an additional IsProtected call to the Policy Server to establish a realm context so that the Web Agent can log a user in to access a protected resource.

When this parameter is set to no, the Web Agent uses the realm information obtained from its initial IsProtected call to the Policy Server instead.

Default: Yes

To improve performance by disabling the FCC realm context confirmation, set the value of the FCCForceIsProtected parameter to no.

Use a Relative Target for Credential Collector Redirects

Optionally, instruct an agent to use a relative URI instead of a fully qualified URL when directing requests to a credential collector and target resource. Using a relative URI prevents credential collectors on other systems with Web Agents from processing requests.

Note: This setting applies to all credential collectors except the cookie credential collector (CCC). The CCC must use a fully-qualified domain name for this parameter. OnAuthAccept responses will not work properly with a CCC if a relative URI is used.

Typically, a fully qualified URL is appended to the credential collector URL. For example:

url?A=1&Target=http://www.nete.com/index.html

To use only a relative URI, set the TargetAsRelativeURI parameter to yes. If set to yes, the target parameter that is appended to the credential collector URL is a relative target, such as url?A=1&Target=/index.html. In turn, when the credential collector redirects back to the Web Agent protecting the target resource, it is a relative redirect. Also, the Web Agent rejects any target that does not begin with a forward slash (/).

The default value for this parameter is no, so a fully qualified URL is always used.

Define Valid Target Domains

To configure SiteMinder Agents to help protect your resources from phishing attempts that could redirect users to a hostile website, set the following configuration parameter:

ValidTargetDomain

Specifies the domains to which a credential collector is allowed to redirect users. If the domain in the URL does not match the domains set in this parameter, the redirect is denied.

Default: No.

All advanced authentication schemes, including forms credential collectors (FCCs), support this parameter.

The ValidTargetDomain parameter identifies the valid domains for the target during processing. Before the user is redirected, the agent compares the values in the redirect URL against the domains in this parameter. Without this parameter, the agent redirects the user to targets in any domain.

The ValidTargetDomain parameter can include multiple values, one for each valid domain.

For local Web Agent configurations, specify an entry, one entry per line, for each domain, for example:

validtargetdomain=".xyzcompany.com"
validtargetdomain=".abccompany.com"
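The two target checks described above (TargetAsRelativeURI and ValidTargetDomain), sketched as an added example for testing candidate Target values against a planned configuration. This is not the agent's implementation: the function names, the label-boundary matching rule for leading-dot entries, and the extra rejection of targets beginning with // or containing a backslash are assumptions that go beyond what the page states.

```python
from urllib.parse import urlsplit

# Entries taken from the page's validtargetdomain example.
VALID_TARGET_DOMAINS = [".xyzcompany.com", ".abccompany.com"]


def host_allowed(host, domains=VALID_TARGET_DOMAINS):
    # Assumed rule: ".xyzcompany.com" covers xyzcompany.com and its
    # subdomains, matched on a label boundary, never as a bare substring.
    host = host.lower().rstrip(".")
    for entry in domains:
        base = entry.lower().strip(".")
        if host == base or host.endswith("." + base):
            return True
    return False


def check_target(target, relative_only=False, domains=VALID_TARGET_DOMAINS):
    """Return (allowed, reason) for the Target value of a collector URL."""
    if any(ch in target for ch in "\\\r\n\t"):
        return False, "backslash or control character"
    if relative_only:                       # models TargetAsRelativeURI=yes
        if not target.startswith("/"):
            return False, "target does not begin with /"
        if target.startswith("//"):         # stricter than the page's rule
            return False, "scheme-relative target names another host"
        return True, "relative target"
    try:
        parts = urlsplit(target)
        host = parts.hostname               # drops userinfo and port
    except ValueError:
        return False, "unparseable URL"
    if parts.scheme not in ("http", "https") or not host:
        return False, "not an absolute http(s) URL"
    if not host_allowed(host, domains):
        return False, "host %s is outside ValidTargetDomain" % host
    return True, "host %s matches ValidTargetDomain" % host


def audit(targets, relative_only=False):
    # Map each constructed sample target to its allow/deny decision.
    return {t: check_target(t, relative_only)[0] for t in targets}
```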

Enable FCCs and SCCs to Use Agent Names as Fully Qualified Host Names

To enable the forms and SSL credential collectors to use the fully qualified host name of the target URL as an Agent name, define the AgentNamesAreFQHostNames configuration parameter.

For example, if the AgentNamesAreFQHostNames parameter is set to Yes, the www.nete.com portion of the following URL string serves as the Web Agent name:

url?A=1&Target=http://www.nete.com/index.html

The credential collector uses this parameter in the following situations:

If the AgentNamesAreFQHostNames parameter is set to No, the credential collector uses the value of the DefaultAgentName parameter as the name of the target Web Agent.