Modify the .fcc File for Forms POST Preservation

You may have forms that obtain credentials from SiteMinder releases prior to v5.0. To preserve data during a POST, add the following line to the .fcc form template that is presented when a user tries to access the resource:

<input type=hidden name=postpreservationdata value="$$postpreservationdata$$">

Note: POST preservation is not supported with CGI and Perl based Password Services, ACE authentication, or any custom authentication scheme that posts to an FCC.

Enable Post Preservation between Framework and Traditional Agents

Framework Agents handle POST preservation data differently than Traditional Agents do. If your SiteMinder environment uses a combination of Framework and Traditional agents, and resources hosted by one type of Agent are protected by Forms Credential Collectors (FCCs) hosted on the other type of agent, you must specify the proper template file with the following parameter:

PostPreservationFile

Enables the transfer of POST preservation data between Traditional and Framework Agents by specifying the path to one of the following POST-preservation-template files:

Default: No default

Example: web_agent_home/samples/forms/fw2tr.pptemplate

To enable post preservation between Framework and Traditional agents

  1. Determine which resources are protected by FCCs running on a different type of Agent.
    1. Create a list of Traditional Agents hosting resources that are protected by FCCs running on Framework Agents.
    2. Create a list of Framework Agents hosting resources that are protected by FCCs running on Traditional Agents.
  2. For any Traditional Agents hosting resources (those you listed previously in step 1a), set the value of the PostPreservationFile parameter to the path of the tr2fw.pptemplate file.
  3. For any Framework Agents hosting resources (those you listed previously in step 1b), set the value of the PostPreservationFile parameter to the path of the fw2tr.pptemplate file.
  4. For all of your Framework Web Agents that communicate with Traditional Agents, set the value of the following parameter to yes:
    LegacyPostPreservationEncoding

    Specifies whether the Web Agent encodes any POST preservation data in a way that is compatible with the older, Traditional, Web Agents, or with the newer, Framework Web Agents. When the value of this parameter is set to yes, the encoding is compatible with the Traditional Web Agents. When the value of this parameter is set to no, the encoding is compatible only with the Framework Web Agents.

    Default: No

  5. Restart the web servers hosting your resources.

    POST preservation between Framework and Traditional agents is enabled.

More information:

Types of Web Agents (Traditional and Framework)

Customize the POST Preservation Page

When a timeout or other interruption occurs during a POST operation, the POST preservation page is displayed. In most cases, the POST preservation page appears for less than a second. However, the POST preservation page can be displayed for as long as 5 seconds when the amount of form data being posted is large.

By default, the POST preservation page displays the following text:

This page is used to hold your data while you are being authorized for your request. You will be forwarded to continue the authorization process. If this does not happen automatically, please click the Continue button below.

The POST preservation page also displays a Continue button that allows the user to repost the data to the application.

To customize the POST preservation page, create a POST preservation template file.

The general structure of the default page is as follows:

<HTML><HEAD><TITLE></TITLE></HEAD><BODY onLoad="document.AUTOSUBMIT.submit();">
This page is used to hold your data while you are being authorized for your request.<BR><BR>
You will be forwarded to continue the authorization process. If this does not happen automatically, please click the Continue button below.
<FORM NAME="AUTOSUBMIT" METHOD="POST" ACTION="$$smpostlocation$$">
<$$smpostdata$$>
<INPUT TYPE="SUBMIT" VALUE="Continue">
</FORM></BODY></HTML>

The POST preservation template must include the following two elements which the Web Agent expands when rendering the POST preservation page:

$$smpostlocation$$

Expanded to the credential collector URL during the first phase of POST preservation. Expanded to the protected resource URL during the second phase of POST preservation.

$$smpostdata$$

Expanded to contain HTML which results in the correct form data being posted to either location respective to the phase of POST preservation.

Do not remove or alter these elements.

However, you can change other elements. For example, to remove the Continue button, remove the <INPUT> element that defines that button:

<INPUT TYPE="SUBMIT" VALUE="Continue">
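
The constraints above can be checked before a custom template is deployed. The following Python script is an added example, not part of the SiteMinder documentation or product. The function name check_pptemplate and the rule that a template without a Continue button must keep the onLoad auto-submit are assumptions made for illustration.

```python
import re

# Added example: lint a custom POST preservation template (not vendor code).
# DEFAULT reproduces the default page structure shown above.
DEFAULT = '''<HTML><HEAD><TITLE></TITLE></HEAD><BODY onLoad="document.AUTOSUBMIT.submit();">
This page is used to hold your data while you are being authorized for your request.<BR><BR>
You will be forwarded to continue the authorization process.
<FORM NAME="AUTOSUBMIT" METHOD="POST" ACTION="$$smpostlocation$$">
<$$smpostdata$$>
<INPUT TYPE="SUBMIT" VALUE="Continue">
</FORM></BODY></HTML>
'''
# Constructed variants: button removed (allowed), then auto-submit removed too.
NO_BUTTON = DEFAULT.replace('<INPUT TYPE="SUBMIT" VALUE="Continue">\n', '')
STRANDED = NO_BUTTON.replace(' onLoad="document.AUTOSUBMIT.submit();"', '')

FORM_RE = re.compile(r"<form\b([^>]*)>(.*?)</form>", re.I | re.S)
ACTION_RE = re.compile(r'\baction\s*=\s*"?\$\$smpostlocation\$\$', re.I)

def check_pptemplate(text):
    """Return a list of problems; an empty list means the template passes."""
    problems = []
    # Both placeholders are expanded by the Web Agent and must stay intact.
    for token in ("$$smpostlocation$$", "$$smpostdata$$"):
        n = text.count(token)
        if n != 1:
            problems.append(f"{token} appears {n} times, expected 1")
    forms = [m for m in FORM_RE.finditer(text) if ACTION_RE.search(m.group(1))]
    if not forms:
        problems.append("no <FORM> uses $$smpostlocation$$ as its ACTION")
        return problems
    attrs, body = forms[0].group(1), forms[0].group(2)
    if not re.search(r'\bmethod\s*=\s*"?post\b', attrs, re.I):
        problems.append("form METHOD is not POST")
    if "<$$smpostdata$$>" not in body:
        problems.append("<$$smpostdata$$> is not inside the posting form")
    # Assumption: without a submit button, only the onLoad handler reposts.
    name = re.search(r'\bname\s*=\s*"?([\w-]+)', attrs, re.I)
    auto = name and re.search(
        rf'onload\s*=\s*"[^"]*document\.{re.escape(name.group(1))}\.submit\(\)',
        text, re.I)
    button = re.search(r'<input\b[^>]*type\s*=\s*"?submit', body, re.I)
    if not auto and not button:
        problems.append("no Continue button and no onLoad auto-submit: "
                        "data cannot be reposted")
    return problems

if __name__ == "__main__":
    for label, tpl in [("default", DEFAULT), ("no button", NO_BUTTON),
                       ("stranded", STRANDED)]:
        print(label, check_pptemplate(tpl) or "OK")
```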

Two sample POST preservation template files, fw2tr.pptemplate and tr2fw.pptemplate, are included in the following location:

To configure the Web Agent to use your POST preservation template file, define the PostPreservationFile agent configuration parameter to specify the path of the template file.
For example:

PostPreservationFile="/app/netegrity/webagent/samples_default/forms/nosubmitbutton.pptemplate"

Disable POST Preservation

If you do not need to use POST preservation, you may disable it with the following parameter:

PreservePostData

Specifies whether the Web Agent preserves POST data when redirecting requests. When the user is challenged for advanced authentication, such as forms or certificate authentication, the post data is preserved during the authentication phase.

Default: Yes

To disable POST preservation, set the value of the PreservePostData parameter to no.

Use the safeword.fcc File for SafeWord Forms Authentication

The Policy Server can authenticate users against a SafeWord authentication server, including users who are logging in via SafeWord hardware tokens.

One of the prerequisites for using the SafeWord forms-based authentication scheme is to have a customized safeword.fcc file residing on a web server where the SiteMinder Web Agent is installed. This web server must be in the cookie domain in which you implement HTML Forms authentication.

The safeword.fcc file defines the forms that a user sees during SafeWord authentication. Depending on the value of the authentication code sent by the Policy Server to the credential collector, the form that the user is asked to fill out changes. In the safeword.fcc file you can see the different text for each authentication code, as indicated by the directive smauthreason.

To customize the safeword.fcc file for your enterprise, you can modify the HTML layout of the form but not the type of credentials that the user must provide for a particular form. You may also want to modify the form logo. The file uses ISO-8859-1 encoding.

The sample safeword.fcc file is located in the directory:

web_agent_home/Samples/Forms

Note: For more information, see the Policy Server documentation.

Use a Special Forms Template for Passport Authentication

Beginning with Web Agent 5.x QMR1, an FCC file named loginusername.fcc was provided for use with the Passport authentication scheme. If you configure SiteMinder to use this form, when a user requests a protected resource, SiteMinder will:

  1. Recognize a signed-in Passport user as a mapped user from the SiteMinder user directory.
  2. Present the form, which:

To use the loginusername.fcc file:

  1. Edit the value of the IgnoreExt Web Agent parameter by removing the .fcc entry from the list of extensions that the Agent should ignore.
  2. Protect loginusername.fcc, using the Passport (Custom) authentication scheme.

    Note: For more information, see the Policy Server documentation.

  3. For each realm protected by the Passport authentication scheme, create a response on the Policy Server. For each response, configure a Web Agent response attribute as follows:
    1. Select WebAgent-HTTP-Header-Variable from the Attribute drop-down list.
    2. Select the User Attribute radio button from the Attribute Kind group box.
    3. In the Attribute Name field, enter the name of the user directory attribute that corresponds to the user name or user id. For example, if an LDAP directory contains the users that are mapped to Passport holders, enter uid.
    4. In the Variable Name field, enter a name for the response variable, such as LDAPUID.

      Note: For more information, see the Policy Server documentation.

  4. Edit the loginusername.fcc form to reflect the Variable Name value. Continuing with this example, the variable name is LDAPUID.

You can add these advanced features to the Agent configuration file or an Agent Configuration Object.