

Query String Encryption of Redirect URLs and FCC-based Password Services

If you want to encrypt the query strings of redirect URLs, you can only use the FCC-based Password Services; CGI or JSP-based Password Services will not work with encrypted query parameters. If you set the SecureUrls parameter to no, you can use any one of the three Password Services versions.

Note: CGI and JSP Password Services are deprecated as of 5.x QMR 7, but are still supported.

Allow Unrestricted Access to URIs

If you have URIs that you do not want to protect with SiteMinder, you can direct the Web Agent to ignore those URIs and allow unrestricted access to them by setting the following parameter:

IgnoreUrl

Specifies a URI within a URL that will not be protected. Users attempting to access the resource associated with the URI will not be challenged. The Web Agent takes the URI to ignore from the portion of the string that follows the third forward slash. For example, if you set this parameter to the following value:

http://www.example.com/directory

The Web Agent ignores the following URI:

directory

The Web Agent ignores the specified URI wherever it occurs, even if it is under a different domain. For example, the Web Agent ignores the URI shown previously in all of the following URLs:

http://www.example.com/directory
http://www.example.net/directory
http://www.example.org/directory

Note: This value is case-sensitive.

Default: No default.

Example: (multiple URIs in local configuration file)

IgnoreUrl="http://www.example.com/directory"

IgnoreUrl="http://www.example.com/directory2"

Example: (using a URI only, without specifying a domain)

IgnoreUrl="/resource/"

To allow unrestricted access to URIs, do either of the following tasks:

Resources using the specified URIs are ignored by the Web Agent and access to those resources is granted automatically.
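
The following added example (not part of the SiteMinder documentation or product code) audits IgnoreUrl entries written in the local configuration syntax shown above: it derives the URI that remains after the third forward slash and flags entries whose host is discarded, that repeat a URI, or that differ only by case. The sample configuration, the function names, and the wording of the review notes are constructed for illustration.

```python
import re

# Constructed sample in the local-configuration syntax shown on this page.
SAMPLE_CONFIG = """\
IgnoreUrl="http://www.example.com/directory"
IgnoreUrl="http://www.example.net/directory"
IgnoreUrl="/resource/"
IgnoreUrl="/Resource/"
IgnoreUrl="http://www.example.org"
"""

ENTRY = re.compile(r'^\s*IgnoreUrl\s*=\s*"([^"]*)"\s*$')

def effective_uri(value):
    """Split one IgnoreUrl value into (uri, discarded_host)."""
    # Full URL: only the part after the third forward slash is kept.
    parts = value.split("/", 3)
    if len(parts) >= 3 and parts[0].endswith(":") and parts[1] == "":
        return (parts[3] if len(parts) == 4 else ""), parts[2]
    # URI-only value: kept exactly as written, no host involved.
    return value, None

def audit(config_text):
    """Return one finding per IgnoreUrl line: line, uri, host, notes."""
    findings, seen = [], {}
    for lineno, line in enumerate(config_text.splitlines(), 1):
        m = ENTRY.match(line)
        if not m:
            continue
        uri, host = effective_uri(m.group(1))
        notes = []
        if host is not None:
            notes.append("host %s is discarded; URI is ignored on every domain" % host)
        if uri.strip("/") == "":
            notes.append("empty URI; review this entry")
        if uri in seen:
            notes.append("same URI as line %d" % seen[uri])
        elif uri.lower() in {u.lower() for u in seen}:
            notes.append("differs only by case from an earlier entry (value is case-sensitive)")
        seen.setdefault(uri, lineno)
        findings.append({"line": lineno, "uri": uri, "host": host, "notes": notes})
    return findings

if __name__ == "__main__":
    for f in audit(SAMPLE_CONFIG):
        print(f["line"], repr(f["uri"]), "; ".join(f["notes"]) or "ok")
```
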

Encrypt Query String Parameters in Redirection URLs

The following parameter enables the Web Agent to encrypt all SiteMinder query parameters in a redirect URL:

SecureURLs

Specifies whether the Web Agent encrypts the SiteMinder query parameters in a redirect URL. You can use this setting to provide additional security for requested resources protected by an advanced authentication scheme, Password Services, or when a request invokes the Cookie Provider.

Important! The Web Agent only encrypts data sent between SiteMinder components. The data sent for redirects to non-SiteMinder applications is not encrypted.

The following SiteMinder credential collectors and applications support the SecureUrls functionality:

Default: No

Follow these steps:

  1. Set the value of the SecureURLs parameter to yes.
  2. To encrypt query string parameters in redirection URLs within a single sign-on environment, ensure that all Web Agents in the single sign-on environment have the SecureURLs parameter set to the same value.
  3. If you are using custom FCCs, add the smquerydata directive with the other FCC directives (such as TARGET) to the custom FCC.

    Query string parameters are encrypted in SiteMinder redirection URLs.

Set a Maximum URL Size

You can increase the maximum URL size that a Web Agent can handle with the following parameter:

MaxUrlSize

Specifies the maximum size (in bytes) of a URL that a Web Agent can handle. Because different web servers have different limitations on URL length, check the documentation from your web server vendor before setting this parameter.

Default: 4096 B

To change the maximum URL size, change the number of bytes specified in the MaxUrlSize parameter.