The SiteMinder Forms Credential Collector (FCC) incorporated into SiteMinder Web Agents reads template files called .fcc files. The .fcc files are written using standard HTML tags and a small amount of proprietary notation required by SiteMinder to verify attributes and take advantage of custom features described later in this section.
Important! If you create or edit an .fcc file on a Windows system and move that file to a UNIX system, your UNIX system may append ^M at the end of lines of text. These characters, which identify the file as a Windows text file, cause .fcc files to fail during authentication. When moving files from Windows text editors to UNIX systems, be sure to examine the files and remove the appended characters. To avoid this situation, create and edit .fcc files that will be used in a UNIX environment on a UNIX system.
For the HTML Forms authentication scheme, the default extension for .fcc files is .fcc. If you want to use a different extension:
When a user requests a resource protected by an HTML Forms scheme, the Web Agent redirects the user to an .fcc file. The .fcc file invokes the FCC on the Web server in order to collect credentials from the user via a customized form. The FCC generates a browser page and builds a user name and password based on the contents of the .fcc file. The file resides in a Web server’s name space and is accessed like any HTML file. The .fcc file may contain two parts. Both parts are optional.
The first part of the FCC contains directives that are used when executing a POST operation on the .fcc file. The directives are never passed to the client. They must be at the beginning of the file and are of the form: @name=value
The name is the name of a variable. The value is the variable’s value. The value may contain strings of the form: %name1%. This will be replaced by the value of the variable associated with name1.
The second part of the .fcc file contains HTML code that is returned when a GET operation is performed on the .fcc file. This part may include text in the form "$$name$$", including the quotation marks (") that will be replaced by the value associated with name. The name is not case sensitive.
The hidden inputs listed in the following figure are used to hold state for the credential collectors:
|
Name |
To dynamically set, use the value:* |
Data preserved |
|---|---|---|
|
target |
"$$target$$" |
Resource that a user wants to access |
|
smauthreason |
"$$smauthreason$$" |
Reason for a login failure |
|
postpreservationdata |
"$$postpreservationdata$$" |
Data that a user submits through a post request. |
|
smagentname |
$$smagentname$$ |
Agent name used for logging user in. |
*Be sure to enter the quotation marks (").
At a minimum, an .fcc file must collect the following:
Important! If users will be submitting post requests to a resource protected by an authentication scheme that uses a credential collector (see the following figure), use the postpreservationdata input. Otherwise, data that users attempt to post to the requested resource will be lost.
|
Schemes |
|---|
|
Basic Over SSL Authentication Schemes |
|
HTML Forms Authentication Schemes |
|
X.509 Client Certificate Authentication Schemes |
|
X.509 Client Certificate and Basic Authentication Schemes |
|
X.509 Certificate or Basic Authentication Schemes |
|
X.509 Client Certificate and HTML Forms Authentication Schemes |
|
X.509 Client Certificate or HTML Forms Authentication Schemes |
The following is an example of a valid (though simple) .fcc file:
The file above is the usermap.fcc sample file included with the default installation of SiteMinder Web Agents.
The .fcc file above creates a distinguished name (DN) for the user based on the information the user enters in the User Name field and the Organization drop-down list of the HTML form. This DN is the user name authentication credential. The user’s password is collected from the Password field of the HTML form. The hidden realm and target input values are also collected so that the user can be directed to the appropriate resource when authentication is complete.
The login.fcc template generates a namespace for use in $$name$$ expansions and for use by special name value pairs. If a name is entered more than once the last value wins. Name/value pairs are added to this namespace in the following order:
An FCC can interpret a number of special name/value pairs (@directives) that invoke nonstandard processing. The special @directives and their meanings follow:
Name for the login user name.
Password to perform the login.
Resource to access after login.
Colon separated list of response names to include in the namespace. The colon separated list must contain an entry for each header that you want to include in a transaction. For example, if you want to pass the value of header1 and header2 as part of a transaction, include the following line in your FCC:
@smheaders=header1:header2
If there is an error on a POST to the custom form, the user browser is redirected to this page. If this special value is not specified in a .fcc file, the system uses the .unauth file that is associated with the .fcc file as the error page.
Specifies the maximum number of login attempts allowed. If you set this directive to 0, the number of retries is unlimited. If you set the number to 1 or greater, that is the number of retries allowed.
Note: If users log in using a POST to an .fcc form, it may appear that the user is given additional attempts to log in beyond the value of the smretries directive. However, the user is allowed access only if valid credentials are entered in the number of attempts that smretries specifies.
Determines whether data is posted from the Password Services FCC file or from a different FCC file.
Default: 1
Important! We recommend that you use the default value. The SafeWord authentication scheme may not work properly if the default value is changed.
Text that describes why the user was challenged / failed to login.
Reason code that is associated with a login failure.
Set to Yes to save user credentials in a persistent cookie on the user browser.
Colon separated list of names to be saved as persistent cookies.
Another name for smsave.
Colon separated list of names to be saved as transient cookies.
Specifies the agent name that is supplied to the Policy Server when a user enters credentials and submits the form for authentication. If the Agent parameter, FCCCompatMode=NO, specify a value using this directive.
Logs a user out of the system, similar to the LogoffUri parameter. By placing @smlogout=true in your .fcc template, the FCC logs a user out and redirect the user to the target. As such, the @smlogout directive is typically used with the @target directive (@target=<yoururlhere>).
Replaced by the URL encoded value of the named variable.
Note: If you expect the additional attributes or the Password to contain special characters (" . & = + ? ; / : @ = , $ %), URL-encode each additional attribute value in the .fcc template file. The template uses US-ASCII encoding.
Replaced by the URL decoded value the named variable.
Note: The “sm” prefix for name/value pairs is reserved for additional special names that the system requires. When creating names for your login page do not use the “sm” prefix.
The .fcc template files include two localization parameters:
Used to determine the language used in the HTML forms that collect user information or display status messages.
The value that is paired with smlocale corresponds to part of the name of a localization properties file. The localization properties file contains IDs mapped to text strings in the specified language.
smlocale values have the following format:
COUNTRY-LANGUAGE
For example, the value for smlocale for United States English is:
SMLOCALE=US-EN
Contains information that tells the browser what language encoding to use. Changing the default value for this variable overrides the encoding set in the following META tag:
<meta http-equiv="Content-Type" content="text/html;charset=ISO-8859-1">
In addition to the username and password, you can collect additional attributes from users, such as an email address or job title.
To collect additional attributes
Note: If you expect the additional attributes or the Password to contain special characters (" . & = + ? ; / : @ = , $ %), URL-encode each additional attribute value in the .fcc template file. The template uses US-ASCII encoding.
Add the following line at the beginning of the file:
@password=PASSWORD=%PASSWORD%&newattr1=%newattr1%&newattr2=%newattr2%
If the additional attributes have special characters, the line should look like the following sample:
@password=PASSWORD=%urlencode(PASSWORD)%&newattr1%=%urlencode(newattr1)%&newattr2=%urlencode(newattr2)%
Represents the first additional attribute.
Represents the second additional attribute.
The value before the equal sign is the attribute name and the value between the percent sign (%) sign is the attribute value.
The FCC parses the names of the new attributes from the attribute values.
Note: Append additional attributes to the @password directive with the ampersand (&) character.
When you add attributes to the template file, consider the following points:
@password=PASSWORD=%PASSWORD%&mail=%address%
or
@password=PASSWORD=%urlencode(PASSWORD)%&mail=%urlencode(address)%
you would add a line to the .fcc file similar to the following:
<input name=”address” type=”text”>
@password=PASSWORD=%PASSWORD%&mail=%address%
or
@password=PASSWORD=%urlencode(PASSWORD)%&mail=%urlencode(address)%
where mail is the name of the LDAP attribute that stores email addresses.
For example, to add the attribute mail (from the example above) to the authentication scheme, enter the following in the Additional Attributes List field:
AL=PASSWORD,mail
Note: The additional attribute names are case-sensitive.
The default behavior of forms-based authentication is to redirect unauthenticated or unauthorized users back to the original login form. You can configure the smretries directive (@smretries) to provide users with additional login attempts. However, the default behavior does not let you display a message that informs users why the login failed.
The Web Agent ships with the DynamicRetry.fcc and DynamicRetry.unauth files. This pair of .fcc files changes the behavior of the redirect. The login page (DynamicRetry.fcc) is configured to send users to the unauthorized page (DynamicRetry.unauth) after one failed login attempt. The unauthorized page is a different template file than the login file. As a result, the unauthorized page can contain a message stating why the login failed. By default, the unauthorized page is configured with a message that informs users that they have entered invalid credentials for the resource they are attempting to access.
Note: You can change this message by opening DynamicRetry.unauth and updating the text in between the h3 tags.
To tell users why login failed, specify the target path to the DynamicRetry.fcc file when configuring the authentication scheme. The default path to the DynamicRetry.fcc file is agent_home\samples\forms\DynamicRetry.fcc
Specifies the Web Agent installation path.
Consider the following limitations when using the DynamicRetry pair of .fcc files:
Note: You can use this method in combination with Password Services to disable users with a password policy after a specified number of failed attempts. More information about password policies exists in the Password Policies.
|
Copyright © 2012 CA.
All rights reserved.
|
|