

Configure an FCC Template for an Information Card Authentication Scheme

The SiteMinder Web Agent includes a Forms Credential Collector (FCC) template that you can use to implement an ICAS in SiteMinder.

To configure the FCC template for an Information Card Authentication Scheme

  1. Open the following default FCC file with a text editor:
    web_agent_home\samples_default\forms\InfoCard.fcc
    
  2. Save a copy of the file to the following directory (this preserves the default FCC settings in case you need them later):
    web_agent_home\samples\forms\
    
  3. Record the following information from your copy of the FCC file:

    Important! The Policy Server needs this information for its configuration.

  4. (Optional) Use the text editor to make any of the following changes in your copy of the FCC file.

Disable Windows Security Context on Agents for IIS

The SiteMinder Policy Server obtains the Windows security context from the session of the user. In most situations, this environment is acceptable for single sign-on because the session information is available to all agents.

The following example describes a situation where different settings are required for single sign-on:

This situation is shown in the following illustration:

Diagram showing how to disable the Windows security context on a per-agent basis to allow single sign-on between environments that use Windows security context and those that do not

To permit SSO between a Windows domain using Windows security context and a Windows workgroup not using Windows security context, set the following parameter:

DisableWindowsSecurityContext

Disables the Windows security context for the agent. When the value of this parameter is yes, the agent ignores the Windows security context of the user. When the value of this parameter is false or no, the agent uses the Windows security context contained in the session of the user. This parameter allows single sign-on between Windows environments that use the security context and Windows environments that do not.

Default: False

Limits: Yes, No

How to Control When SiteMinder Agents Process Cookies

SiteMinder Agents for IIS support the Application Request Routing (ARR) feature that IIS 7.x web servers offer. ARR operates on a Microsoft IIS web server much like the reverse proxy server feature that other web server vendors provide.

All SiteMinder agents process cookies. Control when the cookie processing occurs in situations where all of the following conditions exist:

Controlling when the agent processes the cookie maintains security by enforcing SiteMinder protection levels.

Certain deployments of SiteMinder agents require that SiteMinder cookie processing occur at a particular point in a transaction. All SiteMinder agents use and process cookies. Some circumstances require processing a cookie earlier in a transaction. Other circumstances require processing a cookie later. Processing cookies at the proper time verifies that SiteMinder properly protects your resources.

Important! Processing cookies at the wrong time affects protection levels. The additional processing that the ARR feature performs requires changing the relative time at which the SiteMinder agent processes the cookie.

The following illustration shows how an agent owner controls when the SiteMinder agent processes cookies:

This workflow shows how to control when SiteMinder Agents Process Cookies

To control when SiteMinder agents process cookies, do one of the following procedures:

Open the Administrative UI

Open the Administrative UI to change SiteMinder objects on your Policy Server.

Follow these steps:

  1. Open the following URL in a browser.
    http://host:port_number/iam/siteminder/adminui
    
    host

    Specifies the fully qualified Administrative UI host system name.

    port_number

    Specifies the port on which the application server, which is hosting the Administrative UI, is listening. If you installed the Administrative UI using the stand-alone option, enter 8080.

    Example: http://somehost@example.com:8080/iam/siteminder/adminui

    The SiteMinder Administrative UI login screen appears.

  2. Enter your SiteMinder superuser name in the User Name field.
  3. Enter the SiteMinder superuser account password in the Password field.
  4. Verify that the proper server name or IP address appears in the Server drop-down list.
  5. Click Log In.

    The Administrative UI opens.

After you open the SiteMinder Administrative UI, use the procedure in the next section to modify your agent configuration object.

Change the Value of the EarlyCookieCommit Parameter in your Agent Configuration Object

Central configuration stores the parameter settings for your agent on the Policy Server. For agents using central configuration, modify your agent configuration object to change any parameter settings.

Follow these steps:

  1. From the Administrative UI, click Infrastructure, Agent Configuration, Modify Agent Configuration.

    A list of Agent Configuration objects appears.

  2. Click the button of the Agent Configuration Object you want, and then click Select.

    The Modify Agent Configuration dialog appears.

  3. Click the edit icon to the left of the following parameter:
    EarlyCookieCommit

    Specifies if cookies are set at an early point during processing or at a later point. Set the value of this parameter to yes when all of the following conditions exist:

    • The IIS web server uses Application Request Routing (ARR).
    • The value of the FCCCompatMode parameter is yes.

    Set the value of this parameter to yes to preserve the behavior of earlier SiteMinder agents for any custom applications that rely on early cookie processing.

    Limits: Agents for IIS 7.x only.

    Default: No (cookies are set later).

  4. Click the value field, and then change the value of the previous parameter to yes.
  5. Click OK.
  6. Click Submit.

    A confirmation message appears.

Change the Value of the EarlyCookieCommit Parameter in your Local Configuration File

Local configuration stores the parameter settings for your agent in a configuration file on your web server. For agents using local configuration, modify this local configuration file to change any parameter settings.

Follow these steps:

  1. Locate the LocalConfig.conf file on your web server. Use the examples in the following list to locate the file on your type of web server:
    IIS web server

    web_agent_home\bin\IIS

    Oracle iPlanet web server

    Oracle_iPlanet_home/https-hostname/config

    Apache web server

    Apache_home/conf

  2. Open your LocalConfig.conf file with a text editor.
  3. Locate the following parameter:
    EarlyCookieCommit

    Specifies if cookies are set at an early point during processing or at a later point. Set the value of this parameter to yes when all of the following conditions exist:

    • The IIS web server uses Application Request Routing (ARR).
    • The value of the FCCCompatMode parameter is yes.

    Set the value of this parameter to yes to preserve the behavior of earlier SiteMinder agents for any custom applications that rely on early cookie processing.

    Limits: Agents for IIS 7.x only.

    Default: No (cookies are set later).

  4. Change the value after the equal sign to yes.
  5. Save and close the local configuration file.
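
After saving the file, the setting can be checked against the two documented conditions. The following script is an added example, not part of the SiteMinder product or its documentation. It assumes that LocalConfig.conf holds one name=value pair per line with optional double quotes and # comment lines, that a missing FCCCompatMode counts as not yes, and that the caller states whether the server uses ARR; the sample file content and the function names are constructed for illustration.

```python
import re

# Constructed sample, not taken from a real agent. Assumed syntax: one
# name=value pair per line, optional double quotes, '#' starts a comment.
SAMPLE_CONF = """\
# constructed LocalConfig.conf fragment
FCCCompatMode="YES"
#EarlyCookieCommit="NO"
"""

_SETTING = re.compile(r'^\s*([A-Za-z_]\w*)\s*=\s*"?([^"#\r\n]*?)"?\s*$')


def parse_local_config(text):
    """Return {name: value} for active (uncommented) name=value lines."""
    settings = {}
    for line in text.splitlines():
        if line.lstrip().startswith("#"):
            continue  # a commented-out parameter keeps its default
        match = _SETTING.match(line)
        if match:
            settings[match.group(1)] = match.group(2).strip()
    return settings


def is_yes(value):
    """Treat a missing parameter as 'not yes'; compare case-insensitively."""
    return value is not None and value.strip().lower() == "yes"


def audit_early_cookie_commit(text, uses_arr):
    """uses_arr: whether this IIS server routes through ARR (caller-supplied).

    Returns 'set-yes' when both documented conditions hold but the parameter
    is not yes, 'review' when it is yes without them, otherwise 'ok'.
    """
    settings = parse_local_config(text)
    early = is_yes(settings.get("EarlyCookieCommit"))  # documented default: No
    required = uses_arr and is_yes(settings.get("FCCCompatMode"))
    if required and not early:
        return "set-yes"
    if early and not required:
        return "review"
    return "ok"


if __name__ == "__main__":
    print(audit_early_cookie_commit(SAMPLE_CONF, uses_arr=True))
```

A result of review does not mean the setting is wrong: the parameter can also be set to yes deliberately to preserve the behavior of earlier agents for custom applications.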