Symantec Access Management

  • 1.  Multistep login with SecureURLs

    Posted Aug 11, 2017 12:38 PM

    We want to be able to use an external non-FCC based login page to do multistep authentication, using a combination of AJAX requests to get an SMSESSION cookie.

     

    At the end of the steps we want to redirect the user to where they originally wanted to go.

     

    As we are using SecureURLs, the original TARGET is not available to the login page, only the encrypted SMQUERYDATA, and hence at this point we can't redirect the user to the TARGET.

     

    When using an .fcc file as the login page, you can extract the original TARGET URL using the $$TARGET$$ string in the FCC.

     

    Has anyone got any suggestions that would address this?

     

    I had thought of replaying the original SMQUERYDATA that was in the redirect from the original request, along with the SMSESSION cookie to some .fcc file, and hoping to configure the directives so that this resulted in a redirect to the TARGET. Not sure if this approach would work, or which @directive I would need.

     

    As a fallback position we have configured an fcc, but ideally would like this in an HTML file as then the customer's UX people would be able to update it through their content management system.



  • 2.  Re: Multistep login with SecureURLs

    Posted Aug 13, 2017 09:22 PM

    Hi Gary,

     

    You can try saving the target in the cookie by using the @save directive like this:

    @save=TARGET

     

    You will need to do this in your first login page where you post user creds.

     

    Tech Tip : CA Single Sign-On : Web Agent : Pre-fill username during step up authentication 

     

    Regards,

    Ujwol



  • 3.  Re: Multistep login with SecureURLs

    Posted Aug 14, 2017 05:35 AM

    Thanks for the suggestion, but I don't think this is going to work as the first FCC that I POST credentials to I will not be passing the SMQUERYDATA from the original request.

     

    I could POST to an FCC with that directive to get the TARGET cookie, but that would need to be another request. I'm also not sure if saving the TARGET as a cookie in this way would circumvent some of the protection given by the SecureURLs feature.



  • 4.  Re: Multistep login with SecureURLs

    Posted Aug 15, 2017 12:33 PM

    I have this exact requirement also. I want the added benefit of using secureURLs, but I have not identified a way to redirect to the target several steps after the post to the FCC. If CA could deploy a redirect FCC that could accept an SMSESSION token and the encrypted target, that might be a fairly easy solution to implement. I wonder if the agentAPI has anything that can read the encrypted target, decrypt it, and present it to an application that performs the 302.



  • 5.  Re: Multistep login with SecureURLs

    Posted Aug 15, 2017 02:57 PM

    No, there's nothing in the Agent API unfortunately. 



  • 6.  Re: Multistep login with SecureURLs

    Posted Aug 18, 2017 03:49 AM

    I would also like to know if there's an elegant way of sequencing AJAX requests that anyone has used. Our current attempt is a bit spaghetti-like.



  • 7.  Re: Multistep login with SecureURLs

    Posted Aug 29, 2017 03:08 PM

    One thing we have done which may be of help to others is getting the login.fcc to return a JSON response containing the SMQUERYDATA as a field in the object. Instead of adding HTML after the FCC directives you can add a skeleton JSON object and use the $$ strings to replace parameters.
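
Added example, not part of the original thread and not CA/Symantec code: one way to sequence the AJAX steps asked about in post 6 while carrying the SMQUERYDATA returned as JSON (post 7) through every step as an opaque value. The step URLs, form field names, JSON skeleton shape and the fake transport are assumptions made for illustration; the final redirect to TARGET remains the open question of this thread.

```javascript
// Assumed JSON skeleton placed after the directives in login.fcc (hypothetical shape):
//   {"smquerydata": "$$smquerydata$$"}

// Parse the FCC's JSON body. SMQUERYDATA is encrypted, so it is only checked
// for presence and then passed along untouched, never decoded or rewritten.
function parseFccJson(body) {
  const data = JSON.parse(body);
  if (typeof data.smquerydata !== "string" || data.smquerydata === "") {
    throw new Error("FCC response carries no SMQUERYDATA");
  }
  return data;
}

// Run the steps strictly in order. Each step builds its request from what
// earlier steps stored; the first failed step aborts the whole sequence.
async function runLoginSteps(steps, send, initial = {}) {
  let ctx = { ...initial };
  for (const step of steps) {
    const reply = await send(step.url, step.body(ctx));
    if (!reply.ok) throw new Error(`step "${step.name}" failed: ${reply.status}`);
    ctx = { ...ctx, ...step.onReply(reply) };
  }
  return ctx;
}

// Hypothetical step list: URLs and field names are placeholders.
const loginSteps = [
  { name: "challenge", url: "/login/login.fcc",
    body: () => ({}),
    onReply: (reply) => parseFccJson(reply.text) },
  { name: "password", url: "/login/password.fcc",
    body: (ctx) => ({ USER: ctx.user, PASSWORD: ctx.password, smquerydata: ctx.smquerydata }),
    onReply: () => ({ passwordOk: true }) },
  { name: "otp", url: "/login/otp.fcc",
    body: (ctx) => ({ OTP: ctx.otp, smquerydata: ctx.smquerydata }),
    onReply: () => ({ otpOk: true }) },
];

// Constructed stand-in for fetch/XMLHttpRequest so the example runs offline.
// failAt (optional) names a URL that should answer 401.
function makeFakeSend(log, failAt) {
  return async (url, body) => {
    log.push({ url, body });
    if (url === failAt) return { ok: false, status: 401, text: "" };
    return { ok: true, status: 200, text: '{"smquerydata": "CONSTRUCTED-OPAQUE-VALUE"}' };
  };
}
```

In a browser, `send` would wrap `fetch` with `credentials: "include"` so the SMSESSION cookie set along the way is kept.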