Symantec Access Management

  • 1.  Verify POST data to FCC file (i.e., restrict to only one 'agent')

    Posted Jun 02, 2015 05:20 PM

    Just wanted to see if anyone had any ideas or have done this before.

     

    If I have some login.fcc files out there they will accept username + password POST data so long as the agent name, user, and password are passed to it properly. Is there a good way, built-in or easily customized, to have CA SSO verify some additional parameter that only certain credential collectors would know?

     

    Basically I want to restrict it from processing any POST request that didn't originate from a specific set of credential collector agents. If it got one from some other agent, it would deny it. I can't rely on the agent name, because that's not really a protected value in any way, so it's not like it is hard to find a good one and just use that.

     

    Preferably without a custom authentication scheme.

     

    Hopefully that made sense. Anyone know if that is possible using the FCC files?



  • 2.  Re: Verify POST data to FCC file (i.e., restrict to only one 'agent')

    Posted Jun 11, 2015 10:13 AM

    Is anyone able to assist further with this user's question?

     

    Thank you



  • 3.  Re: Verify POST data to FCC file (i.e., restrict to only one 'agent')

    Posted Jun 11, 2015 10:17 AM

    Good Call!

     

    If CA doesn't have this built in I would love to support this as an Idea. Sounds like a solid security feature to add.



  • 4.  Re: Verify POST data to FCC file (i.e., restrict to only one 'agent')

    Posted Jun 11, 2015 10:34 AM

    Interesting question, but why do you want this exactly?  Generally I think there is more concern about the target than the source and there are parameters for restricting the target.

     

    This could be done with a custom auth scheme.  You could include an encrypted and/or digitally signed token from the login page and validate it in the auth scheme.  Alternatively you could do something like this with the secure proxy server using a custom filter.



  • 5.  Re: Verify POST data to FCC file (i.e., restrict to only one 'agent')

    Posted Jun 11, 2015 10:43 AM

    Our customer wants to ensure that the only POST data that is processed came from an authorized credential collector. Basically it's tough to enforce technical controls over requiring someone use a centralized credential collector if all they have to do is post creds to the login.fcc (process/procedure controls only go so far). So long as they do that POST, then it processes the request.

     

    The first idea you mention on the token is what I had kind of been leaning toward, but was hoping to do without a custom auth scheme - which doesn't appear to be possible (I'm not a dev so have to either do OOTB / configs or wait for resource availability).

     

    Hadn't thought of using the SPS. What kind of filter were you thinking? A little new to SPS over here other than using the AuthN/AuthZ Web Services.



  • 6.  Re: Verify POST data to FCC file (i.e., restrict to only one 'agent')

    Posted Jun 11, 2015 10:54 AM

    If your FCC page is behind SPS you could create a custom filter that inspects the requests and rejects them if they are not what you expect.  It's still custom Java code, so you're probably better off using a custom auth scheme IMO.
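    The signed-token approach discussed in posts 4 through 6, as an added example that is not from this thread or from CA: the authorized login page mints an HMAC token binding a collector id and issue time, and the gate (which would live in the custom auth scheme or SPS filter) checks the signature, the collector id and the age before the username/password POST is honoured. The secret, the collector ids and the `cc_token` form field are constructed placeholders.

```python
import base64
import hashlib
import hmac
import json
import secrets
import time

# Constructed placeholders: the real secret is shared only by the login page and the gate.
SHARED_SECRET = b"placeholder-secret-replace-me"
AUTHORIZED_COLLECTORS = {"central-cc-prod"}  # hypothetical ids of the official collectors
TOKEN_TTL_SECONDS = 120                      # short window limits replay of a captured form
TOKEN_FIELD = "cc_token"                     # hypothetical hidden field added to the login form


def issue_token(collector_id, now=None):
    """Minted by the authorized login page when it renders the form. Knowing a
    valid agent name (not a secret) is no longer enough to get a POST processed."""
    now = int(time.time()) if now is None else now
    claims = {"cc": collector_id, "iat": now, "nonce": secrets.token_hex(8)}
    payload = json.dumps(claims, separators=(",", ":")).encode()
    sig = hmac.new(SHARED_SECRET, payload, hashlib.sha256).digest()
    return base64.urlsafe_b64encode(payload).decode() + "." + base64.urlsafe_b64encode(sig).decode()


def validate_token(token, now=None):
    """Gate run before credentials are accepted. Returns (accepted, reason)."""
    now = int(time.time()) if now is None else now
    try:
        payload_b64, sig_b64 = token.split(".")
        payload = base64.urlsafe_b64decode(payload_b64)
        sig = base64.urlsafe_b64decode(sig_b64)
    except ValueError:  # wrong part count or bad base64 (binascii.Error is a ValueError)
        return False, "malformed"
    # Verify the signature before trusting anything inside the payload.
    expected = hmac.new(SHARED_SECRET, payload, hashlib.sha256).digest()
    if not hmac.compare_digest(sig, expected):
        return False, "bad-signature"
    claims = json.loads(payload)
    if claims.get("cc") not in AUTHORIZED_COLLECTORS:
        return False, "unauthorized-collector"
    if not 0 <= now - claims["iat"] <= TOKEN_TTL_SECONDS:
        return False, "expired"
    return True, "ok"


def should_process_post(form, now=None):
    """Decision for one FCC POST: the agent name is not consulted, only the token."""
    if TOKEN_FIELD not in form:
        return False, "missing-token"
    return validate_token(form[TOKEN_FIELD], now)
```

The nonce is carried so the gate can additionally record seen tokens and refuse a second use within the TTL if single-use is required.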



  • 7.  Re: Verify POST data to FCC file (i.e., restrict to only one 'agent')

    Posted Jun 11, 2015 11:35 AM

    First, SSO Service Owner controls what Auth Schemes get created.  Only authorized auth schemes using authorized creds collector are allowed.  Make it Company Policy with violations a terminable offense.  This will stop 99.99%.

     

    If someone wants to try it on their own anyway, you could remove ".fcc" from the IgnoreExt parameter for all non-official creds collector ACOs.

     

    The workaround to that is to put the .fcc in an unprotected realm.  Again, the SSO Service Owner controls this or should at least be aware of it.

     

    Lastly, monitor the policy server trace log for occurrences of IsProtected for .fcc resources for non-official CC agents.  If found, see above Company Policy.