Symantec Access Management

  • 1.  Can we add custom attribute to login.fcc

    Posted Jan 19, 2017 11:54 AM

    Siteminder 12.52 SP1
    OS : Windows2008
    Working on social media Facebook authentication using OAuth 2.0.
    Can we add a custom attribute to login.fcc and consume that attribute in policy? Say, if the customer is coming from Facebook, I will set the attribute to Yes/No. I will check the domain policy for the user: if NO, redirect to the STEPUP page; if YES, it will land on the End App.



  • 2.  Re: Can we add custom attribute to login.fcc

    Posted Jan 19, 2017 01:27 PM

    Similar questions posted on Community.
    Pass custom data to fcc

    I have created an attribute called xyz, which will be encapsulated on the browser. Need more information on this logic.



  • 3.  Re: Can we add custom attribute to login.fcc

    Posted Jan 19, 2017 01:43 PM


  • 4.  Re: Can we add custom attribute to login.fcc

    Posted Jan 19, 2017 06:13 PM

    Ujwol,

    Thank you for the link. I am not looking to create the attribute but want to create the directive for the attribute in login.fcc. The browser will be looking for a specific value; if the value exists, it sends the user to the app, if not, it asks for step-up authentication.
    Going forward I want to use that directive.



  • 5.  Re: Can we add custom attribute to login.fcc

    Posted Jan 19, 2017 11:15 PM

    You cannot create a directive for custom attributes.

    I believe when you said you have created an attribute called XYZ, you meant this is one form attribute in the login.fcc?

    The list of available directives is fixed and predefined. Some examples of directives are:

    • @logout
      This directive logs the user out of CA Single Sign-On and removes the SMSESSION cookie.
    • @smheaders
      This directive adds HTTP request headers to the FCC namespace. For impersonation, this directive provides the contents of the session specification header, SMSERVERSESSIONSPEC (or SM_SERVERSESSIONSPEC; see Note about SMSERVERSESSIONSPEC and LegacyVariables), to the FCC namespace so that it is available for use as a password.
    • @smpushsession
      This directive allows a user to “impersonate” another user and then return to the original session. This directive must be set to "true".
    • @smpopsession
      This directive returns to the original session after @smpushsession has been used. This setting must be set to "true".
    • @smredirect
      This directive redirects requests to the specified target.
    • @target
      This directive tells the FCC where to redirect to after processing a URL.
    • @password
      This directive specifies the contents of the password to be passed to the Policy Server.

    If your requirement is just to save the value for this custom XYZ attribute for that session, then you can probably use the @save directive to instruct the web agent to save it in the cookie.

    You can then later use it in the subsequent client-side code by accessing the cookie.

    Sample is here:

    Tech Tip : CA Single Sign-On : Web Agent : Pre-fill username during step up authentication 



  • 6.  Re: Can we add custom attribute to login.fcc

    Posted Jan 20, 2017 10:17 AM

    Ujwol,

    The above information really helps, but is there a best way to get the browser cookie to domain policies?



  • 7.  Re: Can we add custom attribute to login.fcc

    Posted Jan 20, 2017 10:53 AM

    Ujwol,

    Our current login page is customized as an .aspx page that submits its action to login.fcc.

    Now we want to implement a step-up page controlled by .aspx, so the flow will be something like this:

    Read the cookie from the browser; if not present, then redirect to the step-up page, otherwise to the app.

    Solution we are thinking of:

    Customize .fcc with either directive [cookie] or concat with @password

    Question 1: Can we read the cookie from the browser on login.fcc?
    Question 2: If yes, how can we use that in domain policy to redirect on AuthAccept?
    Question 3: Can we use SP-initiated Fed with #2?
    Question 4: If no, what is the alternative?

    Thanks



  • 8.  Re: Can we add custom attribute to login.fcc

    Posted Jan 22, 2017 08:34 PM

    Question 1: Can we read the cookie from the browser on login.fcc?

    Ujwol => YES, you can read the cookie in login.fcc. A sample on how to do this is in the KB that I provided earlier:

    Tech Tip : CA Single Sign-On : Web Agent : Pre-fill username during step up authentication 


    Question 2: If yes, how can we use that in domain policy to redirect on AuthAccept?

    Ujwol => No, the cookies are available only at the web server level; they aren't available to the Policy Server.

    If you want to access this at the server side, you should look at FORM POST VARIABLE, with which you can SAVE the custom attribute during login in the Variable, which can later be used in the User Policy.


    Question 3: Can we use SP-initiated Fed with #2?

    Ujwol => Please clarify on this.


    Question 4: If no, what is the alternative?

    Ujwol => I think we already discussed a couple of alternatives here.