Symantec Access Management

  • 1.  CA Single Sign-On manage fail authentication responses

    Posted Jun 06, 2018 10:15 AM

    Hello,

     

I'm working on a response configuration that I want to use to manage authentication failures (wrong password, user not found, access denied, etc.)

     

In my design, I have a login page deployed in a non-protected zone.
This page posts the user credentials to SiteMinder's fcc page "forms/login.fcc".

If the credentials are OK, SiteMinder redirects me to my service page (deployed in the protected zone). This is my "happy path" and it is working just fine.

     

However, when the authentication fails, I'm redirected to my login page (non-protected zone) and I want to consume the response added on the OnAuthAttempt / OnAccessReject / OnAuthReject events. Until now, the only way I managed to make it work was using a cookie variable (WebAgent-HTTP-Cookie-Variable), but I don't want to use cookies.

     

In my design, I was hoping to use a WebAgent-HTTP-Header-Variable (or maybe a WebAgent-HTTP-Authentication-Variable) to do it. But for an unknown reason, this value never gets back to my page in the non-protected zone.

     

I was hoping to get your advice about:
* why is this approach not working? Am I able to retrieve a header response attribute in a non-protected zone?
* what would be the best practice (according to CA) to return a code or the reason for the failure to my login page? By the way, the variable SM_AUTHREASON always returns 0 even when the authentication fails.

     

PS 1: I checked the smtracelog and I can clearly see that the response was activated and the values were added ... I just can't see them in either the HTTP response context or the HTTP request context.

     

     

PS 2: I've also tried the approach described at this link, and it also didn't work: https://communities.ca.com/thread/241737436

     

    Chad

     

As per the current design of CA SSO / SiteMinder:

     

1. If the user has a valid SMSession on the browser, then on unprotected resources the user would be able to see only the default SiteMinder headers. The user would not have access to headers being passed by Responses. Remember the WebAgent is only a PEP (Policy Enforcement Point) and the Policy Server is the PDP (Policy Decision Point). If a resource is defined as unprotected within the Policy Server, or is not defined within the Policy Server, it is evaluated as an unprotected resource by the Policy Server. This is then communicated to the WebAgent. The WebAgent simply ignores these resources if the IsProtected() API call returns unprotected from the WebAgent cache or from the Policy Server. Therefore there are no Response headers. To put it in other terms, it is as good as SiteMinder not being there intercepting / challenging / validating.

     

    Best regards,
    Marcos



  • 2.  Re: CA Single Sign-On manage fail authentication responses

    Posted Jun 08, 2018 05:54 PM

    Can you try this:

     

    1. Change the login page to protected.

2. Protect the login page with the anonymous auth scheme and assign access to all users.



  • 3.  Re: CA Single Sign-On manage fail authentication responses

    Posted Jun 10, 2018 11:40 PM

I am sure we should get the header / cookie response we create for OnAuthReject / OnAuthAttempt rules. Did you check that you have associated the response object you created with the correct rule(s) (OnAuthReject / OnAuthAttempt rules) in the policy object?

     

How are you trying to read these headers in your login page? You should be able to read the header with the line below in Java / JSP.

     

    String header_name = request.getHeader("HeaderName");

     

You can also try to test it with the SM Test Tool to see whether you are getting the headers for the auth reject / auth attempt scenarios.

     

The value of SM_AUTHREASON depends on the user state. You will get 0 as the response for an invalid login attempt and you will get 24 when the user account is locked, etc.

     

    I hope this helps.

    Thanks,

    Gopi.



  • 4.  Re: CA Single Sign-On manage fail authentication responses

    Posted Jun 11, 2018 02:03 PM

    Hi ujwols,

     

    I already tried that, and it didn't work as well.

    =(

     

    GopiReddyIrala

Yep, I'm sure the responses are OK ... I added a static value to a cookie variable (HQCodeE) in the same response to be sure that it was really activated. I can read the cookie but not the header variable.

     

I also checked the smtracedefault.log and I can clearly see the values being added to the response, look:

     

    [AuthenticateUser][User 'RCEM005_test-siteminder' is not authenticated by Policy Server.]
    [ProcessResponses][Calling SM_WAF_HTTP_PLUGIN->ProcessResponses.]
    [CSmHttpPlugin::ProcessResponses][Processing Authentication responses.]
    [CSmHttpPlugin::ProcessResponses][Processing LoginResponse, SmNo skipped]
    [CSmHttpPlugin::ProcessResponses][Setting custom HTTP header variable: 'HTTP_variablesession=test']
    [CSmHttpPlugin::ProcessResponses][Setting custom HTTP cookie: 'HQCodeE=2' from Policy Server]

     

     

In this particular case, I'm reading all the header content (in my server-side code) and showing the result in my ASP.NET page. This is what I can read from my HTTP context content:

     

    Header Request Cache-Control = no-cache
    Header Request Connection = Keep-Alive
    Header Request Content-Length = 0
    Header Request Accept = text/html, application/xhtml+xml, */*
    Header Request Accept-Encoding = gzip, deflate
    Header Request Accept-Language = fr-CA
    Header Request Cookie = Langue=F; ASP.NET_SessionId=kaddnxju2lcsorp0aioqzp3j; LogonXP=RCEM005; Service=TWATH; FWK2015_SessionID=kaddnxju2lcsorp0aioqzp3j;
    Header Request Host = XXXXXXXXXXXXXX:95
    Header Request Referer = https://************
    Header Request User-Agent = Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko
    Header Request SM_USERDN =
    Header Request DNT = 1
    Header Request SM_SDOMAIN = .xxxxxxx.xx
    Header Request SM_AUTHTYPE = Not Protected
    Header Request SM_TRANSACTIONID = ea2b143c-740c6681-198ee098-311e175a-472c95ce-f08
    Header Request SM_USER =
    Header Request X-Forwarded-for = ***.XX.***.XX
    Header Request Forwarded = by=***.XX.***.XX;for=***.XX.***.XX;proto=https;host=***.xxxxxxx.xx
    Header Response Server = Microsoft-IIS/8.5
    Header Response Set-Cookie = Langue=F; path=/; secure; HttpOnly
    Header Response X-AspNetMvc-Version = 5.2
    Cookies Langue = F
    Cookies ASP.NET_SessionId = kaddnxju2lcsorp0aioqzp3j
    Cookies LogonXP = RCEM005
    Cookies Service = TWATH
    Cookies FWK2015_SessionID = kaddnxju2lcsorp0aioqzp3j
    Cookies HQCodeE = 2
    Cookies SMTRYNO = 1
    Cookies Langue = F
    Cookies Service = TWATH
    Session KX.StockageContexte=KX.Noyau.Navigation.ContexteUtilisateur



  • 5.  Re: CA Single Sign-On manage fail authentication responses

    Posted Jun 11, 2018 02:27 PM

What is the name of the header? Is it HTTP_variablesession? Remove the underscore and test.

     

    You can have the header name like httpvariablesession and try and let me know.



  • 6.  Re: CA Single Sign-On manage fail authentication responses

    Posted Jun 11, 2018 02:59 PM

    Hello GopiReddyIrala,

     

    Yes, in this particular case I named it as "variablesession" (WebAgent-HTTP-Header-Variable , variablesession=test) where "test" is a static value (just for tests purposes).

     

While reading the header variables, I don't call them by their names ... I just loop through the whole collection and then print each one's name and value.