Continuation of 20100136- Target's cookieDomain and agent configured cookieDomai


Article ID: 143419


Products

CA Single Sign On Secure Proxy Server (SiteMinder)
AXIOMATICS POLICY SERVER
CA Single Sign On Agents (SiteMinder)
CA Single Sign On Federation (SiteMinder)
CA Single Sign On SOA Security Manager (SiteMinder)
SITEMINDER

Issue/Introduction

 

We're running a Web Agent as a login server and we'd like to know:

1. Only setting FccCompatMode=NO in the ACO of the agent which is used for
   login (authentication server basically) will redirect to
   TARGET. There is no other parameter dependency?

2. It is mentioned that 4.x agent is not compatible. Does this mean
   against login server/authentication server we cant [sic] create 4.x
   agent?

 

Environment

 

Web Agent 12.52SP1CR09 on Apache 2.4 on RedHat 6;

 

Resolution

 

At first glance:

1. When FccCompatMode is set to no, you have to take care of the
   AgentName, DefaultAgentName and AgentNamesAreFQHostNames ACO
   parameters. FccCompatMode itself doesn't depend on any other ACO
   parameter.
   
   ref.: 

   Using Credential Collectors Between 4.x Type and Newer Type Agents
   https://techdocs.broadcom.com/content/broadcom/techdocs/us/en/ca-enterprise-software/layer7-identity-and-access-management/single-sign-on/12-8-03/configuring/web-agent-configuration/forms-authentication/using-credential-collectors-between-4-x-type-and-newer-type-agents.html

2. That doesn't mean that you can use 4.x Agent with the login
   server. It only means that when logging in with an .fcc or .ntc
   authentication scheme there will be some limitations, as described
   in the documentation:

   Using Credential Collectors Between 4.x Type and Newer Type Agents

     To process requests, the FCC and NTC rely on the user credentials
     and the name of the Web Agent that is protecting the requested
     resource. However, 4.x agents and third-party agents posting to the
     FCC and NTC do not pass the Agent name on the URL they send.
     
     [...]

     When the FCCCompatMode parameter is set to No, compatibility with
     4.x Agents is disabled. In a homogeneous product environment, set
     the value of the parameter to no.

     Specify Agent name mappings FCC only: If you disable backward
     compatibility, map the AgentName parameter to the name and IP
     address of each host using that FCC for its protected
     resources. Set up these mappings in the configuration settings of
     the FCC.

     [...]

     Use Host Names as Agent Names FCC only: If the first two options
     in the algorithm are not optimal, you can set the value of the
     AgentNamesAreFQHostNames parameter to yes. This setting instructs
     the FCC to use the fully qualified host name in the target URL as
     the Agent name.

     [...]

   https://techdocs.broadcom.com/content/broadcom/techdocs/us/en/ca-enterprise-software/layer7-identity-and-access-management/single-sign-on/12-8-03/configuring/web-agent-configuration/forms-authentication/using-credential-collectors-between-4-x-type-and-newer-type-agents.html
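
A pre-change check for the settings discussed above, as an added example (not Broadcom's code and not part of the original article): before setting FccCompatMode to no, list which hosts using the FCC have any configured way for it to obtain an Agent name. The `Name="value"` file layout, the host names and the IP addresses are assumptions made for illustration, and the script does not model the order in which the FCC tries each option.

```python
import re

# Constructed sample in an assumed Name="value" layout; the agent names,
# hosts and IP addresses are made up for illustration.
SAMPLE_FCC_CONFIG = '''
FccCompatMode="NO"
AgentName="portal-agent,192.0.2.10"
AgentName="hr-agent,192.0.2.11"
AgentNamesAreFQHostNames="NO"
# DefaultAgentName="login-agent"
'''

# Constructed inventory: hosts that send logins to this FCC, with their IPs.
SAMPLE_HOSTS = {
    "portal.example.com": "192.0.2.10",
    "hr.example.com": "192.0.2.11",
    "wiki.example.com": "192.0.2.12",
}

def parse_settings(text):
    """Return {lowercased name: [values]}; AgentName may appear several times."""
    settings = {}
    for line in text.splitlines():
        m = re.match(r'\s*([A-Za-z]\w*)\s*=\s*"?([^"]*)"?\s*$', line)
        if m:  # lines starting with '#' are comments and do not match
            settings.setdefault(m.group(1).lower(), []).append(m.group(2).strip())
    return settings

def has_value(settings, name, wanted):
    return any(v.lower() == wanted for v in settings.get(name.lower(), []))

def audit_fcc(text, hosts):
    """Per host, list the configured ways the FCC could obtain an Agent name."""
    s = parse_settings(text)
    compat_off = has_value(s, "FccCompatMode", "no")
    # AgentName values are "name,ip" pairs; collect the mapped IP addresses.
    mapped_ips = {v.partition(",")[2].strip() for v in s.get("agentname", [])} - {""}
    report = {}
    for host, ip in hosts.items():
        ways = []
        if ip in mapped_ips:
            ways.append("AgentName mapping")
        if has_value(s, "AgentNamesAreFQHostNames", "yes"):
            ways.append("AgentNamesAreFQHostNames")
        if s.get("defaultagentname"):
            ways.append("DefaultAgentName")
        report[host] = ways
    # With 4.x compatibility disabled, a host with no option needs attention.
    unresolved = sorted(h for h, w in report.items() if compat_off and not w)
    return compat_off, report, unresolved
```

Any host returned in `unresolved` needs an AgentName mapping, or one of the other two parameters set, before the change goes live.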