
Issue related to password change


Article ID: 201304


Products

CA Single Sign On Secure Proxy Server (SiteMinder)
CA Single Sign On Agents (SiteMinder)
CA Single Sign On Federation (SiteMinder)
CA Single Sign On SOA Security Manager (SiteMinder)
SITEMINDER

Issue/Introduction


We're running a Web Agent and, intermittently, when some users try to
change their password, the password doesn't get changed.

The Web Agent uses the following PWS.fcc file to change the password:

PWS.fcc

    @User=%User%
    @username=%urldecode(User)%
    @smretries=0

    <HTML>
    <HEAD>
    <TITLE>PS REPLY</TITLE>
    </HEAD>
    <BODY>
    </BODY>
    </HTML>

How can we fix that?


Cause


In mybrowsertraces.har we can see that the new password value is only
partially URL-encoded. For SiteMinder to process the password change,
the value must be fully URL-encoded before it reaches the Web Agent.

In the captured value the + is encoded as %2B, but the two trailing =
characters are sent bare:

   KoR7iwafgJlASVihtHAb%2BwAAAAEAAAABAAAAUgAAAAMAAAADAAAADGQ0Ymkzc2ExdXU4cAAAAAQAAAAMT3Jwb3J0YWwkMDgwAAAABgAAAAIzNA==

It should reach the Web Agent fully URL-encoded, with = encoded as %3D:

   KoR7iwafgJlASVihtHAb%2BwAAAAEAAAABAAAAUgAAAAMAAAADAAAADGQ0Ymkzc2ExdXU4cAAAAAQAAAAMT3Jwb3J0YWwkMDgwAAAABgAAAAIzNA%3D%3D

In an application/x-www-form-urlencoded body, = and + are structural
characters (the name/value separator and the encoding of a space), so a
value that contains them bare is not the value the Web Agent expects.
When a partially URL-encoded password is sent, the Web Agent therefore
cannot change the password. It still grants access to the web site,
though, because the user already holds a valid session obtained by
logging in with the old password:

mybrowsertraces.har:

The application's /initialchange request returns the new password value
(encryptedString) partially encoded: %2B for the +, bare == at the end:

        "request": {
          "method": "POST",
          "url": "https://myhost.mydomain.com/myapp/initialchange",
            "text": "{\"oldPassword\":\"dsssdaxcz\",\"newPassword\":\"mynewpassword\",\"newConfirmPassword\":\"mynewpassword\",\"securityQuestion\":\"What was your first bike or car?\",\"securityAnswer\":\"ford\",\"userName\":\"[email protected]\",\"smStatus\":true}"
        "response": {
          "status": 200,
              "name": "cookie",SMSESSION=LPEPQHiS1CwBGb9iO+gZ7QR3PRlzphrVfX4PYVtntVHW
            "text": "{\"encryptedString\":\"KoR7iwafgJlASVihtHAb%2BwAAAAEAAAABAAAAUgAAAAMAAAADAAAADGQ0Ymkzc2ExdXU4cAAAAAQAAAAMT3Jwb3J0YWwkMDgwAAAABgAAAAIzNA==\",\"status\":\"success\"}"

The request to PWS.fcc then carries this partially URL-encoded password
value, and SiteMinder cannot process the password change:

        "request": {
          "method": "POST",
          "url": "https://myhost.mydomain.com/myapp/PWS.fcc",
              "name": "SMSESSION",
              "value": "LPEPQHiS1CwBGb9iO+gZ7QR3PRlzphrVfX4PYVtntVHW             

But because the request carries a valid SMSESSION cookie, the Web Agent
redirects to the target page (location):

        "response": {
          "status": 302,
              "name": "location",
              "value": "https://myhost.mydomain.com/myapplication/home"

The browser then reaches that page with the SMSESSION cookie it obtained
by logging in with the old password. The user is let in, but the
password has not been changed:

        "request": {
          "method": "GET",
          "url": "https://myhost.mydomain.com/myapplication/home",

              "name": "SMSESSION",
              "value": "LPEPQHiS1CwBGb9iO+gZ7QR3PRlzphrVfX4PYVtntVHW/rwb4iiu73swcx

Environment


  Web Agent 12.52SP1CR09 64-bit on Linux;
  Policy Server 12.8SP3 on Red Hat;


Resolution


Ask your development team to ensure that the new password value is fully
URL-encoded (every reserved character, including = and +, percent-encoded)
before it is POSTed to PWS.fcc; this is a prerequisite for the password
change on the Web Agent side.

To verify, capture a HAR of the password change and check the PASSWORD
value in the POST to PWS.fcc: it must contain no bare + or = characters,
only unreserved characters and %XX escapes.
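The encoding step, as an added example that is not part of this article or of the Web Agent's own code: a Node.js snippet that fully percent-encodes the new password value from the HAR excerpt above, builds the form body for the POST to PWS.fcc, and runs both the partially encoded and the fully encoded body through a strict application/x-www-form-urlencoded parser to show why the bare == breaks the request. The field names USER, PASSWORD and TARGET, the user name jdoe and the target path are assumptions; the password value is the one from the article's trace with %2B decoded back to its raw +.

```javascript
// Added example (not from the CA/Broadcom article or the Web Agent):
// fully percent-encode the new password before POSTing it to PWS.fcc, and
// show what a strict form-body parser sees when the value is only partially
// encoded. Field names and the user name are assumptions for illustration.

// New-password value as the application returns it, in raw form: it holds
// a '+' and a trailing '==' (base64 padding), the two characters at issue.
// Taken from the article's HAR excerpt, with %2B decoded back to '+'.
const NEW_PASSWORD_RAW =
  "KoR7iwafgJlASVihtHAb+wAAAAEAAAABAAAAUgAAAAMAAAADAAAADGQ0Ymkzc2ExdXU4cAAAAAQAAAAMT3Jwb3J0YWwkMDgwAAAABgAAAAIzNA==";

// The value as the faulty client sent it: '+' encoded, '==' left bare.
const NEW_PASSWORD_PARTIAL = NEW_PASSWORD_RAW.replace(/\+/g, "%2B");

// Fully percent-encode one form value. encodeURIComponent escapes every
// character that is structural in a form body ('&', '=', '+', '%').
function encodeFormValue(value) {
  return encodeURIComponent(value);
}

// True only if the value consists solely of unreserved characters and
// well-formed %XX escapes, i.e. it can be placed in a form body verbatim.
// This is the check to run on the PASSWORD value seen in a HAR capture.
function isFullyEncoded(value) {
  return /^(?:[A-Za-z0-9\-_.~]|%[0-9A-Fa-f]{2})*$/.test(value);
}

// Build the body for the PWS.fcc POST. URLSearchParams applies the same
// escaping to every field, so the password ends up with %2B and %3D%3D.
function buildPwsBody(fields) {
  return new URLSearchParams(fields).toString();
}

// Strict application/x-www-form-urlencoded parser: a bare '=' inside a
// value makes the name=value pair malformed. Returns { fields, malformed }
// so the caller can see which pairs were rejected rather than silently
// truncated or misread.
function parseFormBody(body) {
  const fields = {};
  const malformed = [];
  for (const pair of body.split("&")) {
    if (pair === "") continue;
    const parts = pair.split("=");
    if (parts.length !== 2) {
      malformed.push(pair);
      continue;
    }
    // In a form body '+' means space; decode it before the %XX escapes.
    const [name, value] = parts.map((p) =>
      decodeURIComponent(p.replace(/\+/g, " "))
    );
    fields[name] = value;
  }
  return { fields, malformed };
}

// Body assembled the way the broken client did it: partial encoding.
// USER, PASSWORD and TARGET are assumed field names.
function faultyBody() {
  return `USER=jdoe&PASSWORD=${NEW_PASSWORD_PARTIAL}&TARGET=%2Fmyapplication%2Fhome`;
}

// Body built with consistent, full encoding of every field.
function fixedBody() {
  return buildPwsBody({
    USER: "jdoe",
    PASSWORD: NEW_PASSWORD_RAW,
    TARGET: "/myapplication/home",
  });
}

console.log("partial value passes check:", isFullyEncoded(NEW_PASSWORD_PARTIAL));
console.log("faulty body rejected pairs:", parseFormBody(faultyBody()).malformed);
console.log("fixed body:", fixedBody());
```

The point of the strict parser is that a bare = in the value is ambiguous on the wire, not merely ugly: one parser splits the pair at the first =, another rejects it, and neither is guaranteed to recover the value the client meant. A bare + is worse, because it decodes to a space without any error at all. Encoding the whole value once with encodeURIComponent (or letting URLSearchParams serialise the form) avoids both cases.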