Cert and Basic authentication does not challenge for certificate after user self password change.

book

Article ID: 51221

calendar_today

Updated On:

Products

CA Single Sign On Secure Proxy Server (SiteMinder) AXIOMATICS POLICY SERVER CA Single Sign On SOA Security Manager (SiteMinder) CA Single Sign-On

Issue/Introduction

Description:

When Cert and Basic authentication scheme is used in Siteminder policy server and Password Services self password change (user initiated password change) is used then -
After the password is changed, the user is presented with a screen that confirms the password has changed and then is allowed to go to the target resource without being re-challenged for a user certificate.

Here is the USE CASE to describe the problem:
=======================

  • Sample resource say cert.html is protected by CertAndBasic authentication scheme?
  • When the end user accesses this resource directly from browser, everything works fine. They see the prompt for the cert, then the prompt for the basic dialog box and then Final protected page is displayed.
  • But when the end user has a brand new browser without a SMSESSION cookie. He first accessed an *unprotected* resource that has a link to change their password. This link includes as its TARGET the resource protected by CertAndBasic Authentication scheme (cert.html).


https://etr6511l5sun28.ca.com/siteminderagent/forms/smpwservices.fcc? SMAUTHREASON=34&TARGET=https://etr6511l5sun28.ca.com/509cert/cert.html

At the change password screen the user types their username, old password, new password, and then gets redirected to the TARGET. Instead of being prompted for their cert, they immediately get the resource.

NOTE: The expected result is that you would be redirected for the cert challenge and go through cert authentication. Essentially cert's strong authentication is bypassed in this use case.

This issue occurred because there was no support (in code) exists for user initiated password changes for authentication schemes that include certificate authentication

Solution:

This issue has been fixed in Siteminder Policy server and webagent 6.0-SP6 (for 6.x releases) and R12 SP2 CR1 (for R12 releases). The siteminder Policy server and webagent code has been modified to handle user initiated password changes for authentication schemes that include certificate authentication.

Now the user initiated password change will happen over "https:" instead of "http://"

The new URL's would be:
(FOR FCC Based Password services)
https://<fully qualified domain name>/siteminderagent/forms/smpwservices.fcc? SMAUTHREASON=34&TARGET=

(FOR CGI Based password services)
https://<fully qualified domainame>/siteminderagent/pwcgi/smpwservicescgi.exe?SMAUTHREASON=34 &TARGET=

If the user client certificate is present and target resource is protected through SSL based auth scheme, SSL certificates would also be processed during authentication.

If the user client certificate is present and target resource is not protected through SSL based auth scheme, SSL certificates would not be processed during authentication.

If the user client certificate is NOT present and target resource is protected through SSL based auth scheme, authentication would fail since SSL certificates are not present.

Environment

Release:
Component: SMIIS