search cancel

Why attempting to use WebAgent-OnReject-Redirect responses to deliver login failure messages generally does not work.


Article ID: 53180


Updated On:


CA Single Sign On Secure Proxy Server (SiteMinder) CA Single Sign On SOA Security Manager (SiteMinder) CA Single Sign-On



We configured OnAuthAttempt and OnAuthReject rules and responses. We have WebAgent-OnReject-Redirect responses configured to redirect an error page which is an fcc page located in the forms folder of the SPS. Whenever a user enters a wrong username it is getting redirected to the login.fcc instead of the loginerror.fcc. In the logs it says that the error page is protected.

PS: 6SP5
SPS : 6SP3


Using a WebAgent-OnReject-Redirect response to redirect users to another FCC will generally not work. FCCs require a number of parameters which are dynamically generated and passed on the query string to the FCC. These parameters include values such as SMAGENTNAME and TARGET. Redirection responses from the Policy Server are not easily able to generate these dynamic values. Although it might be possible to hardcode the everything the FCC needs, this is not really a good solution since the values change for each user. The SMAGENTNAME parameter is by default encrypted, which would then require that the value be changed every time a key rollover occurs. The TARGET value would always have to be the same resource.


Component: SMAPC