Password Change Policy When fcccompatmode is set to yes

Article Id: 76081
Status: Published
Updated On: 11-04-2018 02:56
Products:
CA Single Sign On Secure Proxy Server (SiteMinder) , AXIOMATICS POLICY SERVER , CA Single Sign On SOA Security Manager (SiteMinder) , CA Single Sign-On , CA Single Sign-On
Issue/Introduction:

We experienced the following behavior, testing the password policy when fcccompatmode=yes: 

1) We set the user status to change the password at next login; 

2) We login using the standard login.fcc, using the user credentials; 

3) After login the browser is redirected to the smpwservices.fcc; 

4) We post the WRONG password in the old password field; 

Instead of remaining on the smpwservices.fcc page with an error message the browser is redirected to the login.fcc without 
any message; 

In term of user experience, the user does not know if the password was changed or not. 

This only happens when fcccompatmode=yes 

Cause:

Basically, formcred cookie is created after entering the credentials. 

On a POST to an FCC the FCC will generate a number of cookies. This includes the FORMSCRED cookie which is created when FCCCompatMode is set to the value YES. 

This cookies represents the old way of doing forms login and should be considered deprecated. The functionality only exists today to provide backwards compatibility with older SiteMinder installations.

Environment:

PS 12.6.1 - Policy Store & User Store on CA directory - on Red Hat 
CA Gateway 12.6.1 

Resolution:

In order to resolve the use case cred collector should be different WA where FCCCOMPAT MODE=NO