How to Pre-fill username during step up authentication


Article ID: 9885

Products

CA Single Sign On Secure Proxy Server (SiteMinder)
CA Single Sign On SOA Security Manager (SiteMinder)
CA Single Sign-On

Issue/Introduction

This guide shows how to pre-fill the username field of the second login form when a user who authenticated at a lower protection level is challenged again at a higher one (step-up authentication).

 

Conditions:

  • Both the low-level and the high-level authentication scheme use the HTML Forms Authentication scheme.
  • The UseHTTPOnlyCookies ACO parameter is set to YES, so client-side script cannot read the agent's cookies.
  • No server-side technology such as ASP/JSP/ASPX is available; only a login.fcc can be used for the login form.


Environment

Web Agent: 12.0 and above
OS: Any

Resolution

1. Create two copies of the out-of-the-box (OOTB) login.fcc and name them login5.fcc and login10.fcc.

 

2. Create two HTML Forms authentication schemes: one using login5.fcc with Protection Level 5, the other using login10.fcc with Protection Level 10.

<Please see attached file for image>

<Please see attached file for image>

3. Protect two resources, say /html/ with the login5.fcc scheme and /html10/ with the login10.fcc scheme, to simulate the step-up scenario: a user who logged in at level 5 and then requests /html10/ is challenged a second time at level 10.

 

4. The trick is to add the following directive to login5.fcc. It instructs the Web Agent to store the value posted in the USER form field in a cookie:

@save=USER

 

(Note: to save several form fields, list their names separated by colons, for example @save=USER:TARGET. Only save fields whose values may safely live in a cookie; never list the PASSWORD field.)

 

After adding this line, the top of login5.fcc looks like this:

<!-- SiteMinder Encoding=UTF-8; -->
@username=%USER%
@smretries=0
@save=USER

<html>

 

5. Next, modify login10.fcc so that the USER form field is pre-filled from the cookie saved in the previous step. Set the value of the USER input to the $$USER$$ variable:

 

<td ALIGN="LEFT" > 
<b><font size=-1 face="arial,helvetica" > Username: </font></b>
</td>
<td ALIGN="LEFT" >
  <input type="text" name="USER" size="30" style="margin-left: 1px" value="$$USER$$">
</td>
<td WIDTH=20 > </td>

 

The important point is that this works even when HTTPOnly cookies are in use, because FCC processing happens on the server side, in the Web Agent, and not only in the browser. Before the form is sent to the browser, the Web Agent replaces every variable of the form $$VariableName$$ with a value read from one of the following sources:

  • The HTTP headers named in the SMHEADERS directive.
  • The directives.
  • The cookies.
  • The posted form data.

 

Because the substitution happens on the server, before the response reaches the browser, the HTTPOnly flag does not get in the way: the browser never has to read the cookie itself, it only returns it with the request, and the agent reads it from the Cookie header.
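To make the mechanism concrete, here is an added Python model of the behaviour described above. It is not the Web Agent's code and not part of the original article. It assumes that each @save field becomes an HttpOnly cookie of the same name, it picks one lookup order across the four value sources, and it HTML-escapes substituted values; none of these details are stated on the page. The FCC snippets inside it are constructed, trimmed versions of login5.fcc and login10.fcc.

```python
"""Model of the FCC processing behind the pre-fill trick (constructed example)."""
import re
from html import escape

# $$NAME$$ placeholders that the Web Agent substitutes before serving the form.
FCC_VAR = re.compile(r"\$\$(\w+)\$\$")


def parse_fcc(text):
    """Split FCC text into its @name=value directives and the HTML body."""
    directives, body = {}, []
    for line in text.splitlines():
        if line.startswith("@") and "=" in line:
            name, _, value = line[1:].partition("=")
            directives[name.strip().lower()] = value.strip()
        else:
            body.append(line)
    return directives, "\n".join(body)


def apply_save(directives, posted, cookie_jar):
    """Honour @save=FIELD1:FIELD2 after the low-level form is posted.

    Assumed by this model: each saved field becomes an HttpOnly cookie of the
    same name. The article does not state the cookie name the agent uses.
    """
    for field in directives.get("save", "").split(":"):
        field = field.strip()
        if field and field in posted:
            cookie_jar[field] = {"value": posted[field], "httponly": True}


def render_fcc(text, headers, cookies, posted):
    """Replace every $$NAME$$ on the server side.

    Value sources, as listed in the article: headers named in @smheaders, the
    directives, the cookies, the posted form data. The lookup order below is
    this model's assumption, not the agent's documented precedence.
    """
    directives, body = parse_fcc(text)
    exposed = {h.strip() for h in directives.get("smheaders", "").split(":") if h.strip()}

    def lookup(name):
        if name in exposed and name in headers:
            return headers[name]
        if name.lower() in directives:
            return directives[name.lower()]
        if name in cookies:
            # The agent reads the raw Cookie request header; HttpOnly only
            # restricts client-side script, so the flag is irrelevant here.
            return cookies[name]["value"]
        return posted.get(name, "")

    # Escaped before landing in an attribute: a defensive choice of this model.
    return FCC_VAR.sub(lambda m: escape(lookup(m.group(1)), quote=True), body)


def client_visible_cookies(cookies):
    """What document.cookie would expose: HttpOnly cookies are withheld."""
    return {n: c["value"] for n, c in cookies.items() if not c["httponly"]}


# Constructed, trimmed versions of the two FCC files from the procedure.
LOGIN5_FCC = """<!-- SiteMinder Encoding=UTF-8; -->
@username=%USER%
@smretries=0
@save=USER
<html><body><form method="post">
<input type="text" name="USER" value="$$USER$$">
<input type="password" name="PASSWORD">
</form></body></html>"""

LOGIN10_FCC = LOGIN5_FCC.replace("@save=USER\n", "")


def step_up_demo():
    """Walk through the scenario: level-5 login, then the level-10 challenge."""
    jar = {}
    # 1. Browser posts login5.fcc; the agent applies @save before redirecting.
    directives, _ = parse_fcc(LOGIN5_FCC)
    posted = {"USER": "alice", "PASSWORD": "hunter2", "TARGET": "/html/"}
    apply_save(directives, posted, jar)
    # 2. User requests /html10/ (level 10); the agent serves login10.fcc,
    #    substituting $$USER$$ from the cookie it receives with the request.
    html = render_fcc(LOGIN10_FCC, headers={}, cookies=jar, posted={})
    return {"cookies": jar, "html": html, "client_visible": client_visible_cookies(jar)}


if __name__ == "__main__":
    result = step_up_demo()
    print(result["html"])
    print("visible to document.cookie:", result["client_visible"])
```

Running it prints the level-10 form with the USER input already set to alice, while the client-side view of the cookie jar is empty: the value reached the form through the agent, not through script. The escaping in render_fcc is the model's own precaution against a saved value that contains quotes or angle brackets; check how your agent version encodes substituted values before relying on it.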

 

Attachments:

  • Sample login FCC files
  • Sample Fiddler capture

Additional Information

https://communities.ca.com/community/ca-security/blog/2016/11/17/tech-tip-ca-single-sign-on-web-agent-pre-fill-username-during-step-up-authentication

Attachments

1558708715670000009885_sktwi1f5rjvs16r6o.png
1558708713478000009885_sktwi1f5rjvs16r6n.png
1558534183065TEC1030902.zip