Credential Collectors

This content introduces Web Agent credential collectors and describes how to associate them with MIME types.
Web Agents include credential collector modules that gather specific user credentials to authenticate a user. The credentials that the credential collector gathers are based on the type of authentication scheme that is configured for a particular group of protected resources. Credential collectors are used for forms, SSL, and Windows authentication schemes, and for single sign-on across multiple cookie domains.
Credential Collector Types
The following types of credential collectors are available:
Forms Credential Collector (FCC)
Gathers credentials from HTML forms that are presented to the user during an authentication challenge. The forms that the FCC presents are based on templates that have the file extension .fcc. For example, the Web Agent is installed with a form named login.fcc, which you can customize and use for login purposes. This file is written using standard HTML tags and some proprietary notation that CA Single Sign-On requires.
Note: When using FCC-based authentication, if a form is presented with empty credentials, a framework Web Agent does not process the request and redirects it back to the originally requested URL. This action causes the framework Web Agent to send no communication to the policy server. In the case of a Domino Web Agent, the request is processed and sent to the policy server, which then generates an OnAuthAttempt event.
SSL Credential Collector (SCC)
Collects credentials from SSL-based authentication schemes, such as Basic over SSL or X509 Cert and Basic.
Note: The SCC does not handle X509 Cert and Forms or X509 Cert or Forms. The FCC handles X509 Cert and Forms. The SFCC handles X509 Cert or Forms.
Cookie Provider (CCC)
Tracks CA Single Sign-On sessions across multiple cookie domains for single sign-on. Unlike other types of credential collectors, the cookie provider does not collect credentials or perform an authentication challenge of the user. The cookie provider is handling credentials; however, in this case, the session is the credential.
Default: SmMakeCookie.ccc
NTLM Credential Collector (NTC)
Gathers NT credentials for resources that are stored on an IIS web server and accessed by Internet Explorer browsers. This scheme uses a Windows NT login name and password of a user in place of a challenge for credentials.
SSL Forms Credential Collector (SFCC)
Gathers credentials from HTML forms (like the FCC) but for the X509 Cert or Forms authentication schemes.
The forms that the SFCC presents are based on templates that end with the file extension .sfcc. For example, the Web Agent is installed with a form named login.sfcc, which you can customize and use as a login form.
Kerberos Credential Collector (KCC)
Gathers credentials for Kerberos authentication schemes.
Configure MIME Types for Credential Collectors
Each credential collector is associated with a default MIME type. The MIME type determines which collector presents the authentication challenge when a user requests a resource. The following table shows the default MIME types for each collector.
| Credential Collector | Default MIME Type |
|---|---|
| Forms Credential Collector | .fcc |
| SSL Forms Credential Collector | .sfcc |
| SSL Credential Collector | .scc |
| Cookie Provider | .ccc |
| NTLM Credential Collector | .ntc |
| Kerberos Credential Collector | .kcc |
When you configure an authentication scheme that uses a credential collector, the MIME type is used as the file extension for files that the authentication scheme references. When you set up single sign-on across multiple cookie domains, the MIME type is used as the file extension to identify the cookie provider. For example:
  • For Windows authentication, the default target file to enable this scheme is:
    /siteminderagent/ntlm/creds.ntc
  • When configuring single sign-on across multiple cookie domains, enter a URL like the following to identify the cookie provider:
    http://myserver.company.com:80/siteminderagent/SmMakeCookie.ccc
    SmMakeCookie.ccc is the default cookie provider name.
The agent configuration wizard automatically configures the default MIME types for each credential collector for use on the following types of web servers:
  • Apache and Apache-based web servers
  • Oracle iPlanet web servers
On IIS and Domino web servers, manually configure the default MIME type for each collector type by specifying the agent configuration parameters in the following table.
| Credential Collector | Agent Configuration Parameter | Default Value |
|---|---|---|
| Forms Credential Collector | FCCExt | .fcc |
| SSL Forms Credential Collector | SFCCExt | .sfcc |
| SSL Credential Collector | SCC | .scc |
| Cookie Provider | CCCExt | .ccc |
| NTLM Credential Collector | NTCExt | .ntc |
| Kerberos Credential Collector | KCCExt | .kcc |
Note: If you cannot use the default MIME type values on any web server type (for example, because the default file extensions are already in use for other purposes on your site), configure alternative extensions and the Web Agent honors them. For example, if you set FCCExt to .myext for the FCC and rename the FCC template to use this extension (for example, login.myext), the Web Agent recognizes URLs ending in .myext as forms authentication requests.
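The following Python sketch is an added example, not CA code: it merges extension overrides onto the defaults from the table above, checks them for conflicts, and reports which collector a request URL would map to, which is useful when reviewing access logs or an agent configuration change. It assumes that an override replaces the default extension, that matching is exact and case-sensitive, and that two collectors sharing one extension is an error; the function names are hypothetical.

```python
from urllib.parse import urlsplit
import posixpath

# Parameter names and default values copied from the table above.
DEFAULTS = {
    "FCCExt": (".fcc", "Forms Credential Collector"),
    "SFCCExt": (".sfcc", "SSL Forms Credential Collector"),
    "SCC": (".scc", "SSL Credential Collector"),
    "CCCExt": (".ccc", "Cookie Provider"),
    "NTCExt": (".ntc", "NTLM Credential Collector"),
    "KCCExt": (".kcc", "Kerberos Credential Collector"),
}

def effective_extensions(overrides):
    """Merge overrides onto the defaults; return {extension: collector}."""
    unknown = set(overrides) - set(DEFAULTS)
    if unknown:
        raise ValueError(f"unknown parameter(s): {sorted(unknown)}")
    ext_map = {}
    for param, (default_ext, collector) in DEFAULTS.items():
        ext = overrides.get(param, default_ext)
        if not ext.startswith(".") or len(ext) < 2:
            raise ValueError(f"{param}: {ext!r} is not a file extension")
        if ext in ext_map:  # assumption: a shared extension is ambiguous
            raise ValueError(f"{param}: {ext!r} already used by {ext_map[ext]}")
        ext_map[ext] = collector
    return ext_map

def classify(url, ext_map):
    """Return the collector whose extension the URL path ends in, else None."""
    # The query string is ignored; exact, case-sensitive match (assumption).
    ext = posixpath.splitext(urlsplit(url).path)[1]
    return ext_map.get(ext)

def site_collisions(ext_map, site_extensions):
    """Extensions the site already serves that a collector would claim."""
    return sorted(set(ext_map) & set(site_extensions))

if __name__ == "__main__":
    ext_map = effective_extensions({"FCCExt": ".myext"})
    # Constructed sample requests; two of the paths come from the text above.
    for url in ("/forms/login.myext?x=1",
                "/siteminderagent/ntlm/creds.ntc",
                "http://myserver.company.com:80/siteminderagent/SmMakeCookie.ccc",
                "/forms/login.fcc"):
        print(url, "->", classify(url, ext_map))
```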