How to Allow the NTC to Encode URLs During Redirects to Protected Resources
CA Single Sign-On can protect resources using Windows credential collectors (NTCs). Users submit their credentials to the NTC, then the NTC logs the user in to the IIS web server. The IIS web server authenticates the user. The NTC redirects the user to the protected (TARGET) resource after authentication.
The NTC normally encodes the characters in the TARGET portion of the URL during the request, but not during the redirect after authentication. You can change your agent configuration so that the TARGET portion of the URL is encoded during the redirect. The following illustration describes this behavior:
The following illustration shows the process of allowing the NTC to encode URLs during requests for protected resources:
To allow the NTC to encode URLs during redirects to protected resources, follow these steps:
- Choose the procedure that matches your agent configuration method from the following list:
- For agents using an Agent Configuration object (ACO) on a Policy Server, follow these steps:
- For agents using a local configuration file on a web server, follow these steps:
- For agents using local configuration, repeat Step 1c for each web server.
The NTC uses encoded URLs during redirects to protected resources.
Open the Administrative UI to Change Policy Server Objects
Change the objects on your Policy Server by opening the Administrative UI.
Follow these steps:
- Open the following URL in a browser: https://host_name:8443/iam/siteminder/adminui
  - host_name: Specifies the fully qualified Administrative UI host system name.
- Enter your super user name in the User Name field.
- Enter the super user account password in the Password field. If your super user account password contains dollar-sign ($) characters, replace each instance of the dollar-sign character with $DOLLAR$. For example, if the super user account password is $password, enter $DOLLAR$password in the Password field.
- Verify that the proper server name or IP address appears in the Server drop-down list.
- Select Log In.
Modify the DisableI18N parameter in the Agent Configuration Object
The Windows credential collectors can process HTTP-encoded characters in target URLs for centrally configured web agents. Modify specific web agent parameters in an Agent Configuration object to enable this feature.
Follow these steps:
- Click Infrastructure, Agent Configuration Objects.
- Click the Edit icon for the Agent Configuration Object you want.
- Click the Edit icon to the left of the DisableI18N parameter and change the value to yes.
- Click OK.
- Click the Edit icon to the left of the BadUrlChars parameter.
- Remove the value %25 from the Value field and click OK.
- Click Submit.
- (Optional) Enter any remarks about the change in the Comment field, then click Yes.
Your changes are applied the next time the Web Agent polls the Policy Server.
Modify the DisableI18N parameter in the LocalConfig.conf File
Windows credential collectors can process HTTP-encoded characters in target URLs. Locally configured web agents use configuration parameters in the LocalConfig.conf file to enable this feature.
Follow these steps:
- Locate the LocalConfig.conf file on your web server. Use the examples in the following list to locate the file on your type of web server:
  - IIS web server: web_agent_home\bin\IIS
  - Oracle iPlanet web server: Oracle_iPlanet_home/https-hostname/config
  - Apache web server: Apache_home/conf
- Open your LocalConfig.conf file with a text editor.
- Locate the DisableI18N parameter and change the value to yes.
- Locate the BadUrlChars parameter, and remove the value %25 from the list.
- Save the changes to your LocalConfig.conf file, and then close the text editor.
- Repeat Steps 1 through 5 on all web servers that you want to change.
Windows credential collectors are allowed to process HTTP encoded characters in TARGET URLs.
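The two LocalConfig.conf edits from the steps above can be scripted so that the same change is applied consistently on every web server. The following Python sketch is an added example, not CA code; it assumes parameters are written as name="value" with # marking comment lines, and the function name and sample file content are constructed for illustration.

```python
import re

# Assumption: parameters are written as name="value"; lines starting with '#' are comments.
PARAM = re.compile(r'^(\s*)(\w+)\s*=\s*"(.*)"\s*$')

# Constructed sample content, not taken from a real agent.
SAMPLE = r'''# Constructed sample
DisableI18N="no"
BadUrlChars="//,./,/.,/*,*.,~,\,%00-%1f,%7f-%ff,%25"
#BadUrlChars="%25"
'''

def apply_ntc_encoding_settings(conf_text):
    """Return (new_text, changes, missing) for the two edits in the procedure."""
    out, changes = [], []
    missing = ["DisableI18N", "BadUrlChars"]
    for line in conf_text.splitlines():
        m = PARAM.match(line)
        if not m:  # comments, blank lines, anything unrecognised: keep verbatim
            out.append(line)
            continue
        indent, name, value = m.groups()
        if name in missing:
            missing.remove(name)
        if name == "DisableI18N" and value.lower() != "yes":
            changes.append(f'DisableI18N: "{value}" -> "yes"')
            value = "yes"
        elif name == "BadUrlChars":
            # Drop only the exact token %25; ranges such as %00-%1f stay intact.
            tokens = value.split(",")
            kept = [t for t in tokens if t.strip() != "%25"]
            if len(kept) != len(tokens):
                changes.append("BadUrlChars: removed %25")
                value = ",".join(kept)
        out.append(f'{indent}{name}="{value}"')
    return "\n".join(out) + "\n", changes, missing

if __name__ == "__main__":
    new_text, changes, missing = apply_ntc_encoding_settings(SAMPLE)
    print(new_text, changes, missing, sep="\n")
```

A non-empty `missing` list means the parameter is absent or only present as a comment, so that file needs a manual look. Running the function a second time on its own output reports no changes.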