How to Allow the NTC to Encode URLs During Redirects to Protected Resources

CA Single Sign-On can protect resources using Windows credential collectors (NTCs). Users submit their credentials to the NTC, then the NTC logs the user in to the IIS web server. The IIS web server authenticates the user. The NTC redirects the user to the protected (TARGET) resource after authentication.
The NTC normally encodes the characters in the TARGET portion of the URL during the request, but not during the redirect after authentication. You can change your agent configuration so that the TARGET portion of the URL is encoded during the redirect. The following illustration describes this behavior:
[Illustration: NTC redirect with unencoded target URL]
The following illustration shows the process of allowing the NTC to encode URLs during requests for protected resources:
[Illustration: Allow the NTC redirect with target URL]
To allow the NTC to encode URLs during redirects to protected resources, follow these steps:
  1. Choose the procedure that matches your agent configuration method from the following list:
  2. For agents using local configuration, repeat Step 1c for each web server.
    The NTC uses encoded URLs during redirects to protected resources.
Open the Administrative UI to Change Policy Server Objects
Change the objects on your Policy Server by opening the Administrative UI.
Follow these steps:
  1. Open the following URL in a browser.
    https://host_name:8443/iam/siteminder/adminui
    • host_name
      Specifies the fully qualified Administrative UI host system name.
  2. Enter your super user name in the User Name field.
  3. Enter the super user account password in the Password field.
    If your super user account password contains dollar-sign ($) characters, replace each instance of the dollar-sign character with $DOLLAR$. For example, if the super user account password is $password, enter $DOLLAR$password in the Password field.
  4. Verify that the proper server name or IP address appears in the Server drop-down list.
  5. Select Log In.
Modify the DisableI18N parameter in the Agent Configuration Object
The Windows credential collectors can process HTTP-encoded characters in target URLs for centrally configured web agents. Modify specific web agent parameters in an Agent Configuration object to enable this feature.
Follow these steps:
  1. Click Infrastructure, Agent Configuration Objects.
  2. Click the Edit icon for the Agent Configuration Object you want.
  3. Click the Edit icon to the left of the DisableI18N parameter and change the value to yes.
  4. Click OK.
  5. Click the Edit icon to the left of the BadUrlChars parameter.
  6. Remove the value ,%25 from the Value field and click OK.
  7. Click Submit.
  8. (Optional) Enter any remarks about the change in the Comment field then click Yes.
Your changes are applied the next time the Web Agent polls the Policy Server.
Modify the DisableI18N parameter in the LocalConfig.conf File
Windows credential collectors can process HTTP-encoded characters in target URLs. Locally configured web agents use configuration parameters in the LocalConfig.conf file to enable this feature.
Follow these steps:
  1. Locate the LocalConfig.conf file on your web server. Use the examples in the following list to locate the file on your type of web server:
    IIS web server: web_agent_home\bin\IIS
    Oracle iPlanet web server: Oracle_iPlanet_home/https-hostname/config
    Apache web server: Apache_home/conf
  2. Open your LocalConfig.conf file with a text editor.
  3. Locate the DisableI18N parameter and change the value to yes.
  4. Locate the BadUrlChars parameter, and remove the value ,%25 from the list.
  5. Save the changes to your LocalConfig.conf file, and then close the text editor.
  6. Repeat Steps 1 through 5 on each web server that you want to change.
Windows credential collectors are allowed to process HTTP-encoded characters in TARGET URLs.
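The two LocalConfig.conf edits from the steps above, applied to the file contents as an added example (this is not CA code or tooling). It assumes each parameter sits on its own line as Name="value" with # marking a commented-out line; the function name apply_ntc_settings and the sample contents are constructed for illustration.

```python
import re

# Assumed LocalConfig.conf line format: Name="value"; a leading '#' comments a line out.
PARAM = re.compile(r'^\s*(\w+)\s*=\s*"(.*)"\s*$')
TARGETS = ("disablei18n", "badurlchars")

def apply_ntc_settings(conf_text):
    """Return (new_text, changes, missing) for the DisableI18N and BadUrlChars edits."""
    out, changes, seen = [], [], set()
    for line in conf_text.splitlines():
        m = PARAM.match(line)
        key = m.group(1).lower() if m else None
        if key not in TARGETS:
            out.append(line)  # comments and unrelated parameters pass through
            continue
        seen.add(key)
        name, value = m.group(1), m.group(2)
        if key == "disablei18n":
            new = value if value.lower() == "yes" else "yes"
        else:
            # Drop only the exact %25 entry; ranges such as %00-%1f are kept.
            new = ",".join(t for t in value.split(",") if t.strip().lower() != "%25")
        if new != value:
            changes.append(f"{name}: {value!r} -> {new!r}")
        # Untouched lines are written back byte-for-byte.
        out.append(line if new == value else f'{name}="{new}"')
    missing = [t for t in TARGETS if t not in seen]  # absent or commented out
    tail = "\n" if conf_text.endswith("\n") else ""
    return "\n".join(out) + tail, changes, missing

# Constructed sample file contents, not taken from a real deployment.
SAMPLE = r'''# LocalConfig.conf (constructed sample)
#DisableI18N="yes"
DisableI18N="no"
BadUrlChars="//,./,/.,/*,*.,~,\,%00-%1f,%7f-%ff,%25"
'''

if __name__ == "__main__":
    text, changes, missing = apply_ntc_settings(SAMPLE)
    print(text)
    print("changed:", changes)
    print("not set in file:", missing)
```

Parameters reported as missing are absent or commented out in the file and need to be set by hand. Running the function on its own output reports no changes, so the result can also serve as a check that a server already matches the procedure.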