Configure Forms Credential Collectors for Forms Authentication

sm1252sp1
Perform the following procedures to configure the Forms Credential Collector components of any agent that secures resources that are protected by an HTML Forms authentication scheme.
  1. Configure a MIME type mapping for the FCC if you are using an IIS web server or a Domino web server.
    The agent configuration wizard automatically sets up the proper MIME types that CA Single Sign-On credential collectors use for the following types of web servers:
    • Apache and Apache-based web servers.
    • Oracle iPlanet web servers.
  2. Map your agent identities and web servers for use by FCCs.
  3. Configure the following additional settings, as required:
    • Enable FCCs and SCCs to use Agent Names as fully qualified host names.
    • Configure the FCC to use a single resource target.
    • Use a relative target for credential collector redirects.
    • Define valid target domains.
    • Define valid federation target domains.
Configure a MIME Type Mapping for the Credential Collectors on IIS and Domino Web Servers
On IIS and Domino web servers, specify the FCCExt and SFCCExt agent configuration parameters to configure MIME type mappings for the FCC and SFCC in your Web Agent configuration. The MIME type mapping is represented as a file extension. We recommend using the default values.
  • FCCExt
    Specifies a MIME type mapping for the Forms Credential Collector (FCC).
    Default: .fcc
    Limits: A valid file extension.
    Example: .myfcc
  • SFCCExt
    Specifies a MIME type mapping for the SSL Forms Credential Collector (SFCC).
    Default: .sfcc
    Limits: A valid file extension.
    Example: .mysfcc
If you do not want to use the default extension or the default is already in use, enter the extensions that you want instead. For example, if you set FCCExt to .myfcc for the FCC, and rename the FCC template to use this extension (such as login.myfcc), the agent recognizes URLs ending in .myfcc as HTML Forms authentication requests.
Enable FCCs and SCCs to Use Agent Names as Fully Qualified Host Names
To enable the forms and SSL credential collectors to use the fully qualified host name of the target URL as an Agent name, define the AgentNamesAreFQHostNames configuration parameter.
For example, if the AgentNamesAreFQHostNames parameter is set to Yes, the www.nete.com portion of the following URL string serves as the Web Agent name:
url?A=1&Target=http://www.nete.com/index.html
The credential collector uses this parameter in the following situations:
  • If no Agent name is appended to the URL from the target agent. (Sometimes the case with third-party agents.)
  • You have not configured agent-to-host name mappings in the AgentName parameter.
If the AgentNamesAreFQHostNames parameter is set to No, the credential collector uses the value of the DefaultAgentName parameter as the name of the target Web Agent.
Configure the FCC to Use a Single Resource Target
To configure the FCC to direct users to a single resource, hard-code the target in the login.fcc template file.
Follow these steps:
  1. Open the login.fcc file, which is located in agent_home/Samples.
  2. Add @target=target_resource to the FCC.
  3. Add the following entry:
     @smagentname=agent_name_protecting_resource
     For example: @smagentname=mywebagent
  4. Set the EncryptAgentName parameter to no. This parameter is required because no method exists to encrypt the agent name after you hard code it in the file.
  5. Set the EncryptAgentName parameter to no for any other agent that uses this FCC.
Use a Relative Target for Credential Collector Redirects
Optionally, instruct an agent to use a relative URI instead of a fully qualified URL when directing requests to a credential collector and target resource. Using a relative URI prevents credential collectors on other systems with Web Agents from processing requests.
This setting applies to all credential collectors except the cookie credential collector (CCC). The CCC must use a fully qualified domain name for this parameter. Configured responses will not work properly with a CCC if a relative URI is used.
Typically, a fully qualified URL is appended to the credential collector URL. For example:
url?A=1&Target=http://www.nete.com/index.html.
To use only a relative URI, set the TargetAsRelativeURI parameter to yes. If set to yes, the target parameter that is appended to the credential collector URL is a relative target, such as url?A=1&Target=/index.html. In turn, when the credential collector redirects back to the Web Agent protecting the target resource, it is a relative redirect. Also, the Web Agent rejects any target that does not begin with a forward slash (/).
The default value for this parameter is no, so a fully qualified URL is always used.
Define Valid Target Domains
To configure CA Single Sign-On Agents to help protect your resources from phishing attempts that could redirect users to a hostile website, set the following configuration parameter:
ValidTargetDomain
Specifies the domains to which a credential collector is allowed to redirect users. If the domain in the URL does not match the domains set in this parameter, the redirect is denied.
Default: No.
All advanced authentication schemes, including forms credential collectors (FCCs), support this parameter.
The ValidTargetDomain parameter identifies the valid domains for the target during processing. Before the user is redirected, the agent compares the values in the redirect URL against the domains in this parameter. Without this parameter, the agent redirects the user to targets in any domain.
The ValidTargetDomain parameter can include multiple values, one for each valid domain.
For local Web Agent configurations, specify an entry, one entry per line, for each domain, for example:
validtargetdomain=".xyzcompany.com"
validtargetdomain=".abccompany.com"
Define Valid Federation Target Domains
Users can be redirected to a malicious web site when they are using the Identity Provider Discovery (IPD) profile for SAML 2.0 transactions or the wreply URL for WS-Federation transactions. To prevent such a redirection, configure the ValidFedTargetDomain parameter in the Web Agent configuration.
The functionality of the ValidFedTargetDomain parameter differs for SAML 2.0 and WS-Federation.
ValidFedTargetDomain for SAML 2.0
The ValidFedTargetDomain parameter lists all valid domains for your federated environment when implementing Identity Provider Discovery.
When the IPD Service receives a request, it examines the IPDTarget query parameter in the request. The IPDTarget defines the URL to which the Discovery Service must redirect the browser after it processes the request. For an IdP, the IPDTarget is the SAML 2.0 Single Sign-on service. For an SP, the target is the requesting application that wants to use the common domain cookie.
Federation Web Services compares the domain of the IPDTarget URL to the list of domains specified for the ValidFedTargetDomain parameter. If the URL domain matches one of the configured domains in the ValidFedTargetDomain list, the IPD Service redirects the user to the IPDTarget URL at the SP.
If there is no domain match, the IPD Service rejects the user request with a 403 Forbidden error message. The errors are reported in the FWS trace log and the affwebservices log.
If you do not configure the parameter, no validation is done and the user is redirected to the target URL. If you are modifying a local configuration file, list the domains separately. For example:
validfedtargetdomain=".examplesite.com"
validfedtargetdomain=".abccompany.com"
ValidFedTargetDomain for WS-Federation
The ValidFedTargetDomain parameter lists all valid domains for your federated environment; the wreply URL is verified against this list to ensure that the redirection is secure.
Federation Web Services compares the domain of the wreply URL to the list of domains specified for the ValidFedTargetDomain parameter. If the URL domain matches one of the configured domains in the list, the Federation Web Services redirects the user to the wreply URL at the RP.
If there is no domain match, the Federation Web Services rejects the user request with a 400 bad request error message. The errors are reported in the FWS trace log and the affwebservices log.
If you do not configure the parameter, no validation is done and the user is redirected to the target URL. If you are modifying a local configuration file, list the domains separately. For example:
validfedtargetdomain=".examplesite.com"
validfedtargetdomain=".abccompany.com"
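The following Python example is added here to illustrate the redirect-target checks described on this page (TargetAsRelativeURI, ValidTargetDomain, and ValidFedTargetDomain for both the SAML 2.0 IPDTarget and the WS-Federation wreply URL); it is not code from the page or from CA Single Sign-On. The sample domain lists, the function names, the treatment of the bare apex domain as a match, the rejection of scheme-relative targets in relative mode, and the requirement of an absolute http(s) URL in the non-relative case are all assumptions of this example. It compares the parsed host name only, so look-alike hosts, user-info tricks, and query-string decoys are not mistaken for a valid domain.

```python
from urllib.parse import urlsplit

# Constructed sample configuration (not from a real deployment); mirrors the
# local-configuration lines validtargetdomain=".xyzcompany.com" and
# validfedtargetdomain=".examplesite.com" shown on this page.
VALID_TARGET_DOMAINS = (".xyzcompany.com", ".abccompany.com")
VALID_FED_TARGET_DOMAINS = (".examplesite.com", ".abccompany.com")


def host_in_domains(host, domains):
    """True if `host` falls under one of the configured domain suffixes.

    Each entry is a leading-dot suffix such as ".xyzcompany.com". The match is
    made on the parsed host name only, so www.xyzcompany.com matches while
    www.xyzcompany.com.evil.example and evil.example/?x=.xyzcompany.com do not.
    Treating the bare apex (xyzcompany.com) as a match is this example's own
    assumption, not documented product behaviour.
    """
    host = host.lower().rstrip(".")
    for domain in domains:
        domain = domain.lower()
        if host.endswith(domain) or host == domain.lstrip("."):
            return True
    return False


def validate_target(target, valid_domains=(), target_as_relative_uri=False):
    """Decide whether a credential collector may redirect to `target`.

    Returns (allowed, reason). Models the two checks described on this page:
      * TargetAsRelativeURI=yes: the target must begin with "/" (the page's
        rule); also rejecting "//host" and "/\\host" scheme-relative forms is
        this example's stricter choice.
      * ValidTargetDomain: the target host must fall under a listed domain;
        with no domains configured the agent redirects to any domain.
    Requiring an absolute http(s) URL in the non-relative case is an
    assumption of this example.
    """
    if target_as_relative_uri:
        if not target.startswith("/"):
            return False, "target must be a relative URI beginning with /"
        if target.startswith("//") or target.startswith("/\\"):
            return False, "scheme-relative target rejected (example's extra check)"
        return True, "relative target accepted"

    parts = urlsplit(target)
    if parts.scheme.lower() not in ("http", "https") or not parts.hostname:
        return False, "absolute http(s) URL with a host required"
    if not valid_domains:
        return True, "no ValidTargetDomain configured; any domain allowed"
    if host_in_domains(parts.hostname, valid_domains):
        return True, "host matches ValidTargetDomain"
    return False, "host not in ValidTargetDomain; redirect denied"


def fed_redirect_status(target_url, valid_fed_domains, profile):
    """HTTP status the ValidFedTargetDomain check yields for a target URL.

    `profile` is "saml2" (IPDTarget) or "wsfed" (wreply). A domain match, or an
    unconfigured list (no validation), yields 302 so the redirect proceeds; a
    mismatch yields 403 Forbidden for SAML 2.0 and 400 Bad Request for
    WS-Federation, as the page states.
    """
    if not valid_fed_domains:
        return 302
    host = urlsplit(target_url).hostname
    if host and host_in_domains(host, valid_fed_domains):
        return 302
    return 403 if profile == "saml2" else 400


if __name__ == "__main__":
    # Constructed sample targets: one legitimate, two look-alikes.
    for t in ("http://www.xyzcompany.com/index.html",
              "http://www.xyzcompany.com.evil.example/",
              "http://www.xyzcompany.com@evil.example/"):
        print(t, validate_target(t, VALID_TARGET_DOMAINS))
    print("/index.html", validate_target("/index.html", target_as_relative_uri=True))
    print("wreply mismatch ->", fed_redirect_status("https://evil.example/",
                                                    VALID_FED_TARGET_DOMAINS, "wsfed"))
```

The decision is made on the host name that the URL parser extracts, never on a substring search of the whole URL; that is what keeps a listed domain appearing in the user-info part, in a longer host name, or in the query string from being accepted.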