Tuesday, June 12, 2007

SiteMinder - Forms Credential Collector (FCC)


The SiteMinder credential collector is an application within the Web agent that gathers specific user credentials to authenticate a user. The credentials it gathers depend on the type of authentication scheme configured for a particular group of protected resources. For forms-based authentication, credentials are collected by the Forms Credential Collector (FCC) process. The default extension for FCC files is (naturally enough) 'FCC'. FCC files are written in a simple mark-up language that includes HTML and some custom notation. An FCC file contains the custom form definition and additional information that the FCC uses to process HTML forms-based authentication. The FCC extracts the credentials that a user enters in the custom form generated from the FCC file. For example, the Web agent is installed with a form called login.fcc, which we can customize and use for login purposes.

SiteMinder displays the contents of the .unauth file to users who exceed the maximum number of failed authentication attempts specified by the authentication scheme. One .unauth file should exist for each FCC file. For example, if you have a login.fcc file on a Web server, you should also have a login.unauth file in the same location. If a smerrorpage variable has been defined in the FCC file, the .unauth file is not required.

FCC attribute name/value pairs:

smenc - contains information that tells the browser what language encoding to use.
smlocale - is the language used in the HTML forms that collect user information or display status messages.
username - is the name to use as the login user name.
password - is the password to use to perform the login.
target - is the resource to access after login.
smauthreason - is the reason code associated with a login failure.
smusrmsg - contains the text that describes why the user was challenged or failed to log in.
smagentname - is the agent name used for logging the user in.
postpreservationdata - is the data that a user submits through a post request.
smerrorpage - is the page to which the user's browser will be redirected if there is an error on a post to the custom form.
smretries - defines the maximum number of allowed failures when attempting to log in.
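
The .unauth/smerrorpage rule and the smretries setting described above can be checked mechanically across a directory of forms. The following is an added example, not code from the original post or from CA; it assumes FCC directives are written as `@name=value` lines ahead of the HTML, and the sample files it builds are constructed.

```python
import re
import tempfile
from pathlib import Path

# Assumption: directives appear as "@name=value" lines before the HTML form.
DIRECTIVE = re.compile(r"^\s*@(\w+)\s*=\s*(.*?)\s*$")

def parse_directives(text):
    """Return {lowercased directive name: value} for every @name=value line."""
    found = {}
    for line in text.splitlines():
        m = DIRECTIVE.match(line)
        if m:
            found[m.group(1).lower()] = m.group(2)
    return found

def audit_fcc_dir(directory):
    """Map each .fcc file name to a list of failure-handling issues."""
    findings = {}
    for fcc in sorted(Path(directory).glob("*.fcc")):
        d = parse_directives(fcc.read_text(encoding="utf-8", errors="replace"))
        issues = []
        # The page's rule: a matching .unauth file, unless smerrorpage is defined.
        has_unauth = fcc.with_suffix(".unauth").is_file()
        if not d.get("smerrorpage") and not has_unauth:
            issues.append("no smerrorpage and no matching .unauth file")
        retries = d.get("smretries")
        if retries is None:
            issues.append("smretries not set")
        elif not retries.isdigit():
            issues.append(f"smretries is not a number: {retries!r}")
        findings[fcc.name] = issues
    return findings

def build_sample_dir():
    """Constructed sample files, not taken from a real deployment."""
    root = Path(tempfile.mkdtemp())
    (root / "login.fcc").write_text("@username=%USER%\n@smretries=3\n<html>...</html>\n")
    (root / "login.unauth").write_text("<html>Too many failed attempts.</html>\n")
    (root / "partner.fcc").write_text("@smerrorpage=/errors/login.html\n<html>...</html>\n")
    (root / "admin.fcc").write_text("@smretries=five\n<html>...</html>\n")
    return root

if __name__ == "__main__":
    for name, issues in audit_fcc_dir(build_sample_dir()).items():
        print(name, "OK" if not issues else "; ".join(issues))
```

Point `audit_fcc_dir` at the directory that holds the agent's forms to list every FCC file that lacks both an error page and a .unauth file.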

18 comments:

Anonymous said...

Hi Ashok,
Can you please tell me why sometimes SMAUTHREASON and sometimes SM_AUTHREASON is passed in the header information?
In our dev we are getting SM_AUTHREASON and in stg we are getting SMAUTHREASON.

Ashok said...

Hi,

This depends on the "LegacyVariables" in your Policy server's "Agent Configuration Object" and Web Servers.


The LegacyVariables parameter is not supported for Web Agents on IIS 6.0 web servers. For Web Agent IIS 6.0, SMAUTHREASON is the correct header.

If the "LegacyVariables" is set to YES, then the header should be SM_AUTHREASON.

If the "LegacyVariables" is set to NO, then the header should be SMAUTHREASON.


regards,
Ashok.

Anonymous said...

Thanks Ashok. Appreciated.
Could you please throw some light on how to use cert-based authentication in SiteMinder?

Anonymous said...

Ashok,

A very descriptive step-by-step explanation for setting up impersonation.

I have a question though...

The access roles are created using Identity Minder. If the customer has Sun IDM, will the roles be available for viewing ?

What is the impact of this change on this implementation plan ?

/Regards
Kanwaljit

Anonymous said...

If I want the user to log in a maximum of 5 times, after which the user will be locked, how can I configure that? Will smretries=5 lock the user?

Anonymous said...

Hi,

I am trying to use a web service of my application which is SiteMinder protected. How do I pass/set the user name and password in an XMLHTTP GET method?

Your help is appreciated

Malar

Anonymous said...

Hi Ashok,
Can you please let me know what is new in SiteMinder 6.0 r1 compared to SiteMinder ver 5.5?

Thanks
Amit Kumar sinha
Wipro

Ashok said...

Hi Amit,
As of today, "Siteminder r12 SP1 CR2" is the latest version of Siteminder from CA. Information about the fixes and additional functionality from the previous versions is available in the "release notes" or "Readme" file of the next version.

Please visit https://support.ca.com for more information.
Thanks.

Sreekanth said...

Hi Amit,
As of today, "Siteminder r12 SP1 CR5 Build -630" is the latest version of Siteminder from CA. Also, the upcoming SP2 is on the way with a bunch of updated features and TRTs.

I am SPQA from CA Inc.
Thanks.

Unknown said...

Hi Ashok,

Can I know the Identity Manager r12 work flow management and provisioning knowledge base.


Thanks in Advance

Iyappan.K

zia said...

Hi,

My aim is to use smusrmsg as errors to display during login process. Can someone please help how to go about using smusrmsg. I am not able to get the smusrmsg variable either in session or request parameter.

Please help

Debz said...

Hi.
I am trying to capture SMUSRMSG and display on screen using my custom_login.fcc page.
I find the value in below encrypted form-
6qr1kT3bT8LWHrajlJvUuwAAAAEAAAPrAAAAIAAAAAA=

Shall I expect the cookie in the above form or in plain text? If encrypted, how do I decode it? Please correct me if I am being wrong.

Anonymous said...

Good morning, our developer quit and I know nothing about siteminder. I am trying to just change the text in a banner. I edited the banner in vi, but when I save it and refresh the page, nothing changes. Do .fcc files have to be compiled or something? Thank you.

Ashok said...

The web server (IIS/Apache) needs to be bounced. It does not need any compilation and you can treat a .fcc file as a regular .html file.

Sreekanth said...

Hey Ashok, you are rocking, man!!!
Good to see you :)

@All Ashok has huge knowledge of CA SM/IDM. I worked with him closely and found how much potential he has on the technology side; everyone gets great help from him.

Canadian Immigration said...

Hi Ashok,
I have a question regarding the FCC page. Does the page render data-localize? We have content that needs to be changed as per user selection. The content is in JSON format.
Please suggest.

Ashok said...

Hi Ram,

Yes, an FCC is also an HTML file with a few additional SiteMinder-related tags. You can develop your HTML page with the supported scripts and change the extension to FCC with the required additional tags, which should work.

I am not sure whether JSON is going to work in the HTML or not.

As an alternate option, you can have your own JSP or ASP login page with the required customizations and post the credentials to the login.fcc as per the articles below.

https://support.ca.com/us/knowledge-base-articles.TEC1257032.html

https://communities.ca.com/thread/241737399

Regards
Ashok