How to Pre-fill username during step up authentication

Document ID : KB000009885
Last Modified Date : 14/02/2018
Show Technical Document Details
Introduction:

In this guide we will see how to pre-fill the username field during second challenge in step up authentication.

 

Conditions:

  • Both low level and high level authentication scheme is using HTML Form Authentication scheme.
  • UseHTTPOnlyCookies ACO parameter is set to YES
  • Can not use server side technology like  ASP/JSP/ASPX etc. Can only use login.fcc for login form.
Environment:
Web Agent : 12.0 and aboveOS : ANY
Instructions:

1. Let's create two copies of the OOTB login.fcc and rename them as login5.fcc & login10.fcc.

 

2. Create two HTML FORM authentication scheme one using login5.fcc with Protection Level 5 and other using login10.fcc with Protection Level 10.

 

3. Protect two resource say /html/ with login5.fcc auth scheme and /html10/ with login10.fcc to simulate step up authentication scenario.

 

5. Now , the trick is to add following line in the login5.fcc to instruct Web Agent to save the value in the "USER" form field as cookie 

@save=USER

 

(Note : If you need to save multiple form fields, you can specify name of the form field as colon separated list like @save=USER:TARGET )

 

So, after adding this line the login5.fcc looks like this at top 

<!-- SiteMinder Encoding=UTF-8; -->
@username=%USER%
@smretries=0
@save=USER

<html>

 

6. Next, modify the login10.fcc to pre-fill the USER form field by reading the cookie set earlier like this :

 

<td ALIGN="LEFT" > 
<b><font size=-1 face="arial,helvetica" > Username: </font></b>
</td>
<td ALIGN="LEFT" >
  <input type="text" name="USER" size="30" style="margin-left: 1px" value="$$USER$$">
</td>
<td WIDTH=20 > </td>

 

Now, the most important thing to note here is , this works even when using HTTPOnly cookies as the FCC processing happens on both the server side as well client side. All the variable with the format $$VariableName$$ are replaced on the server side by reading the value from various sources like :

  • The headers named in the SMHEADERS variable.
  • The directives.
  • The cookies.
  • The posted form data.

 

As you can see above the variable replacement happens on the server side,so it doesn't matter even if the HTTPOnly flag is set on cookies.

 

Attachment:

  • Sample login fcc 
  • Sample fiddler
Additional Information:

https://communities.ca.com/community/ca-security/blog/2016/11/17/tech-tip-ca-single-sign-on-web-agent-pre-fill-username-during-step-up-authentication

File Attachments:
TEC1030902.zip