Requries on Login page

Document ID : KB000097563
Last Modified Date : 29/05/2018
Show Technical Document Details
Question:
We're running a Web Agent, and we'd like to know :

1 - Is there a way to mask the login page, as having 

 https://myserver.mydomain.com/myapp/login

 instead of :

 https://myserver.mydomain.com/myapp/login?TYPE=33554433&REALMOID=06-0001dc6e-bec9-1ae2-be6c-391c9970f051&GUID=&SMAUTHREASON=0&METHOD=GET&SMAGENTNAME=-SM-uh4C3ALWNjC2oO6%2b15xYX4wgaVGuync6V%2bQw9kqx9qSJCqH9fIgjRmthAFFLXHi1&TARGET=-SM-https%3a%2f%2fmyserver%2emydomain%2ecom%2fmyapp%2faccess%2f

2 - For the same resource, is it possible to have an 2 authentication,
    depending the origin of the caller, internal or external ?

3 - Can Web Agent provide redirect pages in case of idle timeout and
    max timeout ?
Answer:
1 - You might customize a login page that will POST to the login.fcc :

    Custom Login Page
    https://communities.ca.com/docs/DOC-231150607-custom-login-page

    but the login.fcc page should always be accessible to be
    processed.

    Tech Tip : CA Single Sign-On :: Web Agent::How to restrict user
    from using login.fcc directly
    https://communities.ca.com/community/ca-security/ca-single-sign-on/blog/2018/02/14/tech-tip-ca-single-sign-on-web-agenthow-to-restrict-user-from-using-loginfcc-directly

2 - You might check the Global Delivery Module : 

    Authentication Using Login Sequence for CA Single Sign-On

    SiteMinder customers have expressed a desire to have the ability
    to automatically apply different authentication schemes to
    different groups of users; if the user fails to provide correct
    credentials for one authentication mechanism, automatically fail
    over to a different authentication mechanism; or combine multiple
    authentication mechanisms into a sequence that the user must
    successfully pass through to get authenticated.  The Login
    Sequence Authentication (SmLoginSequenceAuth) solution extends the
    functionality of SiteMinder’s standard authentication schemes in
    order to address the above requirements.

    CA Global Delivery Packaged Work Product Download Index
    https://support.ca.com/us/product-content/recommended-reading/technical-document-index/ca-global-delivery-packaged-work-product-module-index.html?id=%7B3B2E2905-11AF-4479-B309-63F113CA5D57%7D?id=%7B3B2E2905-11AF-4479-B309-63F113CA5D57%7D#SSO

3 - You might be able to handle idle timeout and max timeout
    redirection with the ACO parameters :

    IdleTimeoutURL
    MaxTimeoutURL
    
    Redirect a User after a Session Time-out
    https://docops.ca.com/ca-single-sign-on/12-8/en/configuring/web-agent-configuration/session-protection/redirect-a-user-after-a-session-time-out