22.13 Long URL Handling During Authentication

Long URL handling applies to both credential collectors (ECC and DCC) and is enabled by default.

22.13.1 About Long URLs and Authentication Handling

Authentication involves redirecting the user's request to a centralized component that performs authentication, known as the Credential Collector. The mechanism that redirects the user from the policy enforcement point (the OAM Agent) to the Credential Collector is a proprietary front channel protocol over HTTP. This protocol currently carries both the context of the request and the authentication response on the query string. When the URL of the requested page is long, the overall context grows with it and can exceed the size the browser permits. Dealing with this case is referred to as Long URL Handling.

By default, the Resource Webgate checks the payload size of the front channel protocol message against the coded limit to decide how the message is sent. When the delivery method is configured explicitly (ChallengeRedirectMethod set to GET or POST, described in Table 22-34), the limit is ignored and has no effect.

The credential collector decides whether to return the front channel response payload as HTTP POST data or on the query string based on the following:

  • Whether the incoming request indicates that the agent can handle an HTTP POST or a REDIRECT type of response

  • Whether the credential collector is configured to always send the payload as HTTP POST data

  • Whether the credential collector is configured to always send the payload as a query string

If no explicit configuration is present, the payload is sent as HTTP POST data when its size exceeds the predefined limit, and on the query string when it does not.

Note:

Preserving application POST data at the same time has no impact on long URL handling.

Table 22-33 identifies Long URL handling functionality with both the ECC and DCC.

Table 22-33 ECC and DCC: Long URL Handling

  ECC Long URL Handling                    | DCC Long URL Handling
  -----------------------------------------|--------------------------------------------------------------------
  ECC is compatible with all OAM Webgates. | Same as ECC.
  N/A                                      | Long URL handling is limited to the maximum allowed size of the DCCContextCookie.
                                           | The DCC does not perform explicit long URL handling. There is no support to preserve the front channel payload on the form.

22.13.2 Configuration Requirements for Long URL Handling

The following are the Authentication Schemes Supporting Long URL Handling:
  • FORM challenge method, supported with the out-of-the-box login page.

  • WNA

  • Basic

  • Basic+Sessionless

  • X509

  • OIF, OIM, OAAM integrations using TAP

Table 22-34 summarizes the parameters and complete configuration requirements for authentication Long URL handling. All requirements described in Table 22-34 are supported end to end with the specified authentication schemes.

Table 22-34 Parameters Required for Long URL Handling

Parameter Description

ChallengeRedirectMethod

Configure this either as an Authentication Scheme challenge parameter or as a user-defined Webgate parameter. It controls POST-data preservation for both the embedded credential collector (ECC) and the detached credential collector (DCC).

Note: Preference is given first to the Authentication Scheme containing this parameter, and second to the Webgate providing it as a user-defined parameter. If neither sets it, the default behavior is DYNAMIC.

Value: GET|POST|DYNAMIC

Behavior when value is:

  • POST: Webgate sends encquery as POST data and credential collectors send encreply as POST data.

  • GET: Webgate sends encquery as query string and expects encreply as query string.

  • DYNAMIC: Default behavior, based on the length of the encquery/encreply. Webgate/credential collector sends data either as a query string or as POST data. Code default maximum length is 2000 characters.

See Also: "Configuring Authentication POST Data Handling", Table 15-2

ChallengeRedirectMaxMessageBytes

Configure this user-defined Webgate parameter to limit the size of the message data received as obrareq.cgi and obrar.cgi. Message size is the query string length (if a query string is present) or the POST data length (if POST data is present). If the message exceeds this limit, it is not processed and the existing message is shown in the browser; the event is logged as usual.

Default: 8192 bytes

Notes:

obrareq.cgi is the authentication request in the form of a query string redirected from Webgate to the credential collector (OAM server or DCC).

obrar.cgi is the authentication response string redirected from the credential collector (OAM server or DCC) to Webgate.

See Also: "Configuring Authentication POST Data Handling", Table 15-2

serverRequestCacheType

ECC Only

Configure this OAM Server parameter, in $DOMAIN_HOME/config/fmwconfig/oam-config.xml, to define the mechanism the embedded credential collector (ECC) uses to remember the request context. Possible values are FORM, COOKIE, or CACHE.

Default: COOKIE

FORM is the required value for POST data preservation, Long URL handling and Form-based authentication schemes.

See Also: TempStateMode, and "Configuring Authentication POST Data Handling"

Long URL handling is enabled by default: the Webgate and credential collector send the front channel data either as a query string or as POST data. Under the default DYNAMIC behavior, the query string parameter sent with obrareq.cgi and obrar.cgi is limited to 2000 characters; a larger payload is sent as POST data.
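The delivery rule described in Section 22.13.1 and the parameters in Table 22-34 (precedence of ChallengeRedirectMethod, the 2000 character DYNAMIC threshold, and the ChallengeRedirectMaxMessageBytes check on the receiving side) are modelled below as an added worked example. This is illustrative code written for this section, not Oracle Access Manager's implementation and not taken from the page; the parameter names and defaults come from the documentation, while the function names, the message layout, the example collector URL and the auto-submitting HTML form used to deliver a POST payload are assumptions made for the illustration.

```python
"""Model of the front channel delivery decision for obrareq.cgi / obrar.cgi.

Illustrative code written for this section; it is not Oracle Access Manager's
implementation. Parameter names and defaults (ChallengeRedirectMethod = DYNAMIC,
2000 character query string threshold, ChallengeRedirectMaxMessageBytes = 8192)
follow the documentation. Function names, the message layout and the
auto-submitting form used for POST delivery are assumptions.
"""
import html
from urllib.parse import urlencode

DYNAMIC_QUERY_LIMIT = 2000          # code default threshold for DYNAMIC
DEFAULT_MAX_MESSAGE_BYTES = 8192    # default ChallengeRedirectMaxMessageBytes
VALID_METHODS = ("GET", "POST", "DYNAMIC")


def resolve_method(scheme_params, webgate_params):
    """Resolve ChallengeRedirectMethod with the documented precedence:
    authentication scheme challenge parameter first, then the Webgate
    user-defined parameter, otherwise DYNAMIC."""
    for params in (scheme_params, webgate_params):
        value = (params or {}).get("ChallengeRedirectMethod")
        if value:
            value = value.upper()
            if value not in VALID_METHODS:
                raise ValueError("invalid ChallengeRedirectMethod: %s" % value)
            return value
    return "DYNAMIC"


def choose_transport(method, payload_length, limit=DYNAMIC_QUERY_LIMIT):
    """GET or POST for a payload (encquery or encreply) of the given length."""
    if method in ("GET", "POST"):
        return method                      # explicit setting: the limit is ignored
    return "POST" if payload_length > limit else "GET"


def build_challenge(collector_url, encquery, method):
    """Webgate side: produce the obrareq.cgi hand-off to the credential collector.

    Returns (transport, http_status, body). A GET hand-off is a plain 302 with
    encquery on the query string; a POST hand-off is an HTML page whose form
    submits encquery as POST data, because a browser cannot carry a body
    across a redirect (assumed mechanism for this illustration).
    """
    transport = choose_transport(method, len(encquery))
    target = collector_url.rstrip("/") + "/obrareq.cgi"
    if transport == "GET":
        return transport, 302, target + "?" + urlencode({"encquery": encquery})
    form = (
        '<form method="POST" action="%s">'
        '<input type="hidden" name="encquery" value="%s"/>'
        '</form><script>document.forms[0].submit()</script>'
        % (html.escape(target, quote=True), html.escape(encquery, quote=True))
    )
    return transport, 200, form


def accept_message(query_string, post_data, max_bytes=DEFAULT_MAX_MESSAGE_BYTES):
    """Receiving side: enforce ChallengeRedirectMaxMessageBytes.

    Message size is the query string length if a query string is present,
    otherwise the POST data length. An oversized message is not processed;
    the caller logs the rejection as usual.
    """
    if query_string:
        size = len(query_string)
    else:
        size = len(post_data or "")
    if size > max_bytes:
        return False, ("message of %d bytes exceeds ChallengeRedirectMaxMessageBytes=%d, "
                       "not processed" % (size, max_bytes))
    return True, "accepted (%d bytes)" % size


if __name__ == "__main__":
    # Constructed inputs: a short and a long opaque request context.
    short_ctx = "A" * 100
    long_ctx = "B" * 3000
    method = resolve_method(None, {"ChallengeRedirectMethod": "dynamic"})
    print(build_challenge("https://sso.example.test/oam/server", short_ctx, method)[:2])
    print(build_challenge("https://sso.example.test/oam/server", long_ctx, method)[:2])
    print(accept_message("encquery=" + "C" * 9000, None))
```

Two practical points the model makes visible: an explicit GET leaves a long context on the query string regardless of size, so it is only safe where the requested URLs are known to be short, and ChallengeRedirectMaxMessageBytes is a hard ceiling applied before any processing of the message, so it must be set above the largest legitimate encquery/encreply the deployment produces or those users will be rejected rather than authenticated.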