Hacking CA SSO (SiteMinder) Password Services Redirects

CA SSO Password Services redirects work great if you want to use the default forms that ship with the Web Agent. While modifying the FCC files is a potential option, how do you take advantage of your existing password change forms? What about ignoring those pesky Active Directory password redirects? Let's get hacking. There are a couple of settings you can use with Password Services beyond configuring a Password Policy within the Admin UI. The settings must be obvious, right? Well... Keep reading for the scoop.

Hack 1: Changing the Password Services Redirect

When no Password Policy is defined, CA SSO redirects to the default Password Services FCC URL. You can override this behavior by setting the NETE_PWSERVICES_REDIRECT environment variable to the relative URL where you want to redirect the user. While the documentation says the path must be relative, I have successfully set it to a fully qualified redirect URL. Give that a shot, but the official means of setting a fully qualified URL is in the Password Policy itself.

Password Policy Image

Keep in mind that the environment variable is set on the Policy Server(s) and not the Web Agent server(s).

Bonus: Take a look at the path in the Password Policy. If you ever wanted to exclude users based on an LDAP attribute, you can use a search expression instead of a specific branch.

Hack 2: Disabling Password Services Redirects

By default, CA SSO redirects natively disabled Active Directory users to Password Services, even if Password Services is not enabled for the authentication scheme protecting the resource or a Password Policy is not defined. To disable this behavior, set the IgnoreDefaultRedirectOnADnativeDisabled registry entry on the Policy Server(s). Configure the following registry entry:

Name: IgnoreDefaultRedirectOnADnativeDisabled
Location: HKEY_LOCAL_MACHINE/SOFTWARE/Wow6432Node/Netegrity/Siteminder/CurrentVersion/Ds/LDAPProvider
Type: DWORD (32-bit) Value
Values: 0 (disabled) or 1 (enabled).
Default: 0. If the registry key is disabled, the default behavior is in effect.

Registry Entry Image
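
An added example, not from the original post or from CA: a PowerShell script to run on a Windows Policy Server that reports the two settings from Hack 1 and Hack 2 and, with -Enable or -Disable, writes the registry value. It assumes the registry location above rewritten in PowerShell provider syntax and that NETE_PWSERVICES_REDIRECT is defined as a machine-scope environment variable; the function name Get-RedirectSetting is hypothetical.

```powershell
# Added example: audit (and optionally set) the two Policy Server settings from this post.
# Run on a Policy Server; use an elevated session with -Enable or -Disable.
[CmdletBinding(SupportsShouldProcess)]
param(
    [switch]$Enable,   # write 1: ignore the default redirect for natively disabled AD users
    [switch]$Disable   # write 0: restore the default redirect behavior
)

# Registry location and value name as given in the post, in PowerShell provider syntax.
$KeyPath   = 'HKLM:\SOFTWARE\Wow6432Node\Netegrity\Siteminder\CurrentVersion\Ds\LDAPProvider'
$ValueName = 'IgnoreDefaultRedirectOnADnativeDisabled'

function Get-RedirectSetting {
    # Assumption: the Policy Server service inherits machine-scope environment variables.
    $redirect = [Environment]::GetEnvironmentVariable('NETE_PWSERVICES_REDIRECT', 'Machine')
    $item = Get-ItemProperty -Path $KeyPath -Name $ValueName -ErrorAction SilentlyContinue
    $raw  = if ($item) { $item.$ValueName } else { $null }
    [pscustomobject]@{
        Computer           = $env:COMPUTERNAME
        PwServicesRedirect = if ($redirect) { $redirect } else { '(not set: default FCC URL)' }
        RegistryValue      = if ($null -eq $raw) { '(absent)' } else { $raw }
        # Absent or 0 means the default redirect to Password Services is in effect.
        ADDisabledRedirect = if ($raw -eq 1) { 'ignored' } else { 'default redirect' }
    }
}

if ($Enable -and $Disable) { throw 'Specify only one of -Enable or -Disable.' }

if ($Enable -or $Disable) {
    $target = if ($Enable) { 1 } else { 0 }
    if (-not (Test-Path -Path $KeyPath)) {
        throw "Registry key not found: $KeyPath (is this a Policy Server?)"
    }
    if ($PSCmdlet.ShouldProcess("$KeyPath\$ValueName", "Set DWORD to $target")) {
        # -Force creates the value or overwrites an existing one as a DWORD.
        New-ItemProperty -Path $KeyPath -Name $ValueName -PropertyType DWord `
            -Value $target -Force | Out-Null
    }
}

# Always finish by reporting the state now in effect on this server.
Get-RedirectSetting
```

Running it with -Enable -WhatIf shows the pending registry write without making it, which is handy when checking several Policy Servers for drift.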

Have Fun Storming the Castle and let us know if you have any other Password Services tricks.