ALERT: Some images may not load properly within the Knowledge Base Article. If you see a broken image, please right-click and select 'Open image in a new tab'. We apologize for this inconvenience.

SM_USER null for Auto-Authorized Resources

book

Article ID: 105874

calendar_today

Updated On:

Products

CA Single Sign On Secure Proxy Server (SiteMinder) CA Single Sign On SOA Security Manager (SiteMinder) CA Single Sign-On

Issue/Introduction

We are facing a problem with the web agent in that some applications that depend on SM_USER are complaining that the header is empty even thought the user is already logged in. Our assumption is that if a user is already logged into the application, SM_USER should be set for unprotected resources also. Can you please clarify?

Cause

We have a documentation page that goes over why this is happening 

https://docops.ca.com/ca-single-sign-on/12-52-sp1/en/configuring/web-agent-configuration/user-protection-and-tracking/handle-complex-uris 

Basically, the URI has a domain in it and this triggers the double-dot rule. Which then forces the request to be processed by the agent and policy server. This will ignore the IgnoreExt parameter and set the SM headers for the request. 

Example WebAgent Trace logs:

With "domain" in URL, Resource is Processed and HTTP Headers are set:
[07/06/2018][08:00:29][966][1066997888][CSmHttpPlugin.cpp:656][CSmHttpPlugin::ProcessResource][000000000000000000000000aa0ba20a-03c6-5b3f59dd-3f991880-2deb40b9e870][*138.42.47.153][][dummy_apache_agent][][][Resolved URL: '/testing123.ca.com/splash.jpg'.] 
[07/06/2018][08:00:29][966][1066997888][CSmHttpPlugin.cpp:5849][CSmHttpPlugin::AutoAuthorizedUrl][][][][][][][Unable to auto-authorize resource, double-dot rule in effect.] 


If there is no 'domain' in the URI, then the resource is auto-authorized 
[07/06/2018][07:59:46][1060][1066997888][CSmHttpPlugin.cpp:656][CSmHttpPlugin::ProcessResource][000000000000000000000000aa0ba20a-0424-5b3f59b2-3f991880-ee655d706253][*138.42.47.153][][dummy_apache_agent][][][Resolved URL: '/testing123/splash.jpg'.] 
[07/06/2018][07:59:46][1060][1066997888][CSmHttpPlugin.cpp:5873][CSmHttpPlugin::AutoAuthorizedUrl][][][][][][][Auto-authorizing resource, matches IgnoreExt filter.] 

 

Environment

Release:
Component: SMPLC

Resolution

You have two options. Either change the URI path to have a 'domain' in the URI, or remove the extensions from the IgnoreExt parameter that you want to have the SM headers set for.