CA Single Sign On Secure Proxy Server (SiteMinder), AXIOMATICS POLICY SERVER, CA Single Sign On SOA Security Manager (SiteMinder), CA Single Sign-On
We are facing a problem with the web agent in that some applications that depend on SM_USER are complaining that the header is empty even though the user is already logged in. Our assumption is that if a user is already logged into the application, SM_USER should be set for unprotected resources also. Can you please clarify?
We have a documentation page that goes over why this is happening.
Basically, the URI has a domain in it, which triggers the double-dot rule. The rule forces the request to be processed by the agent and policy server: the IgnoreExt parameter is ignored and the SM headers are set for the request.
Example WebAgent Trace logs:
With "domain" in URL, Resource is Processed and HTTP Headers are set:

[07/06/2018][08:00:29][CSmHttpPlugin.cpp:656][CSmHttpPlugin::ProcessResource][000000000000000000000000aa0ba20a-03c6-5b3f59dd-3f991880-2deb40b9e870][*126.96.36.199][dummy_apache_agent][Resolved URL: '/testing123.ca.com/splash.jpg'.]
[07/06/2018][08:00:29][CSmHttpPlugin.cpp:5849][CSmHttpPlugin::AutoAuthorizedUrl][Unable to auto-authorize resource, double-dot rule in effect.]

If there is no 'domain' in the URI, then the resource is auto-authorized:

[07/06/2018][07:59:46][CSmHttpPlugin.cpp:656][CSmHttpPlugin::ProcessResource][000000000000000000000000aa0ba20a-0424-5b3f59b2-3f991880-ee655d706253][*188.8.131.52][dummy_apache_agent][Resolved URL: '/testing123/splash.jpg'.]
[07/06/2018][07:59:46][CSmHttpPlugin.cpp:5873][CSmHttpPlugin::AutoAuthorizedUrl][Auto-authorizing resource, matches IgnoreExt filter.]
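To find which requests were auto-authorized (and so carry no SM headers) in a larger trace, the two excerpts above can be checked with a short script. This is an added example, not CA/Broadcom code; the function name `classify` is hypothetical, and it assumes each AutoAuthorizedUrl line directly follows the ProcessResource line for the same request, as in the excerpts.

```python
import re

# Trace lines copied from the article's two excerpts (IPs as shown on the page).
SAMPLE_TRACE = """\
[07/06/2018][08:00:29][CSmHttpPlugin.cpp:656][CSmHttpPlugin::ProcessResource][000000000000000000000000aa0ba20a-03c6-5b3f59dd-3f991880-2deb40b9e870][*126.96.36.199][dummy_apache_agent][Resolved URL: '/testing123.ca.com/splash.jpg'.]
[07/06/2018][08:00:29][CSmHttpPlugin.cpp:5849][CSmHttpPlugin::AutoAuthorizedUrl][Unable to auto-authorize resource, double-dot rule in effect.]
[07/06/2018][07:59:46][CSmHttpPlugin.cpp:656][CSmHttpPlugin::ProcessResource][000000000000000000000000aa0ba20a-0424-5b3f59b2-3f991880-ee655d706253][*188.8.131.52][dummy_apache_agent][Resolved URL: '/testing123/splash.jpg'.]
[07/06/2018][07:59:46][CSmHttpPlugin.cpp:5873][CSmHttpPlugin::AutoAuthorizedUrl][Auto-authorizing resource, matches IgnoreExt filter.]
"""

RESOLVED = re.compile(r"\[CSmHttpPlugin::ProcessResource\].*\[Resolved URL: '([^']*)'\.\]")
DECISION = re.compile(r"\[CSmHttpPlugin::AutoAuthorizedUrl\]\[([^\]]+)\]")


def classify(trace):
    """Pair each Resolved URL with the AutoAuthorizedUrl decision that follows it."""
    results, pending = [], None
    for line in trace.splitlines():
        m = RESOLVED.search(line)
        if m:
            pending = m.group(1)  # remember the URL until its decision line arrives
            continue
        m = DECISION.search(line)
        if m and pending is not None:
            msg = m.group(1)
            if msg.startswith("Auto-authorizing"):
                outcome = "auto-authorized"  # matched IgnoreExt; SM headers not set
            elif "double-dot rule" in msg:
                outcome = "processed"  # handled by agent and policy server; headers set
            else:
                outcome = "unknown"
            # The dot count is reported only so the two URL shapes can be compared.
            results.append({"url": pending, "outcome": outcome,
                            "dots": pending.count("."), "reason": msg})
            pending = None
    return results


if __name__ == "__main__":
    for r in classify(SAMPLE_TRACE):
        print(f"{r['outcome']:<16} dots={r['dots']} {r['url']}  ({r['reason']})")
```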
Release: Component: SMPLC
You have two options: either change the URI path so that it has a 'domain' in it, or remove from the IgnoreExt parameter the extensions for which you want the SM headers set.