How to configure APIM agent to include Client IP in the SSO Token during Authentication
search cancel

How to configure APIM agent to include Client IP in the SSO Token during Authentication

book

Article ID: 116464

calendar_today

Updated On:

Products

STARTER PACK-7 CA Rapid App Security CA API Gateway

Issue/Introduction

Multiple Web Agents leverage the client IP address to do TransientIPCheck or requiring the client IP but this is failing with API Gateway 9.3 CR3.  The logs seem to indicate there is no IP when the token is generated by the API Gateway. Note: This works fine when we have another CA SSO 12.52 Web Agent (NOT the GW) generate the tokens, when that is done then TransientIP check works fine.

Environment

CA SSO 12.7 OR 12.8 (our DEV only has 12.8)
Web Agents 12.52 SP1
SSO Zones are used by environment.
CA APIM Gateway 9.3 CR3
 
 

Cause

APIM uses SSO SDK to create SSO Token (SMSESSION) because the cookie is created by SDK it is a third-party cookie.  Third party cookies do not contain Client IP “Attribute 208”
 
This will only effect clients that authenticate from APIM Gateway then navigate to CA SSO environment. Also, the CA SSO environment implemented either TransientIPCheck=yes or PersistentIPCheck=yes
 

Resolution

Steps to include Client_IP in the SMSESSION (sso token)
 
SSO Admin UI

  1. Create AgentConfigurationObject (ACO) example: SomeGateway-1_ACO


Add the APIM AgentName and TransientIPCheck=yes

<Please see attached file for image>

ACO
APIM Policy manager:
            Task->Users and Authentication->Manager CA Single Sign-On Configuration

  1. Address: contains IP address (example support used loopback 127.0.0.1)
  2. Must check the box “Check IP”

 

<Please see attached file for image>

User-added image 

Navigate/open to the CA SSO isProtect call in your policy add the Agent Configuration Object name in the ialog box:  (example SomeGateway-1_ACO)

<Please see attached file for image>

User-added image





 

Attachments

1558695243782000116464_sktwi1f5rjvs16i2p.png get_app
1558695242006000116464_sktwi1f5rjvs16i2o.png get_app
1558695240275000116464_sktwi1f5rjvs16i2n.png get_app
Powered by Wolken Software