How to configure APIM agent to include Client IP in the SSO Token during Authentication


Article ID: 116464


Updated On:


STARTER PACK-7 CA Rapid App Security CA API Gateway


Multiple Web Agents use the client IP address for TransientIPCheck or otherwise require the client IP, but this is failing with API Gateway 9.3 CR3. The logs seem to indicate there is no IP when the token is generated by the API Gateway. Note: This works fine when we have another CA SSO 12.52 Web Agent (NOT the GW) generate the tokens; when that is done, the TransientIP check works fine.


CA SSO 12.7 OR 12.8 (our DEV only has 12.8)
Web Agents 12.52 SP1
SSO Zones are used by environment.
CA APIM Gateway 9.3 CR3


APIM uses the SSO SDK to create the SSO token (SMSESSION). Because the cookie is created by the SDK, it is a third-party cookie. Third-party cookies do not contain the client IP (“Attribute 208”).
This only affects clients that authenticate through the APIM Gateway and then navigate to the CA SSO environment, where that environment has implemented either TransientIPCheck=yes or PersistentIPCheck=yes.


Steps to include Client_IP in the SMSESSION (SSO token)
SSO Admin UI:

  1. Create an AgentConfigurationObject (ACO), for example: SomeGateway-1_ACO

Add the APIM AgentName and TransientIPCheck=yes to the ACO.

<Please see attached file for image>

APIM Policy Manager:
            Tasks -> Users and Authentication -> Manage CA Single Sign-On Configuration

  1. Address: contains the IP address (in the example, support used loopback)
  2. The “Check IP” box must be checked


<Please see attached file for image>


Open the CA SSO isProtect call in your policy and add the Agent Configuration Object name in the dialog box (example: SomeGateway-1_ACO).

<Please see attached file for image>
