Application Access after Federated Authentication

Article ID: 130993

Updated On:

Products

CA Single Sign On Secure Proxy Server (SiteMinder), CA Single Sign On SOA Security Manager (SiteMinder), CA Single Sign-On

Issue/Introduction

The customer has integrated SiteMinder/SSO with one of their applications, and access works as expected when users log in internally. When users authenticate via federation, however, the application prompts them for credentials. We expect single sign-on in this second scenario. We're not sure if this is caused by the cookies; the set of cookies is slightly different in each use case.

Cause

The application is integrated with SiteMinder/SSO via the SM_USER HTTP header. As this is a default user variable, it is always set for authenticated users. We placed a header dump page on the web server where the application is hosted so we could examine the header values in each use case. The working use case had this header set to the username. The non-working use case had this header set to the user's full DN, which the application obviously does not recognize.
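
A header dump of the kind described above, as an added example (not the page used in this case and not vendor code). It assumes a Python WSGI host, where the SM_USER header appears as HTTP_SM_USER, and its sample requests are constructed; it reports whether SM_USER holds a login name or a DN and redacts the Cookie and Authorization headers so the dump does not expose session tokens.

```python
import re

# Heuristic (assumption): a DN starts with an attribute type or OID followed
# by "=", e.g. "uid=" or "CN="; a plain login name does not.
_DN_START = re.compile(r"^\s*(?:[A-Za-z][A-Za-z0-9-]*|\d+(?:\.\d+)+)\s*=")
# Headers that carry session material and must not be echoed back.
_SENSITIVE = {"HTTP_COOKIE", "HTTP_AUTHORIZATION"}


def classify_sm_user(value):
    """Return 'missing', 'dn' or 'username' for an SM_USER header value."""
    if not value or not value.strip():
        return "missing"
    return "dn" if _DN_START.match(value) else "username"


def header_report(environ):
    """Collect request headers from a WSGI environ, redacting session material."""
    headers = {}
    for key, value in sorted(environ.items()):
        if not key.startswith("HTTP_"):
            continue  # skip server variables, keep only request headers
        headers[key] = "[redacted]" if key in _SENSITIVE else value
    return {"sm_user_form": classify_sm_user(environ.get("HTTP_SM_USER")),
            "headers": headers}


def app(environ, start_response):
    """WSGI entry point: render the report as plain text."""
    report = header_report(environ)
    lines = ["SM_USER form: " + report["sm_user_form"]]
    lines += ["%s: %s" % kv for kv in report["headers"].items()]
    body = "\n".join(lines).encode("utf-8")
    start_response("200 OK", [("Content-Type", "text/plain; charset=utf-8"),
                              ("Content-Length", str(len(body)))])
    return [body]


# Constructed sample requests for the two use cases in the article.
INTERNAL = {"HTTP_SM_USER": "jdoe", "HTTP_COOKIE": "SMSESSION=constructed"}
FEDERATED = {"HTTP_SM_USER": "uid=jdoe,ou=people,dc=example,dc=com",
             "HTTP_COOKIE": "SMSESSION=constructed"}

if __name__ == "__main__":
    for name, env in (("internal", INTERNAL), ("federated", FEDERATED)):
        print(name, header_report(env)["sm_user_form"])
```

Place a page like this behind the same protection policy as the application and remove it once the comparison is done.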

Environment

Release:
Component: SMFSS

Resolution

To avoid adjusting the federation configuration, we simply added a Web Agent HTTP Header Variable response to the policy allowing access to the application.  This overwrote the DN value that was in SM_USER and replaced it with the expected username, allowing access to the application.