When the IdP (Identity Provider) and the SP (Service Provider) run on different machines but share the same domain name, their session cookies are segregated by the SSOZoneName ACO parameter, which determines the cookie name (SMSESSION for the default zone SM, MY_SESSION for the zone MY_).
Once the SP session terminates, both the IdP SMSESSION cookie and the SP MY_SESSION cookie get the value LOGGEDOFF. The SP MY_SESSION cookie is then removed from the browser, but the SMSESSION cookie is not.
When that SMSESSION cookie reaches the IdP Web Agent Option Pack, the transaction fails and the Option Pack reports that it cannot decode the SMSESSION cookie:
[04/05/2019][14:30:09][246584][126532][ff2b8c68-4af83a86-98aa3999-3e7b55c0-64f7c1f9-b6b][FWSBase.java][getSessionData][(request cookie array) cookie value: LOGGEDOFF]
[04/05/2019][14:30:09][246584][126532][ff2b8c68-4af83a86-98aa3999-3e7b55c0-64f7c1f9-b6b][FWSBase.java][getSessionData][evaluate trusted zone: SM]
[04/05/2019][14:30:09][246584][126532][ff2b8c68-4af83a86-98aa3999-3e7b55c0-64f7c1f9-b6b][FWSBase.java][getSessionData][found: SMSESSION]
[04/05/2019][14:30:09][246584][126532][ff2b8c68-4af83a86-98aa3999-3e7b55c0-64f7c1f9-b6b][FWSBase.java][isValidSession][Trying to validate using SMSESSION cookie.]
[04/05/2019][14:30:09][246584][126532][ff2b8c68-4af83a86-98aa3999-3e7b55c0-64f7c1f9-b6b][FWSBase.java][isValidSession][Could not decryptSMSESSION cookie. Error message: Tried out all the decrypt keys, decryption failed..]
The problem is that the SMSESSION=LOGGEDOFF cookie reaches the Web Agent Option Pack on the IdP side, and there is no Web Agent to handle SMSESSION=LOGGEDOFF and remove it from the browser.
The Web Agent only handles the MY_ cookie, since it is configured with SSOZoneName=MY_.
Moreover, out of the box, the Web Agent Option Pack does not remove any cookies from the browser. The result is that SMSESSION=LOGGEDOFF arrives at the IdP Web Agent Option Pack, which cannot handle the value LOGGEDOFF.
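To recognise this failure pattern in the traces without reading them by hand, here is an added Python example (not code from the page or from the product). It parses lines in the affwebserv trace format shown above, reports every transaction in which the Option Pack read a cookie value of LOGGEDOFF and then failed to decrypt it, and checks the Web Agent trace for trusted-zone session cookies that were never deleted. The sample lines, transaction ids and pids are constructed to mirror the page's format, not taken from a real deployment.

```python
import re
from collections import defaultdict

# Constructed sample lines modelled on the affwebserv trace format shown on the
# page ([date][time][pid][tid][transaction id][source file][method][message]).
# Transaction ids and pids are placeholders, not values from the page.
FWS_TRACE = """\
[04/05/2019][14:30:09][1001][2002][tx-0001][FWSBase.java][getSessionData][(request cookie array) cookie value: LOGGEDOFF]
[04/05/2019][14:30:09][1001][2002][tx-0001][FWSBase.java][getSessionData][evaluate trusted zone: SM]
[04/05/2019][14:30:09][1001][2002][tx-0001][FWSBase.java][getSessionData][found: SMSESSION]
[04/05/2019][14:30:09][1001][2002][tx-0001][FWSBase.java][isValidSession][Trying to validate using SMSESSION cookie.]
[04/05/2019][14:30:09][1001][2002][tx-0001][FWSBase.java][isValidSession][Could not decryptSMSESSION cookie. Error message: Tried out all the decrypt keys, decryption failed..]
[04/05/2019][14:31:00][1001][2003][tx-0002][FWSBase.java][getSessionData][found: MY_SESSION]
[04/05/2019][14:31:00][1001][2003][tx-0002][FWSBase.java][isValidSession][Trying to validate using MY_SESSION cookie.]
"""

# Constructed Web Agent trace lines; only the DeleteCookie events matter here.
AGENT_TRACE = """\
[04/05/2019][14:30:03][3003][4004][CSmLowLevelAgent.cpp:4495][LogoutSession][][][][][][][Session logged out.]
[04/05/2019][14:30:03][3003][4004][SmPluginUtilities.cpp:166][DeleteCookie][tx-0001][*10.0.0.1][][myagent][/auth/][][Deleted cookie 'MY_SESSION'.]
"""

FWS_LINE = re.compile(
    r"^\[(?P<date>[^\]]*)\]\[(?P<time>[^\]]*)\]\[(?P<pid>[^\]]*)\]\[(?P<tid>[^\]]*)\]"
    r"\[(?P<txid>[^\]]*)\]\[(?P<file>[^\]]*)\]\[(?P<method>[^\]]*)\]\[(?P<msg>.*)\]$"
)
FOUND_COOKIE = re.compile(r"found: (\w+)")
DELETED_COOKIE = re.compile(r"Deleted cookie '(\w+)'")


def parse_fws_trace(text):
    """Yield one dict per well-formed affwebserv trace line; other lines are skipped."""
    for line in text.splitlines():
        m = FWS_LINE.match(line)
        if m:
            yield m.groupdict()


def find_loggedoff_decrypt_failures(text):
    """Map transaction id -> cookie name for every transaction in which the
    Option Pack read a cookie whose value was LOGGEDOFF and then failed to
    decrypt it. That sequence is the signature of the stale SMSESSION=LOGGEDOFF cookie."""
    per_tx = defaultdict(dict)
    for rec in parse_fws_trace(text):
        tx, msg = per_tx[rec["txid"]], rec["msg"]
        if "cookie value: LOGGEDOFF" in msg:
            tx["loggedoff"] = True
        found = FOUND_COOKIE.search(msg)
        if found:
            tx["cookie"] = found.group(1)
        if tx.get("loggedoff") and "Could not decrypt" in msg:
            tx["failed"] = True
    return {txid: tx.get("cookie", "?") for txid, tx in per_tx.items() if tx.get("failed")}


def undeleted_zone_cookies(agent_trace, trusted_zones):
    """Given the zones the Option Pack trusts (its SSOTrustedZone list), return the
    session cookie names that the Web Agent never deleted in this trace."""
    deleted = set(DELETED_COOKIE.findall(agent_trace))
    return {zone + "SESSION" for zone in trusted_zones} - deleted


if __name__ == "__main__":
    print("LOGGEDOFF cookies the Option Pack could not decrypt:",
          find_loggedoff_decrypt_failures(FWS_TRACE))
    print("Trusted-zone cookies never deleted by the Web Agent:",
          undeleted_zone_cookies(AGENT_TRACE, ["SM", "MY_"]))
```

Run against the constructed traces, the first function reports tx-0001 with SMSESSION and the second reports SMSESSION as the trusted-zone cookie no Web Agent ever deleted, which is exactly the mismatch described above.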
The IdP Web Agent Option Pack is configured to trust both the SM and the MY_ cookies:
affwebserv.log:
[246584/148340][Thu Apr 04 2019 16:53:35][FWSAgentConfig.java][INFO][sm-FedClient-00190] SSOZoneName not specified. Using default: SM
[246584/148340][Thu Apr 04 2019 16:53:35][FWSAgentConfig.java][INFO][sm-FedClient-00200] SSOTrustedZone specified as: [SM, MY_]
but its Web Agent is configured to handle only the MY_ cookie:
webagent.log:
[47970/3387586304][Thu Apr 04 2019 17:34:23] ssozonename='MY_'.
The Web Agent on the SP side is configured to handle the same cookie as the one on the IdP side:
The SP:
webagent.log:
[111815/4064990976][Thu Apr 04 2019 18:56:28] ssozonename='MY_'.
The MY_SESSION cookie expires, the session is logged out, and the cookie is removed from the browser by the Web Agent:
webagenttrace.log:
[04/05/2019][14:30:03][28807][578766592][CSmHttpPlugin.cpp:6768] [CSmHttpPlugin::ProcessSessionCookie][00000000000000000000000046ad2ea0-7087-5ca74a4b-227f4700-3f6f311c7a27][*10.0.0.1][][myagent][/affwebservices/public/saml2sso?SPID=mysp][][MY_SESSION cookie has expired and will not be used to authenticate.]
[04/05/2019][14:30:03][28807][578766592][CSmHttpPlugin.cpp:2228][CSmHttpPlugin::EstablishSession][00000000000000000000000046ad2ea0-7087-5ca74a4b-227f4700-3f6f311c7a27][*10.0.0.1][][myagent][/affwebservices/public/saml2sso?SPID=mysp][Unable to process MY_SESSION cookie.]
[04/05/2019][14:30:03][28807][578766592][CSmHttpPlugin.cpp:2322][CSmHttpPlugin::EstablishSession][00000000000000000000000046ad2ea0-7087-5ca74a4b-227f4700-3f6f311c7a27][*10.0.0.1][][myagent][/affwebservices/public/saml2sso?SPID=mysp [Executing expired cookie redirect.]
[04/05/2019][14:30:03][28807][578766592][CSmSessionManager.cpp:126][CSmSessionManager::EstablishSession][00000000000000000000000046ad2ea0-7087-5ca74a4b-227f4700-3f6f311c7a27][*10.0.0.1][myagent][/affwebservices/public/saml2sso?SPID=mysp][SM_WAF_HTTP_PLUGIN->EstablishSession returned SmNoAction.]
[04/05/2019][14:30:03][28807][578766592][CSmLowLevelAgent.cpp:3402][LogoutSession][00000000000000000000000046ad2ea0-7087-5ca74a4b-227f4700-3f6f311c7a27][*10.0.0.1][][myagent][/affwebservices/public/saml2sso?SPID=mysp][Calling LogoutSession for session '+9HDjvKRwdasdasdC4hsC4+4d4='.]
[04/05/2019][14:30:03][28807][578766592][CSmLowLevelAgent.cpp:4495][LogoutSession][][][][][][][Session logged out.]
[04/05/2019][14:30:03][28807][578766592][SmPluginUtilities.cpp:166][DeleteCookie][00000000000000000000000046ad2ea0-7087-5ca74a4b-227f4700-600a7e0a2f8c][*10.0.0.1][][myagent][/auth/?SPID=mysp&SMPORTALURL=https%3A%2F%2F_host.example.com%2Faffwebservices%2Fpublic%2Fsaml2sso%3FSPID%3Dmysp%2Faffwebservices%2Fpublic%2Fsaml2sso&SAMLTRANSACTIONID=12fa375e-12fcb6cd-59b4b47b-9020fbcf-3630f2e0-eec][][Deleted cookie 'MY_SESSION'.]
But because the Web Agent is configured to handle only the MY_ session cookie, the SMSESSION cookie never gets removed from the browser. The IdP Web Agent Option Pack is then unable to decode the SMSESSION value and the transaction fails; the user is not redirected to the login page.
When reproducing the issue, removing the SMSESSION=LOGGEDOFF cookie from the browser at the moment the problem occurs lets the browser follow the flow again.
To solve the issue, use two different Web Agents with different ACOs and different SSOZoneName values.
Alternatively, customizing the Apache server to remove the SMSESSION=LOGGEDOFF cookie from the browser can also work.
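As an added illustration of the second workaround (not code from the page, from CA, or from any real deployment), the following Python WSGI middleware implements the filtering rule that such an Apache customization needs: drop a zone session cookie only when its value is exactly the LOGGEDOFF marker, leave a real encrypted session value and the other zone's cookie untouched, and send the browser an expiring Set-Cookie so the stale cookie disappears. The zone list, the cookie domain and the sample requests are assumptions; in Apache itself the same two steps are typically done with mod_headers (a RequestHeader edit on the inbound Cookie header plus a Header set of an expiring Set-Cookie), and the middleware form simply makes the rule testable offline.

```python
# Added example: WSGI middleware doing what the Apache customization must do.
# Zone names, the cookie domain and the sample requests are constructed values.

LOGGEDOFF = "LOGGEDOFF"


def strip_loggedoff_cookies(cookie_header, zones=("SM",)):
    """Return (filtered Cookie header, names removed).

    Only a cookie whose value is exactly LOGGEDOFF is removed, and only for the
    zones given (SM -> SMSESSION). A cookie carrying a real encrypted session
    value is left alone, as is any cookie of a zone not listed (the Web Agent
    already deletes its own MY_SESSION=LOGGEDOFF, so MY_ is not listed by default).
    """
    targets = {zone + "SESSION" for zone in zones}
    kept, removed = [], []
    for part in cookie_header.split(";"):
        part = part.strip()
        if not part:
            continue
        name, _, value = part.partition("=")
        if name in targets and value == LOGGEDOFF:
            removed.append(name)
        else:
            kept.append(part)
    return "; ".join(kept), removed


def expire_cookie_header(name, domain, path="/"):
    """Set-Cookie value that makes the browser discard the stale cookie.
    Domain and Path must match the cookie the Web Agent originally set."""
    return f"{name}=LOGGEDOFF; Path={path}; Domain={domain}; Expires=Thu, 01 Jan 1970 00:00:00 GMT"


class LoggedOffCookieFilter:
    """Scrub LOGGEDOFF zone cookies from the inbound request before the
    wrapped application sees them, and append an expiring Set-Cookie for each
    removed cookie to the response."""

    def __init__(self, app, domain, zones=("SM",)):
        self.app, self.domain, self.zones = app, domain, zones

    def __call__(self, environ, start_response):
        header, removed = strip_loggedoff_cookies(environ.get("HTTP_COOKIE", ""), self.zones)
        if removed:
            if header:
                environ["HTTP_COOKIE"] = header
            else:
                environ.pop("HTTP_COOKIE", None)  # nothing left, drop the header entirely

        def _start_response(status, headers, exc_info=None):
            for name in removed:
                headers.append(("Set-Cookie", expire_cookie_header(name, self.domain)))
            return start_response(status, headers, exc_info)

        return self.app(environ, _start_response)


def run_request(cookie_header, domain=".example.com"):
    """Drive the filter with a constructed request (placeholder domain); returns
    the Cookie header the wrapped app actually saw and the response headers sent."""
    seen, sent = {}, {}

    def app(environ, start_response):
        seen["cookie"] = environ.get("HTTP_COOKIE")
        start_response("200 OK", [("Content-Type", "text/plain")])
        return [b"ok"]

    def start_response(status, headers, exc_info=None):
        sent["headers"] = list(headers)

    filtered = LoggedOffCookieFilter(app, domain=domain)
    b"".join(filtered({"HTTP_COOKIE": cookie_header}, start_response))
    return seen["cookie"], sent["headers"]


if __name__ == "__main__":
    print(run_request("MY_SESSION=abc123; SMSESSION=LOGGEDOFF; lang=en"))
    print(run_request("SMSESSION=AbCdEf==; MY_SESSION=LOGGEDOFF"))
```

The check on the exact value LOGGEDOFF is the important part: a filter that removed every SMSESSION cookie would also strip live IdP sessions and break single sign-on, whereas removing only the logout marker restores the redirect to the login page that the page describes.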