WAOP and SSOZoneName: Loop with expired session

Article ID: 131888
Products

CA Single Sign On Secure Proxy Server (SiteMinder)
AXIOMATICS POLICY SERVER
CA Single Sign On SOA Security Manager (SiteMinder)
CA Single Sign-On

Issue/Introduction

We're running IdP and SP on different machines but with the same
Domain Name. We segregate the cookies using the SSOZoneName ACO
parameter. Once the SP session terminates, both the IDP SMSESSION and
the SP MY_SESSION cookies get the value LOGGEDOFF. The SP MY_SESSION
cookie gets removed from the browser, but the SMSESSION cookie
doesn't.

As the SMSESSION cookie reaches the IDP Web Agent Option Pack, the
transaction fails and the IDP Web Agent Option Pack reports that it is
not able to decode the SMSESSION cookie.

  [04/05/2019][14:30:09][246584][126532][ff2b8c68-4af83a86-98aa3999-3e7b55c0-64f7c1f9-b6b][FWSBase.java][getSessionData][(request cookie array) cookie value: LOGGEDOFF]

  [04/05/2019][14:30:09][246584][126532][ff2b8c68-4af83a86-98aa3999-3e7b55c0-64f7c1f9-b6b][FWSBase.java][getSessionData][evaluate trusted zone: SM]

  [04/05/2019][14:30:09][246584][126532][ff2b8c68-4af83a86-98aa3999-3e7b55c0-64f7c1f9-b6b][FWSBase.java][getSessionData][found: SMSESSION]

  [04/05/2019][14:30:09][246584][126532][ff2b8c68-4af83a86-98aa3999-3e7b55c0-64f7c1f9-b6b][FWSBase.java][isValidSession][Trying to validate using SMSESSION cookie.]

  [04/05/2019][14:30:09][246584][126532][ff2b8c68-4af83a86-98aa3999-3e7b55c0-64f7c1f9-b6b][FWSBase.java][isValidSession][Could not decryptSMSESSION cookie. Error message: Tried out all the decrypt keys, decryption failed..]

How can we fix that?

Cause

The problem is that the SMSESSION=LOGGEDOFF cookie reaches the Web
Agent Option Pack on the IDP side, and there is no Web Agent there to
handle this SMSESSION=LOGGEDOFF cookie and remove it from the browser.
The Web Agent only handles the MY_ cookie, because it is configured
with SSOZoneName=MY_. Moreover, out of the box, the Web Agent Option
Pack does not remove any cookies from the browser. As a result, the
SMSESSION=LOGGEDOFF cookie arrives at the IDP Web Agent Option Pack,
which cannot handle the value LOGGEDOFF.

The IDP Web Agent Option Pack is configured to trust both the SM and
the MY_ cookies:

affwebserv.log 

  [246584/148340][Thu Apr 04 2019 16:53:35][FWSAgentConfig.java][INFO][sm-FedClient-00190] SSOZoneName not specified. Using default: SM

  [246584/148340][Thu Apr 04 2019 16:53:35][FWSAgentConfig.java][INFO][sm-FedClient-00200] SSOTrustedZone specified as: [SM, MY_]

but its Web Agent is configured to handle only the MY_ cookie:

siteminder_ltintra302.log.1 

  [47970/3387586304][Thu Apr 04 2019 17:34:23] ssozonename='MY_'. 

The Web Agent on the SP side is configured to handle the same cookie
as the one on the IDP side:

The SP:

siteminder_ltintra305.log.1 

  [111815/4064990976][Thu Apr 04 2019 18:56:28] ssozonename='MY_'. 

The MY_SESSION cookie has expired, so the session is logged out and
the cookie is removed from the browser by the Web Agent:

smtrace_ltintra302.log.1 

  [04/05/2019][14:30:03][28807][578766592][CSmHttpPlugin.cpp:6768][CSmHttpPlugin::ProcessSessionCookie][00000000000000000000000046ad2ea0-7087-5ca74a4b-227f4700-3f6f311c7a27][*10.0.0.1][][myagent][/affwebservices/public/saml2sso?SPID=mysp][][MY_SESSION cookie has expired and will not be used to authenticate.]

  [04/05/2019][14:30:03][28807][578766592][CSmHttpPlugin.cpp:2228][CSmHttpPlugin::EstablishSession][00000000000000000000000046ad2ea0-7087-5ca74a4b-227f4700-3f6f311c7a27][*10.0.0.1][][myagent][/affwebservices/public/saml2sso?SPID=mysp][Unable to process MY_SESSION cookie.]

  [04/05/2019][14:30:03][28807][578766592][CSmHttpPlugin.cpp:2322][CSmHttpPlugin::EstablishSession][00000000000000000000000046ad2ea0-7087-5ca74a4b-227f4700-3f6f311c7a27][*10.0.0.1][][myagent][/affwebservices/public/saml2sso?SPID=mysp][Executing expired cookie redirect.]

  [04/05/2019][14:30:03][28807][578766592][CSmSessionManager.cpp:126][CSmSessionManager::EstablishSession][00000000000000000000000046ad2ea0-7087-5ca74a4b-227f4700-3f6f311c7a27][*10.0.0.1][myagent][/affwebservices/public/saml2sso?SPID=mysp][SM_WAF_HTTP_PLUGIN->EstablishSession returned SmNoAction.]

  [04/05/2019][14:30:03][28807][578766592][CSmLowLevelAgent.cpp:3402][LogoutSession][00000000000000000000000046ad2ea0-7087-5ca74a4b-227f4700-3f6f311c7a27][*10.0.0.1][][myagent][/affwebservices/public/saml2sso?SPID=mysp][Calling LogoutSession for session '+9HDjvKRwdasdasdC4hsC4+4d4='.]

  [04/05/2019][14:30:03][28807][578766592][CSmLowLevelAgent.cpp:4495][LogoutSession][][][][][][][Session logged out.]

  [04/05/2019][14:30:03][28807][578766592][SmPluginUtilities.cpp:166][DeleteCookie][00000000000000000000000046ad2ea0-7087-5ca74a4b-227f4700-600a7e0a2f8c][*10.0.0.1][][myagent][/auth/?SPID=mysp&SMPORTALURL=https%3A%2F%2Fmyotherwebagent.domain.com%2Faffwebservices%2Fpublic%2Fsaml2sso%3FSPID%3Dmysp%2Faffwebservices%2Fpublic%2Fsaml2sso&SAMLTRANSACTIONID=12fa375e-12fcb6cd-59b4b47b-9020fbcf-3630f2e0-eec][][Deleted cookie 'MY_SESSION'.]

but because the Web Agent is configured to handle only the MY_
session cookie, the SMSESSION cookie is never removed from the
browser. The IDP Web Agent Option Pack is then unable to decode the
SMSESSION value and the transaction fails. The user is not redirected
to the login page.

If you replay the issue and, at the moment the problem occurs, delete
the SMSESSION=LOGGEDOFF cookie from the browser's cookie store, the
flow resumes normally.
 

Environment

Release: MSPSSO99000-12.8-Single Sign-On-for Business Users-MSP
Component:

Resolution

Use two different Web Agents with different ACOs and different
SSOZoneName values to solve the issue.

Alternatively, you can customize the Apache server to remove the
SMSESSION=LOGGEDOFF cookie from the browser.
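An added example of that Apache customization, written for this article rather than taken from it or from the product: on the IDP web server in front of the Web Agent Option Pack, mod_setenvif flags any request whose Cookie header carries SMSESSION=LOGGEDOFF, and mod_headers answers it with a Set-Cookie that expires the stale cookie, so the browser stops sending it on the next request. The Domain value `.example.com` is a placeholder; it and the Path must match the attributes the Web Agent used when it set SMSESSION (the agent's CookieDomain), otherwise the browser treats the expiring cookie as a different one and keeps the stale copy.

```apache
# Added example, not part of the article or the product configuration.
# Requires mod_setenvif and mod_headers.
<IfModule mod_headers.c>
    # Match SMSESSION=LOGGEDOFF as a whole cookie, at the start of the
    # header or after a "; " separator, so MY_SESSION=LOGGEDOFF is not caught.
    SetEnvIf Cookie "(^|; ?)SMSESSION=LOGGEDOFF(;|$)" SM_LOGGEDOFF=1

    # Expire the cookie in the browser. "always" also covers error and
    # redirect responses, where the loop described above shows up.
    # Domain is a placeholder: set it to the Web Agent's CookieDomain.
    Header always add Set-Cookie "SMSESSION=; Path=/; Domain=.example.com; Expires=Thu, 01 Jan 1970 00:00:00 GMT; Secure; HttpOnly" env=SM_LOGGEDOFF
</IfModule>
```

The deletion only takes effect on the response after the LOGGEDOFF cookie has already reached the Web Agent Option Pack once, so that single failing transaction still appears in affwebserv.log; the following request arrives without SMSESSION and enters the login flow again.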