search cancel

SM_UNIVERSALID header unable to pass when loggedin via IWA on dev environment

book

Article ID: 134423

calendar_today

Updated On:

Products

CA Single Sign On Secure Proxy Server (SiteMinder) CA Single Sign On Agents (SiteMinder) CA Single Sign On Federation (SiteMinder) CA Single Sign On SOA Security Manager (SiteMinder) CA Single Sign-On SITEMINDER

Issue/Introduction

We're running a Web Agent and when a user get authenticated by Windows Authentication Scheme, then the header SM_UNIVERSALID doesn't get filled and passed to the application. We noticed this happens on unprotected resource after authentication.

 

How can we fix this ?

Environment

  Policy Server 12.52SP1CR05 2113 on SunOS;

  Web Agent 12.52SP1CR09 2614 on IIS 8.5 64bit on Windows 2012 R2 64bit;

  Web Agent Cookie Provider 12.52SP1CR02 766 64 bit on Apache 2.2.11 on SunOS;

Resolution

In order to get the SM_UNIVERSALID header on unprotected application, you have to set the ACO parameter :

 

PreserveUniversalID = yes

 

1. This parameter has been added in Web Agent 12.52SP1CR08 and it  is documented here :

 

   New ACO Parameter preserveuniversalID

 

     From 12.52 SP1 CR08, you can configure the preserveuniversalid ACO

     parameter to set Universal ID to non-protected resources too when a valid SMSESSION cookie is available.

 

https://techdocs.broadcom.com/us/en/symantec-security-software/identity-security/siteminder/12-52-01/release-notes/new-features/policy-server-new-features.html#concept.dita_e0bde2269285bc75a5394859011cc4f6ab538d60_NewACOParameterpreserveuniversalID

   So said, if you don't set it or if you run version before 12.52SP1CR08, you won't be able to get the SM_UNIVERSALID on unprotected resource.

 

   Historically, some Customers reported a security issue when the SM_UNIVERSALID is produced on unprotected page. That's the reason

   why this header has been removed from the processing of the unprotected resource.

 

   Since 12.52SP1CR08, you have the possibility to choose if you want the header on unprotected resource or not. By default (if not set), it is disable and the header will not show up on unprotected resource.

 

2. For a list of recently modified ACO parameter, rely on the release notes and documentation :

 

   Cumulative Releases

  https://techdocs.broadcom.com/us/en/symantec-security-software/identity-security/siteminder/12-52-01/release-notes/cumulative-releases.html

 

   List of Agent Configuration Parameters

  https://techdocs.broadcom.com/us/en/symantec-security-software/identity-security/siteminder/12-52-01/configuring/web-agent-configuration/list-of-agent-configuration-parameters.html