SDK created SESSION cookies in zone other than SM


Article ID: 191502



CA Single Sign On Secure Proxy Server (SiteMinder), CA Single Sign On Agents (SiteMinder), CA Single Sign On Federation (SiteMinder), CA Single Sign On SOA Security Manager (SiteMinder), SITEMINDER


We're running a Custom SDK Agent and we'd like to know how this Custom
SDK Agent can produce a session cookie with the name XYZ, which will
be accepted by other Web Agents?

In our environment, if we change the zone the cookie is saved in, say
to XYZSESSION, any regular Web Agent will reject the cookie saying
there is a zone mismatch XYZ != SM.

How can we fix that?


Web Agent 12.52SP1CR09 on Apache 2.4 on RedHat 6;


At first glance, you have to code the application to set and retrieve
the cookie name. As such, you can follow the guidelines from this
KD:

  We want to use the SDK to create cookies under different SSO
  Zones. How can we configure the AgentAPI to feed it SSOZoneName="Z1"
  so that it can be used to create a valid Z1SESSION cookie?

To make the other Web Agents accept the specific cookie created by the
Custom SDK Agent, you have to enable the following parameters in their
ACO:


  Set up Security Zones

    You configure SSO security zones using two Agent Configuration
    Object (ACO) parameters:

      SSOZoneName Identifies an Agent's local zone by assigning it a
      name. The default name is "SM."

      SSOTrustedZone Lists zone names that an agent trusts.

    A single Web Agent instance supports only one local SSO zone, which
    you identify using the SSOZoneName parameter. An Agent implicitly
    trusts its local zone. Multiple zones cannot be named using the
    same Agent instance.
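
The zone rule quoted above can be checked against a set of ACO settings before rollout. The following is an added example, not code from the SiteMinder SDK or from this article: it models which agents would accept a `<zone>SESSION` cookie. The agent names, the sample header, the comma-separated format of SSOTrustedZone and the case-insensitive comparison are assumptions.

```python
# Added example: models the zone rule quoted above. Not SiteMinder code.
DEFAULT_ZONE = "SM"      # default SSOZoneName per the documentation above
SUFFIX = "SESSION"       # cookie name is <zone>SESSION (XYZSESSION, Z1SESSION)


def trusted_zones(aco):
    """Zones an agent accepts: its local zone (implicit) plus SSOTrustedZone."""
    local = aco.get("SSOZoneName") or DEFAULT_ZONE
    # Assumption: SSOTrustedZone is a comma-separated list and zone names
    # are compared case-insensitively.
    listed = [z.strip() for z in aco.get("SSOTrustedZone", "").split(",")]
    return {z.upper() for z in [local, *listed] if z}


def session_cookie_zones(cookie_header):
    """Zone prefix of every <zone>SESSION cookie in a Cookie request header."""
    zones = []
    for pair in cookie_header.split(";"):
        name = pair.partition("=")[0].strip()
        if name.endswith(SUFFIX) and len(name) > len(SUFFIX):
            zones.append(name[:-len(SUFFIX)])
    return zones


def audit(agents, cookie_header):
    """Map each agent to the presented zones it would accept (empty = reject)."""
    presented = session_cookie_zones(cookie_header)
    return {name: [z for z in presented if z.upper() in trusted_zones(aco)]
            for name, aco in agents.items()}


# Constructed ACO settings; agent names are hypothetical.
AGENTS = {
    "default-agent": {},                                        # local zone SM only
    "portal-agent": {"SSOZoneName": "SM", "SSOTrustedZone": "XYZ"},
    "sdk-zone-agent": {"SSOZoneName": "XYZ"},
}
# Constructed Cookie header; the token value is a placeholder.
HEADER = "XYZSESSION=PLACEHOLDER_TOKEN; theme=dark"

if __name__ == "__main__":
    for agent, zones in audit(AGENTS, HEADER).items():
        verdict = "accepts " + ", ".join(zones) if zones else "rejects: zone not trusted"
        print(f"{agent}: {verdict}")
```

An agent left at its defaults is the one that reports the zone mismatch; listing XYZ in its SSOTrustedZone is what changes the verdict.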

For the SDK Agent, you'll find the description of the function that
sets it here:


     int SM_EXTERN Sm_AgentApi_CreateSSOToken (
         const void*                      pHandle,
         Sm_AgentApi_Session_t*           pSession,
         long                             nNumAttributes,
         Sm_AgentApi_Attribute_t*         pTokenAttributes,
         long*                            pNumSSOTokenLength,
         char*                            lpszSSOToken
     );

     pTokenAttributes

     SM_AGENTAPI_ATTR_SSOZONE The designation of the SSO zone name. If
     you do not specify a zone name, the default is "SM." This value
     is in the attribute list that is returned by the
     Sm_AgentApi_DecodeSSOToken method. Any other attribute is