SDK created SESSION cookies in zone other than SM
Article ID: 191502

Products

CA Single Sign On Secure Proxy Server (SiteMinder) CA Single Sign On Agents (SiteMinder) CA Single Sign On Federation (SiteMinder) CA Single Sign On SOA Security Manager (SiteMinder) SITEMINDER

Issue/Introduction


We're running a Custom SDK Agent and we'd like to know how this Custom
SDK Agent can produce a session cookie with the name XYZ, which will
be accepted by other Web Agents?

In our environment, if we change the zone the cookie is saved in, say
to XYZSESSION, any regular Web Agent will reject the cookie saying
there is a zone mismatch XYZ != SM.

How can we fix that?

Environment


Web Agent 12.52SP1CR09 on Apache 2.4 on RedHat 6;

Resolution


First, you have to code the application to set and retrieve the cookie
name. For that, you can follow the guidelines from this KD:

  We want to use the SDK to create cookies under different SSO
  Zones. How can we configure the AgentAPI to feed it SSOZoneName="Z1"
  so that it can be used to create a valid Z1SESSION cookie?

  https://knowledge.broadcom.com/external/article?articleId=51424

In order for the other Web Agents to accept the specific cookie
created by the Custom SDK Agent, you have to enable the following
parameters in their ACO:

  SSOZoneName
  SSOTrustedZone

  Set up Security Zones

    You configure SSO security zones using two Agent Configuration
    Object (ACO) parameters:

      SSOZoneName Identifies an Agent's local zone by assigning it a
      name. The default name is "SM."

      SSOTrustedZone Lists zone names that an agent trusts.

    A single Web Agent instance supports only one local SSO zone, which
    you identify using the SSOZoneName parameter. An Agent implicitly
    trusts its local zone. Multiple zones cannot be named using the
    same Agent instance.

  https://techdocs.broadcom.com/content/broadcom/techdocs/us/en/ca-enterprise-software/layer7-identity-and-access-management/single-sign-on/12-8-03/configuring/web-agent-configuration/security-zones-for-single-sign-on.html

For the SDK Agent, you'll find the description of the function that
sets the zone here:

  Sm_AgentApi_CreateSSOToken()

    Syntax

      int SM_EXTERN Sm_AgentApi_CreateSSOToken (
          const void*                      pHandle,
          Sm_AgentApi_Session_t*           pSession,
          long                             nNumAttributes,
          Sm_AgentApi_Attribute_t*         pTokenAttributes,
          long*                            pNumSSOTokenLength,
          char*                            lpszSSOToken
      );

    pTokenAttributes

     SM_AGENTAPI_ATTR_SSOZONE The designation of the SSO zone name. If
     you do not specify a zone name, the default is "SM." This value
     is in the attribute list that is returned by the
     Sm_AgentApi_DecodeSSOToken method. Any other attribute is
     ignored.

  https://techdocs.broadcom.com/content/broadcom/techdocs/us/en/ca-enterprise-software/layer7-identity-and-access-management/single-sign-on/12-8-03/programming/sdks/programming-in-c/agent-api-function-declarations-c/sm-agentapi-createssotoken.html
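To see how the two halves fit together, here is an added C model (not SiteMinder or SDK code) of the zone check a Web Agent applies when it finds a <zone>SESSION cookie: the zone prefix is whatever the SDK agent passed in SM_AGENTAPI_ATTR_SSOZONE, and the Web Agent accepts the cookie only if that prefix equals its own SSOZoneName or appears in its SSOTrustedZone list. The function names zone_from_cookie and agent_accepts are assumptions, as is the comma-separated, space-free form of the trusted list.

```c
#include <stdio.h>
#include <string.h>

#define SESSION_SUFFIX "SESSION"
#define MAX_ZONE 64

/* Extract the zone prefix from a session cookie name ("XYZSESSION" -> "XYZ").
 * Returns 1 on success, 0 if the name is not a <zone>SESSION cookie. */
int zone_from_cookie(const char *cookie_name, char *zone, size_t zone_sz)
{
    size_t n = strlen(cookie_name), s = strlen(SESSION_SUFFIX);
    if (n <= s || strcmp(cookie_name + n - s, SESSION_SUFFIX) != 0)
        return 0;                       /* no zone prefix or wrong suffix */
    if (n - s >= zone_sz)
        return 0;                       /* prefix too long for the buffer */
    memcpy(zone, cookie_name, n - s);
    zone[n - s] = '\0';
    return 1;
}

/* Model of the Web Agent's zone check (assumed logic, not the product's code):
 * the cookie is accepted when its zone is the agent's local SSOZoneName
 * (implicitly trusted) or is listed in the comma-separated SSOTrustedZone
 * value. Returns 1 = accept, 0 = reject (zone mismatch). */
int agent_accepts(const char *sso_zone_name, const char *sso_trusted_zone,
                  const char *cookie_name)
{
    char zone[MAX_ZONE];
    if (!zone_from_cookie(cookie_name, zone, sizeof zone))
        return 0;
    if (strcmp(zone, sso_zone_name) == 0)
        return 1;                       /* local zone, e.g. "SM" */
    const char *p = sso_trusted_zone;   /* walk the trusted list in place */
    while (p && *p) {
        const char *comma = strchr(p, ',');
        size_t len = comma ? (size_t)(comma - p) : strlen(p);
        if (len == strlen(zone) && strncmp(p, zone, len) == 0)
            return 1;
        p = comma ? comma + 1 : NULL;
    }
    return 0;
}

int main(void)
{
    /* Constructed scenario from the article: the SDK agent writes XYZSESSION
     * while the Web Agent's local zone is the default "SM". */
    printf("SSOTrustedZone empty: XYZSESSION -> %s\n",
           agent_accepts("SM", "", "XYZSESSION") ? "accept" : "reject (XYZ != SM)");
    printf("SSOTrustedZone=XYZ:   XYZSESSION -> %s\n",
           agent_accepts("SM", "XYZ", "XYZSESSION") ? "accept" : "reject");
    return 0;
}
```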