Query : GUID Cookie Validity Duration (Seconds)

Article ID: 205691

Products

CA Single Sign On Secure Proxy Server (SiteMinder)
CA Single Sign On Agents (SiteMinder)
CA Single Sign On Federation (SiteMinder)
CA Single Sign On SOA Security Manager (SiteMinder)
SITEMINDER

Issue/Introduction

 

We're running an AdminUI and when we configure a partnership, we'd
like to know the purpose of the following parameters :

  1. GUID Cookie Validity Duration (Seconds)
  2. Use Secure URL

What do these parameters actually do?

 

Environment

 

Policy Server 12.8SP3 on RedHat 6;
AdminUI 12.8SP3 on RedHat 6;

 

Resolution

 

According to the documentation:

  1. This parameter manages the AuthnRequest state and ensures that the
     FED TEMPORARY STATE cookie is still valid.

     As you've seen, it applies only when the Authentication Request
     Binding is set to HTTP-POST.

     While processing an HTTP-POST AuthnRequest, the IdP service checks
     that the Fed temporary state cookie is present and compares it
     against the timestamp carried by the GUID cookie.

     GUID Cookie Validity Duration (Seconds)

       Defines the time period in seconds the GUID cookie is
       valid. Configure this value to manage the AuthnRequest state when
       the AuthnRequest binding is set to HTTP-POST.

     https://techdocs.broadcom.com/us/en/symantec-security-software/identity-security/siteminder/12-8/using/administrative-ui/federation-partnerships-reference/sso-and-slo-dialog-saml-2-0-idp.html

   Previously this cookie had a fixed timeout of 3 minutes; since the
   following fix the value is configurable:

     Federation GUID cookie has expiration of only 3 minutes

       For POST Authnrequest Bindings, we generate a persistent GUID
       cookie. By default, we set this cookie expiration time to 3
       minutes. Once the expiration time has passed, we end up with an
       error.
       
       Added new text field with name "GUID Cookie Validity Duration
       (Seconds)", in SAML2, IDP-SP Partnership, to provide value, when
       AuthnRequest POST Binding is selected. This value should be >=180
       and <=9999.

     https://knowledge.broadcom.com/external/article?articleId=7361

     Support for Configuring GUID Cookie Validity Duration

       From 12.52 SP1 CR08, the GUID Cookie Validity Duration
       (Seconds) parameter is added in the Administrative UI to manage
       the AuthnRequest state when the AuthnRequest binding is
       configured to HTTP-POST. The parameter defines the time period
       in seconds the GUID cookie is valid. Configure this value to
       manage the AuthnRequest state when the AuthnRequest binding is
       set to HTTP-POST.
  
     https://techdocs.broadcom.com/us/en/symantec-security-software/identity-security/siteminder/12-52-01/release-notes/new-features/federation-new-features.html
     

  2. This setting encrypts the SMPORTALURL query parameter:

     Use Secure URL

       This setting instructs the single sign-on service to encrypt only
       the SMPORTALURL query parameter. An encrypted SMPORTALURL
       prevents a malicious user from modifying the value and
       redirecting authenticated users to a malicious website. The
       SMPORTALURL is appended to the Authentication URL before the
       browser redirects the user to establish a session. After the user
       is authenticated, the browser directs the user back to the
       destination specified in the SMPORTALURL query parameter.

       If you select the Use Secure URL check box, complete the
       following steps:

       1. Set the Authentication URL field to the following URL:
          http(s)://idp_server:port/affwebservices/secure/secureredirect

       2. Protect the secureredirect web service with a policy.

       If the asserting party serves more than one relying partner, the
       asserting party probably authenticates different users for these
       different partners. As a result, for each Authentication URL that
       uses the secureredirect service, include this web service in a
       different realm for each partner.

       To associate the secureredirect service with different realms,
       modify the web.xml file and create different resource
       mappings. Do not copy the secureredirect web service to different
       locations on your server. Locate the web.xml file in the
       directory web_agent_home/affwebservices/WEB-INF, where
       web_agent_home is the installed location of the web agent.

     https://techdocs.broadcom.com/us/en/symantec-security-software/identity-security/siteminder/12-8/using/administrative-ui/federation-partnerships-reference/sso-and-slo-dialog-saml-2-0-idp.html

  This feature also addresses a known open-redirect weakness:

     Federation SMPORTALURL vulnerability

       How can the Federation SMPORTALURL be secured from OpenRedirect
       Vulnerability as today it can be manipulated and user can be
       redirected to a malicious target .

       - The SMPORTALURL Vulnerability was addressed within 12.52 SP2
         Release where a "Use Secure URL" check box was introduced to
         encrypt only the SMPORTALURL query parameter.

     https://knowledge.broadcom.com/external/article?articleId=12269

Because the HTTP-POST AuthnRequest binding is supported only in
Partnership Federation, the GUID cookie setting does not apply to
Legacy Federation.
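The following is an added example, not SiteMinder code, that models the
check item 1 describes: a state cookie minted when the POST AuthnRequest
is issued, and an IdP-side check that the cookie is present, unmodified
and no older than the configured GUID Cookie Validity Duration (180 to
9999 seconds, with 180 s being the old fixed value). The cookie layout,
the HMAC tag and the demo key are assumptions of this model; the product's
real cookie format is not documented on this page. The demo shows the
failure mode the KB mentions (a login that takes longer than 3 minutes
fails at the default and succeeds once the partnership allows 600 s) and
why the client cannot simply rewrite the timestamp.

```python
import base64
import hashlib
import hmac
import json
import secrets
import time

# Range the Administrative UI accepts for "GUID Cookie Validity Duration
# (Seconds)" per the KB: >= 180 and <= 9999. 180 s is the old fixed value.
GUID_VALIDITY_MIN = 180
GUID_VALIDITY_MAX = 9999
LEGACY_FIXED_VALIDITY = 180

# Constructed demo key. Cookie layout, key handling and the HMAC tag are
# assumptions of this model, not SiteMinder's actual GUID cookie format.
DEMO_KEY = b"demo-idp-state-key"
_TAG_LEN = 32  # SHA-256 HMAC tag appended to the JSON payload


def validate_validity_setting(seconds):
    """Return the setting if it is inside the range the UI accepts, else raise."""
    if not isinstance(seconds, int) or not GUID_VALIDITY_MIN <= seconds <= GUID_VALIDITY_MAX:
        raise ValueError(
            f"GUID Cookie Validity Duration must be between {GUID_VALIDITY_MIN} "
            f"and {GUID_VALIDITY_MAX} seconds, got {seconds!r}"
        )
    return seconds


def issue_guid_cookie(key=DEMO_KEY, now=None):
    """Mint the state cookie set alongside a POST AuthnRequest: a random GUID
    plus the issue timestamp, tagged with an HMAC so the client cannot push
    the timestamp forward to extend its own validity window."""
    now = int(time.time()) if now is None else int(now)
    payload = json.dumps({"guid": secrets.token_hex(16), "ts": now},
                         separators=(",", ":")).encode()
    tag = hmac.new(key, payload, hashlib.sha256).digest()
    return base64.urlsafe_b64encode(payload + tag).decode()


def check_guid_cookie(cookie, validity_seconds, key=DEMO_KEY, now=None):
    """IdP-side check: the cookie must be present, unmodified and no older
    than the configured validity. Returns (True, guid) or (False, reason)."""
    validate_validity_setting(validity_seconds)
    now = int(time.time()) if now is None else int(now)
    if not cookie:
        return False, "missing: no GUID cookie, AuthnRequest state cannot be recovered"
    try:
        raw = base64.urlsafe_b64decode(cookie.encode())
    except ValueError:
        return False, "malformed: not base64"
    if len(raw) <= _TAG_LEN:
        return False, "malformed: too short"
    payload, tag = raw[:-_TAG_LEN], raw[-_TAG_LEN:]
    if not hmac.compare_digest(tag, hmac.new(key, payload, hashlib.sha256).digest()):
        return False, "tampered: HMAC tag does not match"
    state = json.loads(payload)
    age = now - int(state["ts"])
    if age < 0:
        return False, "tampered: timestamp is in the future"
    if age > validity_seconds:
        return False, f"expired: cookie is {age}s old, validity is {validity_seconds}s"
    return True, state["guid"]


def forge_timestamp(cookie, new_ts):
    """What a client would have to do to extend its own window: rewrite the
    timestamp in the payload while keeping the old tag. The check rejects it."""
    raw = base64.urlsafe_b64decode(cookie.encode())
    payload, tag = raw[:-_TAG_LEN], raw[-_TAG_LEN:]
    state = json.loads(payload)
    state["ts"] = int(new_ts)
    forged = json.dumps(state, separators=(",", ":")).encode()
    return base64.urlsafe_b64encode(forged + tag).decode()


if __name__ == "__main__":
    issued_at = 1_700_000_000
    cookie = issue_guid_cookie(now=issued_at)
    # Within the old 3-minute default: accepted.
    print(check_guid_cookie(cookie, LEGACY_FIXED_VALIDITY, now=issued_at + 170))
    # A user who takes 4 minutes on the IdP login page: rejected at 180 s ...
    print(check_guid_cookie(cookie, LEGACY_FIXED_VALIDITY, now=issued_at + 240))
    # ... but accepted once the partnership is configured for 600 s.
    print(check_guid_cookie(cookie, 600, now=issued_at + 240))
    # Client-side attempt to refresh the timestamp: rejected.
    print(check_guid_cookie(forge_timestamp(cookie, issued_at + 240), 600, now=issued_at + 240))
```

When raising the setting in a real partnership, the trade-off is the one
the check makes explicit: a longer validity tolerates slow logins but also
lengthens the window in which a captured state cookie stays usable, so
keep it as close to the observed login duration as the user population
allows.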
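The following is an added example, not SiteMinder code, showing the open
redirect item 2 and the SMPORTALURL KB article describe, beside the
behaviour Use Secure URL gives you. The unprotected pair appends
SMPORTALURL in clear text and follows it after login, so anyone who edits
the link controls where the authenticated user ends up. The protected pair
points the Authentication URL at the secureredirect service and only
follows a value the IdP itself produced. One substitution to note: the
product encrypts the parameter, whereas this example seals it with an
HMAC, which is tamper-evident but not confidential; the property that
defeats the open redirect, a modified value being rejected rather than
followed, is the same. The host names, the /idp/login path and the key are
constructed for the demo.

```python
import base64
import hashlib
import hmac
from urllib.parse import parse_qs, urlencode, urlsplit

# Constructed values for the demo. The key and the token layout are
# assumptions; SiteMinder encrypts the parameter with its own key material.
IDP_BASE = "https://idp.example.com"
SEAL_KEY = b"demo-smportalurl-key"
_TAG_LEN = 32


def build_auth_url_unprotected(auth_url, portal_url):
    """Without Use Secure URL: SMPORTALURL is appended in clear text."""
    return auth_url + "?" + urlencode({"SMPORTALURL": portal_url})


def redirect_target_unprotected(request_url):
    """The open redirect: after login the browser is sent wherever the
    query parameter says, so a link with a swapped value reaches any site."""
    qs = parse_qs(urlsplit(request_url).query)
    return qs.get("SMPORTALURL", [None])[0]


def seal(value, key=SEAL_KEY):
    """IdP-side: bind the destination to a key only the IdP holds."""
    data = value.encode()
    tag = hmac.new(key, data, hashlib.sha256).digest()
    return base64.urlsafe_b64encode(data + tag).decode()


def unseal(token, key=SEAL_KEY):
    """Return the original value, or None if the token was altered or forged."""
    try:
        raw = base64.urlsafe_b64decode(token.encode())
    except ValueError:
        return None
    if len(raw) <= _TAG_LEN:
        return None
    data, tag = raw[:-_TAG_LEN], raw[-_TAG_LEN:]
    if not hmac.compare_digest(tag, hmac.new(key, data, hashlib.sha256).digest()):
        return None
    return data.decode()


def build_auth_url_secure(portal_url, idp_base=IDP_BASE):
    """With Use Secure URL: the Authentication URL is the secureredirect
    service (the path the KB gives) and SMPORTALURL carries the sealed value."""
    auth_url = f"{idp_base}/affwebservices/secure/secureredirect"
    return auth_url + "?" + urlencode({"SMPORTALURL": seal(portal_url)})


def redirect_target_secure(request_url):
    """secureredirect side: only a value sealed by the IdP is followed; a
    rewritten or injected value yields None, which the caller must treat
    as an error, never as a destination."""
    qs = parse_qs(urlsplit(request_url).query)
    token = qs.get("SMPORTALURL", [None])[0]
    return unseal(token) if token else None


def swap_smportalurl(url, new_value):
    """Attacker step: take a legitimate link and replace SMPORTALURL."""
    parts = urlsplit(url)
    qs = parse_qs(parts.query)
    qs["SMPORTALURL"] = [new_value]
    return parts._replace(query=urlencode(qs, doseq=True)).geturl()


if __name__ == "__main__":
    legit = "https://portal.example.com/home"
    evil = "https://attacker.example/phish"
    plain = build_auth_url_unprotected(IDP_BASE + "/idp/login", legit)
    print(redirect_target_unprotected(swap_smportalurl(plain, evil)))  # attacker's site
    sealed = build_auth_url_secure(legit)
    print(redirect_target_secure(sealed))                               # legit portal
    print(redirect_target_secure(swap_smportalurl(sealed, evil)))       # None
```

Sealing the parameter is only half of what the KB asks for: the
secureredirect web service must itself sit behind a policy, otherwise an
unauthenticated request can still drive the redirect logic, and each
partner's Authentication URL should map to its own realm via web.xml so
users authenticated for one partner are not redirected on behalf of
another.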