Validate Reject Invalid Session IP in Policy Server

Article ID: 211483


Products

CA Single Sign On Agents (SiteMinder)
SITEMINDER
CA Single Sign On Secure Proxy Server (SiteMinder)

Issue/Introduction

 

When a Policy Server authorizes a user's request for a resource, the authorization sometimes fails and the Policy Server smaccess log reports:

   Invalid session ip 

This can happen even though CustomIPHeader and ProxyDefinitions are configured on the Web Agent (1).

 

Resolution

 

First, if IP checking is not needed, this validation can be switched off by setting the Web Agent ACO parameter TransientIPCheck="NO" (2). Note that this removes the binding between a session and the client IP address it was created from, so this check no longer stops an SMSESSION cookie being replayed from another address; choose it only when the client address cannot be determined reliably.

Second, ProxyDefinitions cannot be a subnet; it must list individual proxy IP addresses. Even when the front-end servers present several addresses, the Web Agent accepts only a single IP address in the value of the CustomIPHeader header for a given Web Agent (3). In the current Web Agent code, only one IP address is accepted from the value of X-Forwarded-For (3), so the header must reach the Web Agent carrying exactly one address, not the comma-separated chain that each additional proxy hop appends.

Third, if the front end is the Layer7 API Gateway, it reads only a handful of ACO parameters, and CustomIPHeader is not among them (4).

In light of that, the following configurations behave as described:

If 

   CustomIPHeader = x-forwarded-for
   ProxyDefinitions = <empty>

Then

   the CustomIPHeader is used to resolve the client IP.

If 

   CustomIPHeader = x-forwarded-for
   ProxyDefinitions = Ip1, Ip2

Then 

   the CustomIPHeader is used only if the actual client IP (REMOTE_ADDR) matches one of the defined proxy devices; otherwise, the normal client IP (REMOTE_ADDR) is used.

About the AUTO value that can be set for ProxyDefinitions.

AUTO means:

  • If the request comes from a proxy that is not in the ProxyDefinitions list, access is allowed using REMOTE_ADDR.
  • AUTO also allows direct access to the application, bypassing all proxies, since the Web Agent then allows access using REMOTE_ADDR.
  • If AUTO is not set in ProxyDefinitions but an IP is set, the Web Agent uses the CustomIPHeader only if REMOTE_ADDR matches the IP defined in ProxyDefinitions.
  • If ProxyDefinitions is not set in the ACO, it has an empty value by default.

Finally, if neither CustomIPHeader nor ProxyDefinitions is used, the client IP (REMOTE_ADDR) is used as normal.
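The resolution rules above (the empty and listed ProxyDefinitions cases, the AUTO bullets and the single-address limit in (3)), followed by the session IP comparison that TransientIPCheck controls, as an added Python model. This is not SiteMinder code and is not part of the original article: the Aco class, the function names, the source strings and the sample addresses are constructed. The page does not say what the agent does with a header carrying several addresses, so treating such a header as unusable and falling back to REMOTE_ADDR is an assumption of the model, as is placing the session comparison in check_session_ip.

```python
"""Model of the client-IP resolution this article describes (CustomIPHeader,
ProxyDefinitions, the single-address limit on the header value) and of the
session IP comparison that TransientIPCheck controls.

Added illustration, not SiteMinder code. The Aco class, the function names,
the 'source' strings and the sample requests are constructed. How the agent
reacts to a header carrying several addresses is an assumption (see _single_ip).
"""
from dataclasses import dataclass, field
from ipaddress import ip_address
from typing import Dict, List, Optional, Tuple


@dataclass
class Aco:
    custom_ip_header: Optional[str] = None            # CustomIPHeader, e.g. "x-forwarded-for"
    proxy_definitions: List[str] = field(default_factory=list)  # ProxyDefinitions: IPs and/or "AUTO"
    transient_ip_check: bool = True                   # TransientIPCheck="YES" or "NO"


def _single_ip(value: Optional[str]) -> Optional[str]:
    """Return the header value if it is exactly one valid IP address, else None.

    The Web Agent accepts only one IP from the header (3). A comma-separated
    chain such as "client, proxy2" is treated here as unusable, so the caller
    falls back to REMOTE_ADDR: that fallback is an assumption of this model.
    """
    if value is None or "," in value:
        return None
    try:
        return str(ip_address(value.strip()))
    except ValueError:
        return None


def resolve_client_ip(aco: Aco, remote_addr: str, headers: Dict[str, str]) -> Tuple[str, str]:
    """Return (client_ip, source) following the rules in the article.

    headers maps lowercase header names to values.
    """
    if not aco.custom_ip_header:
        return remote_addr, "REMOTE_ADDR (no CustomIPHeader)"
    # AUTO is not a proxy address; unlisted proxies and direct access use REMOTE_ADDR.
    proxies = {p.strip() for p in aco.proxy_definitions if p.strip().upper() != "AUTO"}
    if proxies and remote_addr not in proxies:
        return remote_addr, "REMOTE_ADDR (proxy not in ProxyDefinitions)"
    header_ip = _single_ip(headers.get(aco.custom_ip_header.lower()))
    if header_ip is None:
        return remote_addr, "REMOTE_ADDR (header absent or not a single IP)"
    return header_ip, aco.custom_ip_header


def check_session_ip(aco: Aco, session_ip: str, client_ip: str) -> Tuple[bool, str]:
    """Compare the IP bound to the session at login with the IP resolved for
    this request; a mismatch is the 'Invalid session ip' rejection.
    TransientIPCheck="NO" switches the comparison off entirely."""
    if not aco.transient_ip_check:
        return True, "TransientIPCheck=NO: IP binding not enforced"
    if session_ip == client_ip:
        return True, "session ip matches"
    return False, "Invalid session ip"


def walk_through() -> Dict[str, bool]:
    """Constructed scenarios for a session created from client 198.51.100.7
    behind front-end proxy 10.0.0.5. Returns scenario name -> authorized?"""
    session_ip = "198.51.100.7"
    results = {}

    # 1. ProxyDefinitions empty: the header is trusted from any source.
    aco = Aco("x-forwarded-for", [])
    ip, _ = resolve_client_ip(aco, "10.0.0.5", {"x-forwarded-for": "198.51.100.7"})
    results["empty_proxydefs"] = check_session_ip(aco, session_ip, ip)[0]

    # 2. Only 10.0.0.5 is listed; a second front end 10.0.0.6 forwards the next
    #    request, so REMOTE_ADDR (10.0.0.6) is used and no longer matches the session.
    aco = Aco("x-forwarded-for", ["10.0.0.5"])
    ip, _ = resolve_client_ip(aco, "10.0.0.6", {"x-forwarded-for": "198.51.100.7"})
    results["unlisted_front_end"] = check_session_ip(aco, session_ip, ip)[0]

    # 3. A second proxy hop appended its address: the header now carries two
    #    IPs, which the agent does not accept as a single value.
    ip, _ = resolve_client_ip(aco, "10.0.0.5", {"x-forwarded-for": "198.51.100.7, 10.0.0.8"})
    results["two_hop_chain"] = check_session_ip(aco, session_ip, ip)[0]

    # 4. Same request with TransientIPCheck="NO": the mismatch is ignored.
    aco_off = Aco("x-forwarded-for", ["10.0.0.5"], transient_ip_check=False)
    results["transient_ip_check_no"] = check_session_ip(aco_off, session_ip, ip)[0]
    return results


if __name__ == "__main__":
    for name, ok in walk_through().items():
        print(f"{name:24} {'authorized' if ok else 'Invalid session ip'}")
```

Scenario 2 is the multi-address front end from the second point above and scenario 3 is the two-hop X-Forwarded-For chain; both end in "Invalid session ip" with TransientIPCheck left at its default, which is the symptom this article is about. Scenario 4 shows that TransientIPCheck="NO" makes the error disappear only because the comparison is no longer made, not because the client address is resolved correctly.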

 

Additional Information

 

(1)

    Default HTTP Headers Used by the Product
    

(2)

    Error: Invalid session ip in Policy Server

      In Web Agent, this IP validation can be overridden by setting the ACO parameter TransientIPCheck="NO".

    

(3)

    How works WebAgent ACO parameter CustomIPHeader

      [...]

      The Web Agent only accepts a single value, motivated by security concerns.

      CustomIPHeader accepts a single value because security attacks are possible if SiteMinder would allow multiple values:
      
      [...]

     

(4)

    Can you suggest how to implement grace period

      As you know already, the API Gateway only supports 9 ACO parameters at the moment:

       Fetch ACO Properties to the Gateway Policy for Composing SMSESSION Cookie with SSOToken

         The following ACO parameters compose the SMSESSION cookie string:

           ATTR_ACO_SSOZoneName constitutes SSOZoneName property
           ATTR_ACO_CookiePath and ATTR_ACO_CookiePathScope constitute Path property
           ATTR_ACO_CookieDomain and ATTR_ACO_CookieDomainScope constitute Domain property
           ATTR_ACO_PersistentCookies and ATTR_ACO_CookieValidationPeriod constitute Expires property
           ATTR_ACO_UseSecureCookies is used to indicate secure flag
           ATTR_ACO_UseHttpOnlyCookies is used to indicate http only

         Note: Except for the above ACO parameters, Gateway does not use any other ACO parameters.

      https://techdocs.broadcom.com/content/broadcom/techdocs/us/en/ca-enterprise-software/layer7-api-management/api-gateway/9-4/reference/context-variables/ca-single-sign-on-context-variables.html