When running a Policy Server, it often happens that the authorization of a user to access a resource fails and the Policy Server smaccess log reports:
Invalid session ip
This can occur even though CustomIPHeader and ProxyDefinitions are configured (1).
At first glance, if IP checking is not needed, this behavior can be overridden by configuring TransientIPCheck="NO" (2). Be aware that with this setting the Policy Server no longer verifies that the IP of the current request matches the IP bound to the session, so a stolen SMSESSION cookie can be replayed from another address; where possible, fix the header configuration described below instead.
Second, ProxyDefinitions must list individual proxy IP addresses; a subnet is not accepted. And even when the front-end servers forward a chain of addresses, CustomIPHeader accepts only one value (a single IP) for a given Web Agent (3).
Third, if the server is the API Gateway, it handles only a small fixed set of ACO parameters, and CustomIPHeader is not among them (4).
In the current code, the Web Agent takes only one IP from the value of X-Forwarded-For (3), so the header has to carry a single address rather than the comma-separated chain that proxies commonly build.
In light of that, having configured:

If
    customipheader = x-forwarded-for
    ProxyDefinitions = <empty>
Then
    the CustomIpHeader is used to resolve the client IP.

If
    customipheader = x-forwarded-for
    ProxyDefinitions = Ip1, Ip2
Then
    the CustomIpHeader is only used if the actual client IP (REMOTE_ADDR) matches one of the defined proxy devices; otherwise, the normal client IP (REMOTE_ADDR) is used.
About the AUTO value that can be set for ProxyDefinitions.
AUTO means:
Finally, if neither CustomIpHeader nor ProxyDefinitions is used, then the client IP (REMOTE_ADDR) is used as normal.
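As an added example (not code from the original article or from SiteMinder), the following Python model applies the resolution rules above to a few constructed requests and shows the session IP comparison that ends in "Invalid session ip". The ACO parameter names are the real ones; the addresses, the fallback to REMOTE_ADDR when the header is absent, and the treatment of a multi-valued X-Forwarded-For as invalid are assumptions made for the illustration. The AUTO value of ProxyDefinitions is not modelled.

```python
"""Model of the client-IP resolution described above and of the session
IP check behind "Invalid session ip".  Illustrative code written for this
page; it is not SiteMinder's own implementation.  ACO parameter names are
SiteMinder's; addresses, header values, the absent-header fallback and the
handling of a multi-valued header are constructed assumptions."""

from dataclasses import dataclass
from ipaddress import ip_address


@dataclass
class AgentConfig:
    custom_ip_header: str = ""       # CustomIpHeader, e.g. "x-forwarded-for"
    proxy_definitions: str = ""      # ProxyDefinitions: comma-separated proxy IPs, or empty
    transient_ip_check: str = "YES"  # TransientIPCheck: "YES" (default) or "NO"

    def proxies(self) -> set:
        # Individual IPs only; a subnet such as "10.0.0.0/24" is not a valid
        # entry and raises ValueError here.
        out = set()
        for p in self.proxy_definitions.split(","):
            p = p.strip()
            if p:
                ip_address(p)
                out.add(p)
        return out


class InvalidHeaderValue(ValueError):
    """The custom header does not carry exactly one IP address."""


def single_ip(value: str) -> str:
    """The Web Agent accepts one IP in the header value.  A multi-hop chain
    such as "203.0.113.10, 10.0.0.9" is treated as invalid (assumption: the
    article only states that a single IP is accepted)."""
    parts = [p.strip() for p in value.split(",")]
    if len(parts) != 1 or not parts[0]:
        raise InvalidHeaderValue(f"expected a single IP, got {value!r}")
    ip_address(parts[0])  # ValueError if not an IP literal
    return parts[0]


def resolve_client_ip(cfg: AgentConfig, remote_addr: str, headers: dict) -> str:
    """The three cases from the text, in order."""
    name = cfg.custom_ip_header.strip().lower()
    if not name:
        return remote_addr  # neither CustomIpHeader nor ProxyDefinitions in use
    proxies = cfg.proxies()
    if proxies and remote_addr not in proxies:
        # ProxyDefinitions set and REMOTE_ADDR is not a listed proxy: the
        # header is ignored, which stops a direct client from spoofing its IP.
        return remote_addr
    value = next((v for k, v in headers.items() if k.lower() == name), None)
    if value is None:
        return remote_addr  # assumption: absent header falls back to REMOTE_ADDR
    return single_ip(value)


def check_session_ip(cfg: AgentConfig, session_ip: str, request_ip: str) -> bool:
    """Policy Server side: with TransientIPCheck=YES the IP bound to the
    session must equal the IP resolved for the current request.  NO skips
    the check, so a cookie replayed from another address passes."""
    if cfg.transient_ip_check.strip().upper() == "NO":
        return True
    return session_ip == request_ip


def demo() -> dict:
    """Three constructed requests against one configuration."""
    cfg = AgentConfig(custom_ip_header="x-forwarded-for",
                      proxy_definitions="10.0.0.5, 10.0.0.6")
    results = {}
    # Via a listed proxy carrying a single client IP: header is honoured.
    results["via_proxy"] = resolve_client_ip(
        cfg, "10.0.0.5", {"X-Forwarded-For": "203.0.113.10"})
    # Direct connection presenting the same header: header is ignored.
    results["direct"] = resolve_client_ip(
        cfg, "198.51.100.7", {"X-Forwarded-For": "203.0.113.10"})
    # Via a listed proxy, but the header carries a chain: the single-value
    # rule fails and the session IP can no longer be matched.
    try:
        resolve_client_ip(cfg, "10.0.0.5",
                          {"X-Forwarded-For": "203.0.113.10, 10.0.0.9"})
        results["chain"] = "accepted"
    except InvalidHeaderValue:
        results["chain"] = "rejected"
    return results


if __name__ == "__main__":
    print(demo())  # {'via_proxy': '203.0.113.10', 'direct': '198.51.100.7', 'chain': 'rejected'}
```

The chain case is the one to look for when the log line appears despite a correct-looking configuration: most reverse proxies append to an existing X-Forwarded-For rather than replacing it, so the header reaching the Web Agent carries more than one address. Configure the front end to send a single-IP header and list each front-end address individually in ProxyDefinitions rather than turning TransientIPCheck off.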
(1)
Default HTTP Headers Used by the Product
(2)
Error: Invalid session ip in Policy Server
In the Web Agent, this IP validation can be overridden by setting the ACO parameter TransientIPCheck="NO".
(3)
How works WebAgent ACO parameter CustomIPHeader
[...]
The Web Agent only accepts a single value, motivated by security concerns.
CustomIPHeader accepts a single value because security attacks would be possible if SiteMinder allowed multiple values:
[...]
(4)
Can you suggest how to implement grace period
As you already know, the API Gateway only supports 9 ACO parameters at the moment:
Fetch ACO Properties to the Gateway Policy for Composing SMSESSION Cookie with SSOToken
The following list of ACO parameters compose the SMSESSION cookie string:
ATTR_ACO_SSOZoneName constitutes SSOZoneName property
ATTR_ACO_CookiePath and ATTR_ACO_CookiePathScope constitute Path property
ATTR_ACO_CookieDomain and ATTR_ACO_CookieDomainScope constitute Domain property
ATTR_ACO_PersistentCookies and ATTR_ACO_CookieValidationPeriod constitute Expires property
ATTR_ACO_UseSecureCookies is used to indicate secure flag
ATTR_ACO_UseHttpOnlyCookies is used to indicate http only
Note: Except for the above ACO parameters, Gateway does not use any other ACO parameters.
https://techdocs.broadcom.com/content/broadcom/techdocs/us/en/ca-enterprise-software/layer7-api-management/api-gateway/9-4/reference/context-variables/ca-single-sign-on-context-variables.html