Validate Reject Invalid Session IP

Article ID: 211483

Products

CA Single Sign On Agents (SiteMinder), SITEMINDER, CA Single Sign On Secure Proxy Server (SiteMinder)

Issue/Introduction

When running a Policy Server, the authorization of a user to access a
resource often fails and the Policy Server smaccess log reports:

   Invalid session ip

This can occur even though CustomIPHeader and ProxyDefinitions have
been configured (1).


Resolution

At first glance, if you do not want IP checking at all, you can
override this behavior by configuring TransientIPCheck="NO" (2).

Second, the ProxyDefinition cannot be a subnet. Even if the front-end
servers handle multiple IPs, CustomIPHeader accepts only one value for
a given Web Agent (3).

Third, if the server is the API Gateway, be aware that it handles only
a few ACO parameters, and CustomIPHeader is not among them (4).

In the current code, the Web Agent accepts only one IP from the value
of X-Forwarded-For (5).

In light of that, the configuration behaves as follows:

If

   customipheader = x-forwarded-for
   ProxyDefinitions = <empty>

Then

   the CustomIpHeader is used to resolve the Client IP.

If

   customipheader = x-forwarded-for
   ProxyDefinitions = Ip1, Ip2

Then

   the CustomIpHeader is only used if the actual ClientIp
   (REMOTE_ADDR) matches one of the defined proxy devices; otherwise,
   the normal ClientIp is used.

About the AUTO value that you can set for ProxyDefinitions.

AUTO means:

If the request comes from a proxy and that proxy is not in the list of
ProxyDefinitions, access is allowed using Remote_Addr.

AUTO also allows direct access to the application, bypassing all
proxies, as the Web Agent allows access using Remote_Addr.

If AUTO is not set in ProxyDefinitions but an IP is set, then the Web
Agent uses CustomIpHeader only if Remote_Addr matches the IP defined
in ProxyDefinitions.

If ProxyDefinitions is not set in the ACO, it has an empty value by
default.

Finally, if neither CustomIpHeader nor ProxyDefinitions is used, then
ClientIp is used as normal.
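To make the decision table above concrete, here is an added example (not Web Agent code) that models how the Client IP is resolved from Remote_Addr, CustomIPHeader and ProxyDefinitions, and how a session IP mismatch then arises. The AcoConfig class, the function names and all IP addresses are constructed for this illustration; the choice to fall back to Remote_Addr when the header carries more than one value is an assumption, since the article only states that a single value is accepted.

```python
from dataclasses import dataclass
from typing import Dict, Optional


@dataclass
class AcoConfig:
    """Hypothetical model of the three ACO parameters the article discusses."""
    custom_ip_header: Optional[str] = None   # e.g. "x-forwarded-for"
    proxy_definitions: str = ""              # "", "Ip1, Ip2" or "AUTO"
    transient_ip_check: str = "YES"          # "NO" disables the session IP check


def resolve_client_ip(remote_addr: str, headers: Dict[str, str], aco: AcoConfig) -> str:
    """Pick the Client IP following the article's If/Then rules."""
    if not aco.custom_ip_header:
        return remote_addr                   # neither parameter used: ClientIp as normal
    hdrs = {k.lower(): v.strip() for k, v in headers.items()}
    header_ip = hdrs.get(aco.custom_ip_header.lower(), "")
    # Only one IP is accepted from the header; a comma-separated list is
    # treated as unusable here (assumption) and Remote_Addr is used instead.
    if not header_ip or "," in header_ip:
        return remote_addr
    defs = [d.strip() for d in aco.proxy_definitions.split(",") if d.strip()]
    if not defs:
        return header_ip                     # empty ProxyDefinitions: header resolves the IP
    listed_proxies = [d for d in defs if d.upper() != "AUTO"]
    if remote_addr in listed_proxies:
        return header_ip                     # request came through a defined proxy device
    return remote_addr                       # AUTO, or an unlisted proxy: use Remote_Addr


def session_ip_valid(session_ip: str, remote_addr: str,
                     headers: Dict[str, str], aco: AcoConfig) -> bool:
    """Mimic the Policy Server check that yields 'Invalid session ip'."""
    if aco.transient_ip_check.upper() == "NO":
        return True                          # TransientIPCheck="NO" overrides the check
    return resolve_client_ip(remote_addr, headers, aco) == session_ip


if __name__ == "__main__":
    # Constructed scenario: two front-end proxies, only one listed in ProxyDefinitions.
    aco = AcoConfig(custom_ip_header="x-forwarded-for", proxy_definitions="10.0.0.5")
    xff = {"X-Forwarded-For": "203.0.113.7"}
    session_ip = resolve_client_ip("10.0.0.5", xff, aco)      # login via listed proxy
    print("session ip:", session_ip)
    # Later request arrives via the second, unlisted proxy 10.0.0.6.
    print("valid:", session_ip_valid(session_ip, "10.0.0.6", xff, aco))
```

Running the scenario shows the session bound to 203.0.113.7 and the next request through the unlisted proxy resolving to 10.0.0.6, which is exactly the mismatch the smaccess log reports when ProxyDefinitions does not name every front-end IP.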


Additional Information


(1)

    Default HTTP Headers Used by the Product
    https://techdocs.broadcom.com/us/en/symantec-security-software/identity-security/siteminder/12-7/configuring/web-agent-configuration/web-application-protection/default-http-headers-used-by-the-product.html


(2)

    Policy Server reporting "Invalid session ip"

      In Web Agent, we override this IP validation by setting the
      ACO parameter TransientIPCheck="NO".

    https://knowledge.broadcom.com/external/article?articleId=36892

(3)

    How works WebAgent ACO parameter CustomIPHeader

      [...]

      The Web Agent accepting only a single value is motivated by
      security concerns.

      CustomIPHeader accepts a single value because of the security
      attacks that would be possible if SiteMinder allowed multiple values:

      [...]

    https://knowledge.broadcom.com/external/article?articleId=36859 

(4)

    Can you suggest how to implement grace period

      As you know already, the API Gateway only supports 9 ACO parameters at the moment:

      Fetch ACO Properties to the Gateway Policy for Composing SMSESSION
      Cookie with SSOToken

      The following list of ACO parameters compose the SMSESSION cookie string:

        ATTR_ACO_SSOZoneName constitutes the SSOZoneName property
        ATTR_ACO_CookiePath and ATTR_ACO_CookiePathScope constitute the Path property
        ATTR_ACO_CookieDomain and ATTR_ACO_CookieDomainScope constitute the Domain property
        ATTR_ACO_PersistentCookies and ATTR_ACO_CookieValidationPeriod constitute the Expires property
        ATTR_ACO_UseSecureCookies is used to indicate the secure flag
        ATTR_ACO_UseHttpOnlyCookies is used to indicate http only

      Note: Except for the above ACO parameters, the Gateway does not use
      any other ACO parameters.

      https://techdocs.broadcom.com/content/broadcom/techdocs/us/en/ca-enterprise-software/layer7-api-management/api-gateway/9-4/reference/context-variables/ca-single-sign-on-context-variables.html

    https://knowledge.broadcom.com/external/article?articleId=143720

(5)

    Same article as (3): How works WebAgent ACO parameter CustomIPHeader

    https://knowledge.broadcom.com/external/article?articleId=36859