Sessionlinker NOBLOT redirect not triggered in CA Access Gateway (SPS)


Article ID: 214230


Products

SITEMINDER CA Single Sign On Secure Proxy Server (SiteMinder)

Issue/Introduction

When Session Linker runs on CA Access Gateway (SPS) and a request has no valid session, the Session Linker doesn't redirect the browser to the configured URL.

The CA Access Gateway (SPS) Agent logs and traces also show no errors and no processing.

Cause

The CA Access Gateway (SPS) is not configured to process authorization. Because Session Linker acts at the authorization phase, no validation takes place against the cookie expected by the backend.

sps.log:

[13992/140153716033280][Tue May 04 2021 13:53:20] enableauthorization=no
[13992/140153716033280][Tue May 04 2021 13:53:20] sessionlinker=Cookie=Cookie;COOKIEPATH=/;COOKIEDOMAIN=example.com;NOBLOT;URL=/backend

sps.trace:

[05/04/2021][13:55:58][13992][140152556812032][][CSmSessionManager::EstablishSession][SM_WAF_SESSIONLINKER_PLUGIN->EstablishSession returned SmNoAction.]
[05/04/2021][13:55:58][13992][140152556812032][][CSmSessionManager::EstablishSession][Calling SM_WAF_CERTSESSIONLINKER_PLUGIN->EstablishSession.]
[05/04/2021][13:55:58][13992][140152556812032][][CSmSessionManager::EstablishSession][SM_WAF_CERTSESSIONLINKER_PLUGIN->EstablishSession returned SmNoAction.]
[05/04/2021][13:55:58][13992][140152556812032][][IsResourceProtected][Resource is protected from cache.]
[05/04/2021][13:55:58][13992][140152556812032][][CSmSessionManager::CreateSession][Calling SM_WAF_SESSIONLINKER_PLUGIN->CreateSession.]
[05/04/2021][13:55:58][13992][140152556812032][][CSmSessionManager::CreateSession][SM_WAF_SESSIONLINKER_PLUGIN->CreateSession returned SmNoAction.]
[05/04/2021][13:55:58][13992][140152556812032][][CSmSessionManager::CreateSession][Calling SM_WAF_CERTSESSIONLINKER_PLUGIN->CreateSession.]
[05/04/2021][13:55:58][13992][140152556812032][][CSmSessionManager::CreateSession][SM_WAF_CERTSESSIONLINKER_PLUGIN->CreateSession returned SmNoAction.]
[05/04/2021][13:55:58][13992][140152556812032][][ProcessRequest][ Authorization is skipped as it is not enabled. AuthenticationManager returned SmYes, end new request.]

When SPS is configured to process authorization (EnableAuthorization set to yes), the Session Linker reports actions such as "Protection", "Authentication" and "Authorization" on CA Access Gateway (SPS):

When the backend application sends a cookie:

[05/03/2021][11:48:14][7700][139625296123648][][ProcessResponses][Calling SM_WAF_SESSIONLINKER_PLUGIN->ProcessResponses.]
[05/03/2021][11:48:14][7700][139625296123648][][CSmSessionLinkerPlugin::ProcessResponses][SMSERVERSESSIONID = <value>]
[05/03/2021][11:48:14][7700][139625296123648][][CSmSessionLinkerPlugin::ProcessResponses][SMTIMETOEXPIRE = 7200]
[05/03/2021][11:48:14][7700][139625296123648][][CSmSessionLinkerPlugin::ProcessResponses][ForeignSessionIdentifier=Cookie, SmSessionID=<value>, ForeignSessionValue=<value>]
[05/03/2021][11:48:14][7700][139625296123648][][CSmSessionLinkerPlugin::ProcessResponses][New Link Added.]

When the backend application doesn't send cookies:  

[05/03/2021][11:56:47][7700][139625294018304][][CSmSessionLinkerPlugin::ProcessResponses][SMSERVERSESSIONID = <value>]
[05/03/2021][11:56:47][7700][139625294018304][][CSmSessionLinkerPlugin::ProcessResponses][SMTIMETOEXPIRE = 7200]
[05/03/2021][11:56:47][7700][139625294018304][][CSmSessionLinkerPlugin::ProcessResponses][ForeignSessionIdentifier=Cookie, SmSessionID=<value>, ForeignSessionValue=<value>]
[05/03/2021][11:56:47][7700][139625294018304][][CSmSessionLinkerPlugin::ProcessResponses][Bad link. Blotting the cookie. (This usually indicates cookie tampering4.)]
[05/03/2021][11:56:47][7700][139625294018304][][CSmSessionLinkerPlugin::ProcessResponses][Bad link. Displaying error. This usually indicates cookie tampering.]
[05/03/2021][11:56:47][7700][139625294018304][][CSmSessionLinkerPlugin::ProcessResponses][Bad link. Redirecting to URL '/backend'. (This usually indicates cookie tampering.)]
[05/03/2021][11:56:47][7700][139625294018304][][ProcessResponses][SM_WAF_SESSIONLINKER_PLUGIN->ProcessResponses returned SmFailure.]

Enable authorization processing on the CA Access Gateway (SPS) when the SPS shows the following log line (1):

Authorization is skipped as it is not enabled. AuthenticationManager returned SmYes, end new request.
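
The condition described above can be checked from sps.log and sps.trace together. The following Python code is an added example, not part of the original article or the product; the function names and result keys are hypothetical, and the sample input is constructed from the excerpts quoted in this article.

```python
import re

# Constructed sample input, copied from the log excerpts quoted in this article.
SPS_LOG = """\
[13992/140153716033280][Tue May 04 2021 13:53:20] enableauthorization=no
[13992/140153716033280][Tue May 04 2021 13:53:20] sessionlinker=Cookie=Cookie;COOKIEPATH=/;COOKIEDOMAIN=example.com;NOBLOT;URL=/backend
"""
SPS_TRACE = """\
[05/04/2021][13:55:58][13992][140152556812032][][CSmSessionManager::CreateSession][SM_WAF_SESSIONLINKER_PLUGIN->CreateSession returned SmNoAction.]
[05/04/2021][13:55:58][13992][140152556812032][][ProcessRequest][ Authorization is skipped as it is not enabled. AuthenticationManager returned SmYes, end new request.]
"""

# Matches "[pid/tid][timestamp] name=value" lines as they appear in sps.log.
SETTING_RE = re.compile(r"^\[[^\]]*\]\[[^\]]*\]\s*(\w+)=(.*)$")
SKIPPED = "Authorization is skipped as it is not enabled"

def parse_settings(log_text):
    """Return {name: value} for 'name=value' lines in sps.log (last one wins)."""
    settings = {}
    for line in log_text.splitlines():
        m = SETTING_RE.match(line.strip())
        if m:
            settings[m.group(1).lower()] = m.group(2).strip()
    return settings

def parse_sessionlinker(value):
    """Split the sessionlinker value into key=value options and bare flags."""
    options, flags = {}, set()
    for token in filter(None, (t.strip() for t in value.split(";"))):
        key, sep, val = token.partition("=")
        if sep:
            options[key.upper()] = val
        else:
            flags.add(key.upper())
    return options, flags

def diagnose(log_text, trace_text):
    """Flag the condition from this article: Session Linker set, authorization off."""
    settings = parse_settings(log_text)
    options, flags = parse_sessionlinker(settings.get("sessionlinker", ""))
    authz = settings.get("enableauthorization", "").lower()
    return {
        "authorization_enabled": authz == "yes",
        "noblot": "NOBLOT" in flags,
        "redirect_url": options.get("URL"),
        "authz_skipped_requests": sum(SKIPPED in l for l in trace_text.splitlines()),
        "linker_inactive": "sessionlinker" in settings and authz == "no",
    }
```

A result with `linker_inactive` set to true and a non-zero `authz_skipped_requests` corresponds to the situation in this article: the NOBLOT redirect URL is configured but never reached because authorization is skipped.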

Resolution

In the CA Access Gateway (SPS) ACO, set the following parameter to resolve the issue:

EnableAuthorization to yes
