Sessionlinker NOBLOT redirect not triggered

Article ID: 214230

Products

SITEMINDER CA Single Sign On Secure Proxy Server (SiteMinder)

Issue/Introduction

 

When Session Linker runs on CA Access Gateway (SPS) and a request has
no valid session, Session Linker doesn't redirect the browser to the
configured URL. The CA Access Gateway (SPS) Agent logs and traces also
don't report any error or any Session Linker processing.

 

Cause

 

CA Access Gateway (SPS) is not set to process authorization. Because
Session Linker acts at the authorization phase, the cookie is never
validated against the cookie the backend expects.

sps.training.com.log :

  [13992/140153716033280][Tue May 04 2021 13:53:20] enableauthorization=no
  [13992/140153716033280][Tue May 04 2021 13:53:20] sessionlinker=Cookie=TestCookie;COOKIEPATH=/;COOKIEDOMAIN=training.com;NOBLOT;URL=/backend
  
sps.training.com.trace :

  [05/04/2021][13:55:58][13992][140152556812032][88e70173-f2d1de44-2210d67d-5adb9a81-5c4764ea-1da]
  [CSmSessionManager::EstablishSession][SM_WAF_SESSIONLINKER_PLUGIN->EstablishSession returned SmNoAction.]

  [05/04/2021][13:55:58][13992][140152556812032][88e70173-f2d1de44-2210d67d-5adb9a81-5c4764ea-1da]
  [CSmSessionManager::EstablishSession][Calling SM_WAF_CERTSESSIONLINKER_PLUGIN->EstablishSession.]

  [05/04/2021][13:55:58][13992][140152556812032][88e70173-f2d1de44-2210d67d-5adb9a81-5c4764ea-1da]
  [CSmSessionManager::EstablishSession][SM_WAF_CERTSESSIONLINKER_PLUGIN->EstablishSession returned SmNoAction.]

  [05/04/2021][13:55:58][13992][140152556812032][88e70173-f2d1de44-2210d67d-5adb9a81-5c4764ea-1da]
  [IsResourceProtected][Resource is protected from cache.]

  [05/04/2021][13:55:58][13992][140152556812032][88e70173-f2d1de44-2210d67d-5adb9a81-5c4764ea-1da]
  [CSmSessionManager::CreateSession][Calling SM_WAF_SESSIONLINKER_PLUGIN->CreateSession.]

  [05/04/2021][13:55:58][13992][140152556812032][88e70173-f2d1de44-2210d67d-5adb9a81-5c4764ea-1da]
  [CSmSessionManager::CreateSession][SM_WAF_SESSIONLINKER_PLUGIN->CreateSession returned SmNoAction.]

  [05/04/2021][13:55:58][13992][140152556812032][88e70173-f2d1de44-2210d67d-5adb9a81-5c4764ea-1da]
  [CSmSessionManager::CreateSession][Calling SM_WAF_CERTSESSIONLINKER_PLUGIN->CreateSession.]

  [05/04/2021][13:55:58][13992][140152556812032][88e70173-f2d1de44-2210d67d-5adb9a81-5c4764ea-1da]
  [CSmSessionManager::CreateSession][SM_WAF_CERTSESSIONLINKER_PLUGIN->CreateSession returned SmNoAction.]

  [05/04/2021][13:55:58][13992][140152556812032][88e70173-f2d1de44-2210d67d-5adb9a81-5c4764ea-1da]
  [ProcessRequest][ Authorization is skipped as it is not enabled. AuthenticationManager returned SmYes, end new request.]

When SPS is configured to process authorization (EnableAuthorization
set to yes), Session Linker reports its actions :

Protection, Authentication and Authorization on SPS :

When the backend application sends the cookie :

  [05/03/2021][11:48:14][7700][139625296123648][3f59a3f1-d5bd4899-50cb55a8-964aded5-5442af65-59]
  [ProcessResponses][Calling SM_WAF_SESSIONLINKER_PLUGIN->ProcessResponses.]

  [05/03/2021][11:48:14][7700][139625296123648][3f59a3f1-d5bd4899-50cb55a8-964aded5-5442af65-59]
  [CSmSessionLinkerPlugin::ProcessResponses][SMSERVERSESSIONID = YGjhyAYRDToLAMQVvKtKXh7y/7U=]

  [05/03/2021][11:48:14][7700][139625296123648][3f59a3f1-d5bd4899-50cb55a8-964aded5-5442af65-59]
  [CSmSessionLinkerPlugin::ProcessResponses][SMTIMETOEXPIRE = 7200]

  [05/03/2021][11:48:14][7700][139625296123648][3f59a3f1-d5bd4899-50cb55a8-964aded5-5442af65-59]
  [CSmSessionLinkerPlugin::ProcessResponses][ForeignSessionIdentifier=TestCookie, 
  SmSessionID=YGjhyAYRDToLAMQVvKtKXh7y/7U=, ForeignSessionValue=hello+world]

  [05/03/2021][11:48:14][7700][139625296123648][3f59a3f1-d5bd4899-50cb55a8-964aded5-5442af65-59]
  [CSmSessionLinkerPlugin::ProcessResponses][New Link Added.]

When the backend application doesn't send the cookie :

  [05/03/2021][11:56:47][7700][139625294018304][e8f5cd21-d36138a9-424b794d-56bef5c3-22aada52-9]
  [CSmSessionLinkerPlugin::ProcessResponses][SMSERVERSESSIONID = TGP4a+kOzVb8Ebbo/kjNIAfxSTI=]

  [05/03/2021][11:56:47][7700][139625294018304][e8f5cd21-d36138a9-424b794d-56bef5c3-22aada52-9]
  [CSmSessionLinkerPlugin::ProcessResponses][SMTIMETOEXPIRE = 7200]

  [05/03/2021][11:56:47][7700][139625294018304][e8f5cd21-d36138a9-424b794d-56bef5c3-22aada52-9]
  [CSmSessionLinkerPlugin::ProcessResponses][ForeignSessionIdentifier=TestCookie, 
  SmSessionID=TGP4a+kOzVb8Ebbo/kjNIAfxSTI=, ForeignSessionValue=hello+world]

  [05/03/2021][11:56:47][7700][139625294018304][e8f5cd21-d36138a9-424b794d-56bef5c3-22aada52-9]
  [CSmSessionLinkerPlugin::ProcessResponses][Bad link. Blotting the cookie. (This usually indicates cookie tampering4.)]

  [05/03/2021][11:56:47][7700][139625294018304][e8f5cd21-d36138a9-424b794d-56bef5c3-22aada52-9]
  [CSmSessionLinkerPlugin::ProcessResponses][Bad link. Displaying error. This usually indicates cookie tampering.]

  [05/03/2021][11:56:47][7700][139625294018304][e8f5cd21-d36138a9-424b794d-56bef5c3-22aada52-9]
  [CSmSessionLinkerPlugin::ProcessResponses][Bad link. Redirecting to URL '/backend'. (This usually indicates cookie tampering.)]

  [05/03/2021][11:56:47][7700][139625294018304][e8f5cd21-d36138a9-424b794d-56bef5c3-22aada52-9]
  [ProcessResponses][SM_WAF_SESSIONLINKER_PLUGIN->ProcessResponses returned SmFailure.]

As per KD (1), you have to enable authorization processing on the CA
Access Gateway (SPS) when the SPS shows this log line :

  Authorization is skipped as it is not enabled. AuthenticationManager returned SmYes, end new request.

 

Resolution

 

In the CA Access Gateway (SPS) ACO, set the following parameter :

  EnableAuthorization to yes 
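
To check an SPS instance for this condition, the following script reads the agent log for a sessionlinker setting alongside enableauthorization=no and counts the "Authorization is skipped" lines in the trace. It is an added example, not Broadcom code: the function names are hypothetical, the sample lines are copied from the excerpts above, and a missing enableauthorization entry is treated as yes, as stated in KD (1).

```python
import re

# Sample input: lines copied from the log and trace excerpts on this page.
SAMPLE_LOG = (
    "[13992/140153716033280][Tue May 04 2021 13:53:20] enableauthorization=no\n"
    "[13992/140153716033280][Tue May 04 2021 13:53:20] sessionlinker=Cookie=TestCookie;"
    "COOKIEPATH=/;COOKIEDOMAIN=training.com;NOBLOT;URL=/backend\n"
)
SAMPLE_TRACE = (
    "[ProcessRequest][ Authorization is skipped as it is not enabled. "
    "AuthenticationManager returned SmYes, end new request.]\n"
)

# "[pid/tid][timestamp] name=value" lines that echo the agent parameters.
ACO_LINE = re.compile(r"^\s*(?:\[[^\]]*\])+\s*(\w+)=(.*)$")
SKIP_MSG = "Authorization is skipped as it is not enabled"

def parse_aco(log_text):
    """Return the last logged value of each parameter, keyed in lower case."""
    matches = (ACO_LINE.match(line) for line in log_text.splitlines())
    return {m.group(1).lower(): m.group(2).strip() for m in matches if m}

def parse_sessionlinker(value):
    """Split the setting into KEY=value options and bare flags such as NOBLOT."""
    opts, flags = {}, set()
    for part in filter(None, (p.strip() for p in value.split(";"))):
        key, sep, val = part.partition("=")
        if sep:
            opts[key.upper()] = val
        else:
            flags.add(key.upper())
    return opts, flags

def diagnose(log_text, trace_text=""):
    """Report whether Session Linker is configured while authorization is off."""
    params = parse_aco(log_text)
    if "sessionlinker" not in params:
        return None  # Session Linker is not configured, nothing to check
    opts, flags = parse_sessionlinker(params["sessionlinker"])
    # Assumption taken from KD (1): an absent EnableAuthorization defaults to yes.
    authz = params.get("enableauthorization", "yes").lower()
    return {"linker_inactive": authz == "no", "noblot": "NOBLOT" in flags,
            "redirect_url": opts.get("URL"),
            "skipped_requests": trace_text.count(SKIP_MSG)}

if __name__ == "__main__":
    print(diagnose(SAMPLE_LOG, SAMPLE_TRACE))
```

A result with linker_inactive set to True and a non-zero skipped_requests count matches the symptom described in this article.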

 

Additional Information

 

(1)

    Custom HTTP response headers missing

      Authorization is skipped as it is not enabled. AuthenticationManager
      returned SmYes, end new request

      [...]

      EnableAuthorization to yes (or
      comment out as the default value is yes)

    https://knowledge.broadcom.com/external/article/136122/custom-http-response-headers-missing.html