Post-authentication redirect to TARGET is relative redirect when full URL is expected

Article ID: 242206

Products

CA Single Sign On Agents (SiteMinder) CA Single Sign On Secure Proxy Server (SiteMinder)

Issue/Introduction

A customer has an application protected by an IWA authentication scheme. When users access this application they are authenticated successfully, but after authentication they are redirected to the correct TARGET URI on the wrong host. The problem does not occur when other authentication schemes are used. The TargetAsRelativeURI ACO parameter is explicitly set to NO on this Web Agent.

Cause

The customer had a policy redirect response that was overwriting the redirect to the TARGET that the Web Agent issues by default after authentication. The Web Agent processes the default authentication redirect to the TARGET before it processes OnAuthAccept responses, which is why the OnAuthAccept redirect response prevailed. Because the IWA authentication scheme and the TARGET resource were served from separate hosts, the relative redirect sent users to the wrong host and resulted in an error. The other authentication schemes the customer tested were served by the same host as the TARGET resource, so the relative redirect worked without error in those tests.

From the Web Agent trace log we can see that the correct authentication redirect to the TARGET was issued before being overwritten by a policy authentication response:

[05/12/2022][17:20:08][944][9916][48e96fbb-7cd533b6-90cfa2c8-ad6102c6-5f462804-d][HandleCredCollectorReturn][POST preservation, handling return from credential collector.]
[05/12/2022][17:20:08][944][9916][48e96fbb-7cd533b6-90cfa2c8-ad6102c6-5f462804-d][HandleCredCollectorReturn][http response https://www.xyz.com/pwim.web/default.aspx]
[05/12/2022][17:20:08][944][9916][48e96fbb-7cd533b6-90cfa2c8-ad6102c6-5f462804-d][CSmCredentialManager::GatherAdvancedAuthCredentials][SM_WAF_HTTP_PLUGIN->ProcessAdvancedAuthCredentials returned SmSuccess.]
[05/12/2022][17:20:08][944][9916][48e96fbb-7cd533b6-90cfa2c8-ad6102c6-5f462804-d][CSmCredentialManager::GatherAdvancedAuthCredentials][Calling SM_WAF_AG_PLUGIN->ProcessAdvancedAuthCredentials.]
[05/12/2022][17:20:08][944][9916][48e96fbb-7cd533b6-90cfa2c8-ad6102c6-5f462804-d][CSmCredentialManager::GatherAdvancedAuthCredentials][SM_WAF_AG_PLUGIN->ProcessAdvancedAuthCredentials returned SmNoAction.]
[05/12/2022][17:20:08][944][9916][48e96fbb-7cd533b6-90cfa2c8-ad6102c6-5f462804-d][AuthenticateUser][User 'XXXX\xxxxxxx' is authenticated by Policy Server.]
[05/12/2022][17:20:08][944][9916][48e96fbb-7cd533b6-90cfa2c8-ad6102c6-5f462804-d][ProcessResponses][Calling SM_WAF_HTTP_PLUGIN->ProcessResponses.]
[05/12/2022][17:20:08][944][9916][48e96fbb-7cd533b6-90cfa2c8-ad6102c6-5f462804-d][CSmHttpPlugin::ProcessResponses][Processing Authentication responses.]
[05/12/2022][17:20:08][944][9916][48e96fbb-7cd533b6-90cfa2c8-ad6102c6-5f462804-d][CSmHttpPlugin::GenerateNTCChallengeDoneCookie][Generating SMCHALLENGE=NTC_CHALLENGE_DONE set-cookie response header.]
[05/12/2022][17:20:08][944][9916][48e96fbb-7cd533b6-90cfa2c8-ad6102c6-5f462804-d][CSmHttpPlugin::ProcessResponses][Setting custom HTTP header variable: 'HTTP_sn=Xxxxxx']
[05/12/2022][17:20:08][944][9916][48e96fbb-7cd533b6-90cfa2c8-ad6102c6-5f462804-d][CSmHttpPlugin::ProcessResponses][Setting custom HTTP header variable: 'HTTP_givenName=Xxxxx']
[05/12/2022][17:20:08][944][9916][48e96fbb-7cd533b6-90cfa2c8-ad6102c6-5f462804-d][CSmHttpPlugin::ProcessResponses][Executing redirect response: '/pwim.web/default.aspx']

Environment

Release : 12.8.03

Component : SITEMINDER SECURE PROXY SERVER & SITEMINDER WEB AGENTS

Resolution

Examine the Web Agent trace log to see how the redirect after authentication is being handled. As the log snippet above shows, the default redirect to the TARGET after authentication is handled by the [HandleCredCollectorReturn] code, while policy responses that could overwrite that default redirect are handled by the [CSmHttpPlugin::ProcessResponses] code.
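The following Python script is an added example, not part of the article or of the SiteMinder product: it parses Web Agent trace lines in the format shown above, pulls out the default post-authentication redirect issued by HandleCredCollectorReturn and any redirect response executed by CSmHttpPlugin::ProcessResponses, and flags the case where a full-URL default redirect is overwritten by a relative policy redirect. The sample lines are copied from the snippet above; the field layout (five bracketed prefix fields, then function, then message) is assumed from those lines.

```python
import re
from urllib.parse import urlparse

# Sample trace lines taken from the article's snippet (host and user are the article's placeholders).
SAMPLE_TRACE = r"""
[05/12/2022][17:20:08][944][9916][48e96fbb-7cd533b6-90cfa2c8-ad6102c6-5f462804-d][HandleCredCollectorReturn][POST preservation, handling return from credential collector.]
[05/12/2022][17:20:08][944][9916][48e96fbb-7cd533b6-90cfa2c8-ad6102c6-5f462804-d][HandleCredCollectorReturn][http response https://www.xyz.com/pwim.web/default.aspx]
[05/12/2022][17:20:08][944][9916][48e96fbb-7cd533b6-90cfa2c8-ad6102c6-5f462804-d][AuthenticateUser][User 'XXXX\xxxxxxx' is authenticated by Policy Server.]
[05/12/2022][17:20:08][944][9916][48e96fbb-7cd533b6-90cfa2c8-ad6102c6-5f462804-d][CSmHttpPlugin::ProcessResponses][Processing Authentication responses.]
[05/12/2022][17:20:08][944][9916][48e96fbb-7cd533b6-90cfa2c8-ad6102c6-5f462804-d][CSmHttpPlugin::ProcessResponses][Executing redirect response: '/pwim.web/default.aspx']
"""

# Assumed layout: date, time, pid, tid, transaction id, then [function][message].
LINE_RE = re.compile(r"^(?:\[[^\]]*\]){5}\[(?P<func>[^\]]+)\]\[(?P<msg>.*)\]$")
POLICY_REDIRECT_RE = re.compile(r"Executing redirect response: '(?P<url>[^']*)'")


def parse_trace(text):
    """Yield (function, message) pairs; lines that do not match the layout are skipped."""
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            yield m.group("func"), m.group("msg")


def find_redirects(text):
    """Return (default post-auth redirect, policy redirect response); either may be None."""
    default_redirect = policy_redirect = None
    for func, msg in parse_trace(text):
        if func == "HandleCredCollectorReturn" and msg.startswith("http response "):
            default_redirect = msg[len("http response "):]
        elif func == "CSmHttpPlugin::ProcessResponses":
            m = POLICY_REDIRECT_RE.match(msg)
            if m:
                policy_redirect = m.group("url")
    return default_redirect, policy_redirect


def check_redirect_override(text):
    """Report whether a policy redirect overwrote the default redirect with a relative path."""
    default_redirect, policy_redirect = find_redirects(text)
    if default_redirect is None or policy_redirect is None:
        return None  # nothing to compare: no override took place in this trace
    target_host = urlparse(default_redirect).netloc
    policy_host = urlparse(policy_redirect).netloc
    return {
        "default_redirect": default_redirect,
        "policy_redirect": policy_redirect,
        "target_host": target_host,
        # A relative policy redirect resolves against whichever host served the
        # credential collector, which is the failure described in the article.
        "policy_is_relative": policy_host == "",
        "host_mismatch": policy_host != "" and policy_host != target_host,
    }
```

Run it against an exported trace file instead of SAMPLE_TRACE to confirm which code path issued the redirect the browser actually followed.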