CookieProvider FCCCompatMode set to YES creating vulnerability in Advanced Authentication


Article ID: 263682


Products

CA Strong Authentication
CA Advanced Authentication
CA Advanced Authentication - Strong Authentication (AuthMinder / WebFort)

Issue/Introduction

Advanced Authentication (AA) requires the Cookie Provider agent to run with FCCCompatMode set to YES, but that setting was flagged in a vulnerability report; setting it to NO removes the exposure but breaks the AA SSO flow.

From the Vulnerability Report:

Customer applications share some of the same authentication cookies (e.g. SMSESSION); this reflected XSS could allow an attacker to retrieve cookies scoped to the parent domain (i.e. .example.com), which are used by other customer applications. This increase in scope raised the impact of the issue to high.

Environment

Release : 9.1

Symantec Strong Authentication

Policy Server 12.8SP4, 12.8SP5

WebAgent 12.52sp01cr11

WebServer Apache httpd 2.4.55

Cause

FCCCompatMode had to be set to YES for the AA and SSO integration to work, so the vulnerable setting could not simply be turned off without breaking the flow.

Resolution

The Advanced Authentication and SiteMinder teams worked on this limitation and found a resolution: SiteMinder AA flows now work with FCCCompatMode=No.

We tested the FCC configuration changes below (in SiteMinder 12.8 SP4, ca-wa-12.52-sp01-cr11 and an AA environment) and the enrolment and authentication flows worked fine with FCCCompatMode=No.

Follow the steps below to make the product work when the ACO parameter FCCCompatMode=No is set.

To configure CA Advanced Authentication and CA Single Sign-On (CA SSO) default flows with FCCCompatMode=No, edit the following FCC files and add the @smpasswordfcc=1 directive to each of them:

Shim.fcc
Shim2.fcc
Shimfinal.fcc
Shimfinal2.fcc
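FCC files carry their directives as @name=value lines ahead of the form HTML, so the change above is a one-line addition to each of the four shim files. The script below is an added example, not part of this KB or of the Broadcom product: it adds @smpasswordfcc=1 as the first line of each shim FCC (or normalises an existing @smpasswordfcc directive to 1 rather than adding a duplicate), keeps a .bak copy, and then verifies that every file carries exactly one such line. The forms directory path is an assumption; point FCC_DIR at the directory where your Web Agent keeps the shim FCC files.

```shell
#!/bin/sh
# Added example (not from the KB): idempotently add @smpasswordfcc=1 to the four
# AA shim FCC files and verify the result. The directory argument is an
# assumption; the four file names are the ones the KB lists.

FCC_FILES="Shim.fcc Shim2.fcc Shimfinal.fcc Shimfinal2.fcc"

# True when the file already has an @smpasswordfcc directive (any value).
has_directive() {
    grep -q '^@smpasswordfcc=' "$1"
}

# Put @smpasswordfcc=1 on the first line of one FCC file. If a directive with
# another value is already there, rewrite it in place instead of adding a second
# copy. A .bak copy is written beside the file before it is changed.
add_directive() {
    fcc="$1"
    cp "$fcc" "$fcc.bak" || return 1
    if has_directive "$fcc"; then
        sed 's/^@smpasswordfcc=.*/@smpasswordfcc=1/' "$fcc.bak" > "$fcc"
    else
        { printf '@smpasswordfcc=1\n'; cat "$fcc.bak"; } > "$fcc"
    fi
}

# Apply the change to every shim FCC under the given directory; fail if one is missing.
ensure_smpasswordfcc() {
    dir="$1"
    for f in $FCC_FILES; do
        [ -f "$dir/$f" ] || { echo "missing: $dir/$f" >&2; return 1; }
        add_directive "$dir/$f" || return 1
    done
}

# Return 0 only when all four files carry exactly one "@smpasswordfcc=1" line.
check_smpasswordfcc() {
    dir="$1"
    for f in $FCC_FILES; do
        # grep -c exits 1 on zero matches but still prints 0; keep the count.
        n=$(grep -c '^@smpasswordfcc=1$' "$dir/$f" 2>/dev/null || true)
        [ "$n" = "1" ] || { echo "not fixed: $dir/$f" >&2; return 1; }
    done
}

# Usage: sh fix_shim_fcc.sh /path/to/webagent/forms  (path is an assumption)
if [ $# -eq 1 ]; then
    ensure_smpasswordfcc "$1" && check_smpasswordfcc "$1" \
        && echo "all shim FCC files carry @smpasswordfcc=1"
fi
```

Run it once against the forms directory, then set FCCCompatMode=No on the ACO and re-test the enrolment and authentication flows; rerunning the script is safe because it never inserts a second directive.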

The SSO tech doc for reference:

https://techdocs.broadcom.com/us/en/symantec-security-software/identity-security/siteminder/12-8/configuring/policy-server-configuration/policy-overview/configure-authentication-of-resources-for-symantec-advanced-authentication-flows.html

The FCC files are also attached to this KB for reference.

Attachments

fcc_1681152795775.zip