How the Web Agent ACO parameter CustomIPHeader works


Article ID: 36859




CA Single Sign On Secure Proxy Server (SiteMinder), AXIOMATICS POLICY SERVER, CA Single Sign On SOA Security Manager (SiteMinder), CA Single Sign-On


Question:

I want to know how the ACO parameter CustomIPHeader works.
I wanted to know the expected behaviour among these 4 configurations
of that parameter:
1 - when there's no header;
2 - when the header is set with one value;
3 - when the header is set with 2 values;
4 - when the header is set with n > 2 values.
Answer:

By default, the Web Agent obtains the requesting client's IP address
from the Web Server variable REMOTE_ADDR (Remote Address) that the Web
Server sets for a particular request. The Web Agent stores the
client's IP address as a value in the SMSESSION cookie.
The Web Agent accepts only a single value in this header; this
restriction is motivated by security concerns:

CustomIPHeader accepts a single value because of the attacks that
would be possible if SiteMinder allowed multiple values:
An Example Attack
1 - "Alice" logs into SiteMinder with IP
2 - "Mallory" has IP
3 - "Mallory" captures "Alice's" SiteMinder credential and learns her
4 - "Mallory" configures his browser to send "Alice's" cookie along
    with the header "x-forwarded-for:".
5 - Mallory issues a request to MyHR, ENET, or Authoria.
6 - Proxy modifies the XFF (X-Forwarded-For) header to be
7 - The Web Agent runs the IP check
8 - The credential contains IP
9 - The REMOTE_ADDR is Proxy, so XFF will be used.
10 - The first 15 characters of XFF are
11 - IP check passes, because =
12 - Mallory is interactively logged into ACS applications as Alice.
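The following is an added example, not CA or SiteMinder code, that models the single-value rule the answer gives for CustomIPHeader beside the weak "first 15 characters" handling from the attack walkthrough, and runs the four configurations from the question through both. The header name, the trusted-proxy address, Alice's and Mallory's addresses, and the way the proxy appends to the header are all constructed assumptions; the real agent's parsing is not reproduced here.

```python
"""Added example (not CA/SiteMinder code): a client-IP resolver that applies
the single-value rule for CustomIPHeader, beside the weak truncating variant
from the attack walkthrough. Every address and header name below is a
constructed assumption for illustration."""

from typing import List, Optional, Sequence, Tuple

Headers = Sequence[Tuple[str, str]]

# Constructed: the reverse proxy that fronts the web server (RFC 5737 range).
PROXY_IP = "198.51.100.10"
TRUSTED_PROXIES = frozenset({PROXY_IP})
# Assumed value of the CustomIPHeader ACO parameter.
CUSTOM_IP_HEADER = "X-Forwarded-For"
# Constructed user addresses. Alice's is 15 characters, the longest dotted
# IPv4 form, which is what the "first 15 characters" step relies on.
ALICE_IP = "192.168.100.100"
MALLORY_IP = "198.51.100.77"


def header_values(headers: Headers, name: str) -> List[str]:
    """Return every value carried by a header. Repeated header lines and
    comma-separated lists are both expanded, because X-Forwarded-For is a
    list and a proxy normally appends to it rather than replacing it."""
    values: List[str] = []
    for key, value in headers:
        if key.lower() == name.lower():
            values.extend(v.strip() for v in value.split(",") if v.strip())
    return values


def resolve_ip_single_value(remote_addr: str, headers: Headers,
                            header_name: str = CUSTOM_IP_HEADER) -> Optional[str]:
    """Strict policy: REMOTE_ADDR is used unless it is a trusted proxy; behind
    a proxy the custom header is honoured only when it holds exactly one
    value. Zero or several values yield None, i.e. a failed check."""
    if remote_addr not in TRUSTED_PROXIES:
        return remote_addr
    values = header_values(headers, header_name)
    return values[0] if len(values) == 1 else None


def resolve_ip_truncating(remote_addr: str, headers: Headers,
                          header_name: str = CUSTOM_IP_HEADER) -> Optional[str]:
    """Weak variant from the walkthrough: accept a multi-valued header and keep
    its first 15 characters. A client-supplied first entry survives the
    proxy's append and is trusted as the client address."""
    if remote_addr not in TRUSTED_PROXIES:
        return remote_addr
    raw = ", ".join(header_values(headers, header_name))
    return raw[:15] if raw else None


def ip_check(session_ip: str, resolved_ip: Optional[str]) -> bool:
    """Compare the IP bound into the SMSESSION cookie with the request IP."""
    return resolved_ip is not None and resolved_ip == session_ip


def proxy_forward(client_ip: str, client_headers: Headers) -> Tuple[str, List[Tuple[str, str]]]:
    """Constructed proxy behaviour: append the observed client address to the
    custom header (creating it if absent) and become REMOTE_ADDR itself."""
    existing = header_values(client_headers, CUSTOM_IP_HEADER)
    others = [(k, v) for k, v in client_headers if k.lower() != CUSTOM_IP_HEADER.lower()]
    return PROXY_IP, others + [(CUSTOM_IP_HEADER, ", ".join(existing + [client_ip]))]


def both_checks(remote_addr: str, headers: Headers) -> Tuple[bool, bool]:
    """(single-value check passes, truncating check passes) for Alice's session."""
    return (ip_check(ALICE_IP, resolve_ip_single_value(remote_addr, headers)),
            ip_check(ALICE_IP, resolve_ip_truncating(remote_addr, headers)))


def scenarios() -> dict:
    """The four configurations from the question, each evaluated by both variants."""
    results = {}
    # 1. No header at all: Alice connects directly, so REMOTE_ADDR is used as-is.
    results["no header"] = both_checks(ALICE_IP, [])
    # 2. One value: Alice behind the proxy, which sets the header to her address.
    results["one value"] = both_checks(*proxy_forward(ALICE_IP, []))
    # 3. Two values: Mallory replays Alice's cookie with a forged first entry;
    #    the proxy appends Mallory's real address, giving two values.
    results["two values"] = both_checks(*proxy_forward(MALLORY_IP, [(CUSTOM_IP_HEADER, ALICE_IP)]))
    # 4. n > 2 values: more hops (or more forged entries) before the proxy.
    results["n values"] = both_checks(*proxy_forward(MALLORY_IP, [(CUSTOM_IP_HEADER, ALICE_IP + ", 203.0.113.5")]))
    return results


if __name__ == "__main__":
    for name, (strict, weak) in scenarios().items():
        print(f"{name:10s} single-value check: {strict!s:5s} truncating check: {weak}")
```

In the output, the two variants agree for the legitimate cases (no header, one value) and diverge as soon as the header carries more than one value: the single-value rule rejects the request because the configured header is ambiguous, while the truncating variant accepts the forged first entry exactly as steps 9 to 11 of the walkthrough describe. This is why the agent binds the session to one address and refuses a multi-valued CustomIPHeader rather than picking an entry from it.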


Component: SMAPC