How works WebAgent ACO parameter CustomIPHeader
Article ID: 36859


Products

CA Single Sign On Secure Proxy Server (SiteMinder), CA Single Sign On SOA Security Manager (SiteMinder), CA Single Sign-On, CA Single Sign On Agents (SiteMinder), SITEMINDER

Issue/Introduction

 

How does the ACO parameter CustomIPHeader work?

What is the expected behavior in each of these four configurations of that parameter:

  1. When there's no header;
  2. When the header is set with one value;
  3. When the header is set with 2 values;
  4. When the header is set with n > 2 values;

Resolution

 

By default, the Web Agent obtains the requesting client's IP address from the Web Server variable REMOTE_ADDR (Remote Address) that the Web Server sets for a particular request. The Web Agent stores the client's IP address as the value in the SMSESSION cookie.
 
For security reasons, the Web Agent accepts only a single value in the header named by CustomIPHeader.

CustomIPHeader accepts a single value because IP-spoofing attacks against the session IP check become possible if SiteMinder allowed multiple values:

Example of such an attack:

  1. Alice logs into SiteMinder from IP 111.111.111.111;
  2. Mallory has IP 2.2.2.2;
  3. Mallory captures Alice's SiteMinder credential (SMSESSION cookie) and learns her IP;
  4. Mallory configures his browser to send Alice's cookie along with the header "x-forwarded-for: 111.111.111.111";
  5. Mallory issues a request to MyHR, ENET, or Authoria;
  6. The proxy appends its own client address to the XFF (X-Forwarded-For) header, so it becomes "111.111.111.111,2.2.2.2";
  7. The Web Agent runs the IP check;
  8. The credential contains IP 111.111.111.111;
  9. REMOTE_ADDR is the proxy's address, so the XFF header is used instead;
  10. The first 15 characters of XFF are 111.111.111.111;
  11. The IP check passes because 111.111.111.111 = 111.111.111.111;
  12. Mallory is interactively logged into ACS applications as Alice;
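As an added illustration (not SiteMinder's own code), the following Python models the IP check described above for the four header configurations from the question, contrasting the single-value rule with the weak "first 15 characters" parse the walk-through relies on. The proxy address 10.0.0.5 and all function names are assumptions.

```python
import ipaddress

# Constructed model of the Web Agent IP check described in this article;
# it is not SiteMinder code. The proxy address is an assumed sample value.
TRUSTED_PROXIES = {"10.0.0.5"}


def strict_client_ip(remote_addr, header_value):
    """Client IP under the single-value rule, or None if the request is rejected.

    The custom header is consulted only when REMOTE_ADDR is a known proxy.
    Config 1 (no header): REMOTE_ADDR is used as-is.
    Config 2 (one value): that one well-formed address is accepted.
    Configs 3 and 4 (two or more values): rejected outright.
    """
    if remote_addr not in TRUSTED_PROXIES or header_value is None:
        return remote_addr
    values = [v.strip() for v in header_value.split(",") if v.strip()]
    if len(values) != 1:
        return None
    try:
        return str(ipaddress.ip_address(values[0]))
    except ValueError:
        return None


def naive_client_ip(remote_addr, header_value):
    """Weak variant from the walk-through: keep only the first 15 characters."""
    if remote_addr in TRUSTED_PROXIES and header_value:
        return header_value[:15]
    return remote_addr


def ip_check_passes(session_ip, remote_addr, header_value, resolver=strict_client_ip):
    """True when the IP stored in the SMSESSION cookie matches the resolved client IP."""
    resolved = resolver(remote_addr, header_value)
    return resolved is not None and resolved == session_ip


if __name__ == "__main__":
    session_ip = "111.111.111.111"        # IP stored in Alice's cookie
    spoofed = "111.111.111.111,2.2.2.2"   # header after the proxy appends 2.2.2.2
    # The naive parse lets the spoofed request through; the single-value rule rejects it.
    print("naive :", ip_check_passes(session_ip, "10.0.0.5", spoofed, naive_client_ip))  # True
    print("strict:", ip_check_passes(session_ip, "10.0.0.5", spoofed))                    # False
```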