CA Single Sign On Secure Proxy Server (SiteMinder), CA Single Sign On SOA Security Manager (SiteMinder), CA Single Sign-On, CA Single Sign On Agents (SiteMinder), SITEMINDER
Issue/Introduction
How does the ACO parameter CustomIPHeader work?
What is the expected behavior in each of these 4 configurations of that parameter:
When there's no header;
When the header is set to one value;
When the header is set with 2 values;
When the header is set with n > 2 values.
Resolution
By default, the Web Agent obtains the requesting client's IP address from the Web Server variable REMOTE_ADDR (Remote Address) that the Web Server sets for a particular request.
The Web Agent stores the client's IP address in the SMSESSION cookie.
For security reasons, the Web Agent accepts only a single value in that header.
CustomIPHeader accepts a single value because the following attack becomes possible if SiteMinder allowed multiple values:
Sample attack:
"<user1>" logs into SiteMinder from IP 10.0.0.1;
"<user2>" has IP 192.168.1.1;
"<user2>" captures "<user1>'s" SiteMinder credential and learns that user's IP;
"<user2>" configures his browser to send "<user1>'s" cookie along with the header "x-forwarded-for: 10.0.0.1";
"<user2>" issues a request to MyHR, ENET, or Authoria;
The proxy modifies the XFF (X-Forwarded-For) header to "10.0.0.1,192.168.1.1";
The Web Agent runs the IP check;
The credential contains IP 10.0.0.1;
REMOTE_ADDR is the proxy, so XFF is used;
The first 15 characters of XFF give 10.0.0.1;
The IP check passes because 10.0.0.1 = 10.0.0.1;
"<user2>" is now interactively logged into the ACS applications as "<user1>".
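The following Python model, added here and not part of the original article or of the CA Web Agent code, replays the walkthrough above to show why a single-value policy matters. It assumes a proxy at the constructed address 172.16.0.10, a CustomIPHeader pointing at x-forwarded-for, and two simplified modes of the IP check: a permissive mode that reads the first 15 characters of the header and uses the first address (the behaviour the article warns about), and a strict mode that refuses any header carrying more than one address. The function and variable names are hypothetical.

```python
import ipaddress
from typing import Mapping, Optional

# Constructed values from the article's scenario: the victim's session was
# established from 10.0.0.1; the attacker at 192.168.1.1 sits behind a proxy.
SESSION_IP = "10.0.0.1"
PROXY_IPS = {"172.16.0.10"}            # constructed address of the reverse proxy
CUSTOM_IP_HEADER = "x-forwarded-for"   # header name CustomIPHeader would select


def resolve_client_ip(remote_addr: str, headers: Mapping[str, str],
                      strict: bool) -> Optional[str]:
    """Return the IP to record for this request, or None if it cannot be trusted.

    remote_addr is the web server's REMOTE_ADDR. When it belongs to a known
    proxy, the configured custom header is consulted instead.
    strict=False models the multi-value behaviour the article describes:
    the first 15 characters of the header are read and the first value used.
    strict=True models the single-value policy: a header carrying more than
    one address is rejected outright.
    """
    if remote_addr not in PROXY_IPS:
        return remote_addr           # direct client: REMOTE_ADDR is authoritative

    raw = headers.get(CUSTOM_IP_HEADER)
    if raw is None:
        return None                  # proxied but no header: nothing trustworthy

    values = [v.strip() for v in raw.split(",")]
    if strict:
        if len(values) != 1:
            return None              # several addresses: refuse rather than guess
        candidate = values[0]
    else:
        # First 15 characters (the longest dotted-quad IPv4), then whatever
        # precedes the first comma: this is the part a client can prepend.
        candidate = raw[:15].split(",")[0].strip()

    try:
        return str(ipaddress.ip_address(candidate))
    except ValueError:
        return None                  # not a parseable address


def ip_check_passes(session_ip: str, remote_addr: str,
                    headers: Mapping[str, str], strict: bool) -> bool:
    """The agent's IP check: the resolved request IP must equal the IP that
    was stored in the SMSESSION cookie when the session was created."""
    resolved = resolve_client_ip(remote_addr, headers, strict)
    return resolved is not None and resolved == session_ip


def article_scenario_passes(strict: bool) -> bool:
    """Replays the article's walkthrough: the proxy has appended the real
    client address to a header the client already supplied."""
    headers = {CUSTOM_IP_HEADER: "10.0.0.1,192.168.1.1"}
    return ip_check_passes(SESSION_IP, "172.16.0.10", headers, strict)


if __name__ == "__main__":
    print("multi-value header accepted:", article_scenario_passes(strict=False))  # True
    print("single-value policy:        ", article_scenario_passes(strict=True))   # False
```

With the permissive check the forged session is accepted; with the single-value policy the same request is rejected, while a legitimate proxied user whose header carries exactly one address still passes. When reviewing a deployment, confirm that the proxy in front of the agent replaces rather than appends to the header named by CustomIPHeader, and that the agent never consults that header for requests whose REMOTE_ADDR is not a known proxy.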