ATTR_CLIENTIP getting populated even though Check IP is not checked; CA SSO SDK returns "ValidateReject" error: Invalid session ip


Article ID: 374574


Products

CA API Gateway

Issue/Introduction

We are upgrading to API Gateway 11.1 from 9.2.

In the 9.2 gateway we do not get an IP in ATTR_CLIENTIP (nor do we want one).

However, in 11.1 we do get an IP, and this is causing a problem with SiteMinder: when the token is passed to another server which uses the CA SSO SDK to validate it, we get this returned:

ValidateReject <sso-server> [09/Aug/2024:16:50:39 -0400] "xx.xx.xx.xx " "<host name>  GET /" [] [9] Invalid session ip [] []

If we swap back to the 9.2 API gateway that issue goes away.

Environment

ssg 11.1

Cause

The SSO attribute has been populated since it was added in Gateway 9.4, to support IP checking: SmAgentTli_ClientIp (SSO, string). If Check IP is checked in Policy Manager, the Gateway SSO assertion checks that the IP address in the session matches the caller IP header. The customer's SiteMinder server version is old and does not support the Check IP field in Gateway 11.1.



Resolution

Upgrade SiteMinder to version 12.8.06.