Tracksessiondomain parameter in ACO and use FQDN as the cookie domain

Article ID: 40655

Products

CA Single Sign On Secure Proxy Server (SiteMinder), CA Single Sign On SOA Security Manager (SiteMinder), CA Single Sign-On

Issue/Introduction

We're running a Web Agent with the following ACO configuration, and
users get HTTP 500 in the browser and a [10-0017] error in the agent log
while trying to log in to "http://test.ca.com".

Note: The FQDN (http://test.ca.com) and the cookiedomain
(cookiedomain=test.ca.com) have the same value.

  1. Tracksessiondomain=Yes
  2. FccCompatMode=Yes
  3. Cookiedomain=test.ca.com

Following is a sample from the login agent trace log:

  [01/24/2015][14:12:21][5144][2144][SmAdvancedAuthCore.cpp:916][SmAdvancedAuthCore::validateTargetDomain]
  [000000000000000000000000d32611ac-1418-543eb905-0860-01944823][XX.XX.XX.XX][][][/index.html][]
  [Target hostname:test.ca.com does not contain cookieDomain: test.ca.com]

  [01/24/2015][14:12:21][5144][2144][SmAdvancedAuthCore.cpp:162][SmAdvancedAuthCore::GatherCredentials]
  [000000000000000000000000d32611ac-1418-543eb905-0860-01944823][XX.XX.XX.XX][][][/index.html][]
  [Validating target for 4.x compatibility mode.]

  [01/24/2015][14:12:21][5144][2144][SmAdvancedAuthCore.cpp:168][SmAdvancedAuthCore::GatherCredentials]
  [000000000000000000000000d32611ac-1418-543eb905-0860-01944823][*XX.XX.XX.XX][][][/index.html][]
  [Target domain does not match the local domain. Will not redirect the user to the target.]

How can we fix this?

Cause

The target domain is validated differently in 4.x compatible mode
(FccCompatMode=Yes) than in normal mode (FccCompatMode=No).

In normal mode, the target is validated against the entries in the ACO
parameter ValidTargetDomain; if that list is empty, the user is not
redirected to the target.

In 4.x compatible mode, however, if the ACO parameter ValidTargetDomain
is empty, the target is validated against the cookie domain instead.

Example:

If FccCompatMode=Yes, the user is authenticated but not redirected to the
target, and sees error 500 in the browser.

If FccCompatMode=No, the user is authenticated and redirected to the
target.

Environment

12.51, 12.52 Agents

Resolution

1. Run the agent in normal mode (FccCompatMode=No) if you want the cookie
   domain to be the same as the hostname.

2. If you want to run the agent in 4.x compatible mode (FccCompatMode=Yes),
   make sure the cookie domain is a parent domain of the hostname, not the
   full FQDN.
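The compat-mode target check and the failing ACO combination above, as an added example (not CA/SiteMinder code): a small Python linter that parses the ACO lines shown in the issue and reports when FccCompatMode=Yes with an empty ValidTargetDomain would leave the target unreachable. The rule that the cookie domain must be a parent domain of the target hostname rather than equal to it is an assumption inferred from the trace message and the resolution, not the agent's actual implementation.

```python
# Added example, not SiteMinder code: models the 4.x-compat target-domain check
# described in the article and lints an ACO fragment for the failing combination.

def parse_aco(text):
    """Parse 'Name=Value' lines of an ACO fragment into a dict keyed in lower case."""
    params = {}
    for line in text.splitlines():
        line = line.strip().lstrip("0123456789. ")  # tolerate the numbered style used above
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, value = line.split("=", 1)
        params[key.strip().lower()] = value.strip()
    return params


def cookie_domain_matches_host(host, cookie_domain):
    """ASSUMED model of the compat-mode check: the cookie domain must be a parent
    domain of the target hostname (a suffix on a label boundary). An exact match
    fails, which reproduces 'Target hostname ... does not contain cookieDomain'."""
    h = host.lower().rstrip(".")
    cd = cookie_domain.lower().strip(".")
    return h.endswith("." + cd) and h != cd


def check_aco(aco_text, login_host):
    """Return findings for the FccCompatMode / Cookiedomain combination the article describes.
    When ValidTargetDomain is populated the agent uses that list instead, so no finding is raised."""
    p = parse_aco(aco_text)
    compat = p.get("fcccompatmode", "no").lower() == "yes"
    cookie_domain = p.get("cookiedomain", "")
    findings = []
    if compat and not p.get("validtargetdomain"):
        if not cookie_domain_matches_host(login_host, cookie_domain):
            findings.append(
                f"FccCompatMode=Yes with Cookiedomain={cookie_domain}: target {login_host} "
                "will not be redirected (expect HTTP 500 / [10-0017]); "
                "set FccCompatMode=No or use a parent domain as Cookiedomain"
            )
    return findings


# Constructed input: the ACO settings from the issue, in the numbered form shown there.
CONSTRUCTED_ACO = """\
1. Tracksessiondomain=Yes
2. FccCompatMode=Yes
3. Cookiedomain=test.ca.com
"""

if __name__ == "__main__":
    for finding in check_aco(CONSTRUCTED_ACO, "test.ca.com"):
        print(finding)
```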