Tracksessiondomain parameter in ACO and use FQDN as the cookie domain

Article ID: 40655

Products

CA Single Sign On Secure Proxy Server (SiteMinder)
AXIOMATICS POLICY SERVER
CA Single Sign On SOA Security Manager (SiteMinder)
CA Single Sign-On

Issue/Introduction

Problem: 

With the following ACO configuration, users get an HTTP 500 in the browser and a [10-0017] error in the agent log when they try to log in to http://test.ca.com.

Note: The fully qualified host name (test.ca.com) and the cookie domain (CookieDomain=test.ca.com) are the same value.

1.    Tracksessiondomain=Yes

2.    FccCompatMode=Yes

3.    Cookiedomain=test.ca.com

The following is a sample from the login agent trace log.

[01/24/2015][14:12:21][5144][2144][SmAdvancedAuthCore.cpp:916][SmAdvancedAuthCore::validateTargetDomain][000000000000000000000000d32611ac-1418-543eb905-0860-01944823][XX.XX.XX.XX][][][/index.html][][Target hostname:test.ca.com does not contain cookieDomain: test.ca.com]

[01/24/2015][14:12:21][5144][2144][SmAdvancedAuthCore.cpp:162][SmAdvancedAuthCore::GatherCredentials][000000000000000000000000d32611ac-1418-543eb905-0860-01944823][XX.XX.XX.XX][][][/index.html][][Validating target for 4.x compatibility mode.]

[01/24/2015][14:12:21][5144][2144][SmAdvancedAuthCore.cpp:168][SmAdvancedAuthCore::GatherCredentials][000000000000000000000000d32611ac-1418-543eb905-0860-01944823][XX.XX.XX.XX][][][/index.html][][Target domain does not match the local domain. Will not redirect the user to the target.]

Environment:  

12.51 and 12.52 agents

Cause: 

Target-domain validation behaves differently in 4.x compatibility mode (FccCompatMode=Yes) than in normal mode (FccCompatMode=No).

In normal mode, the target is validated only against the entries in the ACO parameter ValidTargetDomain: a target that matches none of the entries is rejected and the user is not redirected. The cookie domain is not used for this check, which is why the configuration above, which has no ValidTargetDomain entries, redirects the user successfully in normal mode.

In 4.x compatibility mode, when ValidTargetDomain has no entries, the target is validated against the cookie domain instead: the target host name must contain the cookie domain as a parent domain. A target host name that is identical to the cookie domain fails this check, which is exactly what the trace line "Target hostname:test.ca.com does not contain cookieDomain: test.ca.com" reports, and the agent then refuses to redirect the user.

Example:

With FccCompatMode=Yes, the user is authenticated but not redirected to the target and sees an HTTP 500 in the browser.

With FccCompatMode=No, the user is authenticated and redirected to the target.

Resolution:

1. Run the agent in normal mode (FccCompatMode=No) if the cookie domain must be the same as the host name.

2. If the agent must run in 4.x compatibility mode (FccCompatMode=Yes), set the cookie domain to a parent domain of the host name (for example CookieDomain=.ca.com for the host test.ca.com), not to the FQDN itself.

Note: In either mode, listing the domains the agent is permitted to redirect to in ValidTargetDomain makes the target check explicit instead of leaving it dependent on the cookie-domain comparison.
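The following Python is an added illustration, not SiteMinder agent code. It models the two target-domain checks described in the Cause section, reproduces the validateTargetDomain failure for the ACO in the Issue section, and parses the trace line quoted above to pull out the target host name and cookie domain. The dot-anchored suffix comparison, the ACO dictionary shape and the function names are assumptions made for this example; only the mode behaviour and the log message text come from the article.

```python
import re

# Constructed sample: a copy of the first agent trace line quoted in this article.
TRACE_LINE = (
    "[01/24/2015][14:12:21][5144][2144][SmAdvancedAuthCore.cpp:916]"
    "[SmAdvancedAuthCore::validateTargetDomain]"
    "[000000000000000000000000d32611ac-1418-543eb905-0860-01944823]"
    "[XX.XX.XX.XX][][][/index.html][]"
    "[Target hostname:test.ca.com does not contain cookieDomain: test.ca.com]"
)

_MISMATCH = re.compile(r"Target hostname:(\S+) does not contain cookieDomain: (\S+)")


def parse_domain_mismatch(line):
    """Return (target_host, cookie_domain) when a trace line carries the
    validateTargetDomain failure message, else None. The agent trace format
    is a sequence of bracketed fields; the message is the last field."""
    fields = re.findall(r"\[([^\]]*)\]", line)
    if not fields:
        return None
    m = _MISMATCH.search(fields[-1])
    return (m.group(1), m.group(2)) if m else None


def _normalize(name):
    return name.lower().lstrip(".").rstrip(".")


def _is_subdomain_of(host, domain):
    """True only when host is a proper subdomain of domain. The comparison is
    anchored on a dot so that 'ca.com' does not match 'testca.com' (assumed
    behaviour; the article only shows that an equal host name is rejected)."""
    return _normalize(host).endswith("." + _normalize(domain))


def _matches_any(host, domains):
    h = _normalize(host)
    return any(h == _normalize(d) or _is_subdomain_of(h, d) for d in domains)


def validate_target(target_host, aco):
    """Model of the agent's target check. aco is a dict of ACO parameter names
    (FccCompatMode, CookieDomain, ValidTargetDomain) to string values.
    Returns (redirect_allowed, reason)."""
    compat = aco.get("FccCompatMode", "No").lower() == "yes"
    valid = [d.strip() for d in aco.get("ValidTargetDomain", "").split(",") if d.strip()]
    cookie_domain = aco.get("CookieDomain", "")

    # Both modes honour an explicit ValidTargetDomain list when one is set.
    if valid:
        if _matches_any(target_host, valid):
            return True, "target matches a ValidTargetDomain entry"
        return False, "target matches no ValidTargetDomain entry"

    # Normal mode with an empty list: the cookie domain is not consulted and
    # the user is redirected (article, Example, FccCompatMode=No).
    if not compat:
        return True, "normal mode: ValidTargetDomain empty, no cookie-domain check"

    # 4.x compat mode with an empty list falls back to the cookie domain; a
    # target equal to the cookie domain fails, matching the quoted trace line.
    if _is_subdomain_of(target_host, cookie_domain):
        return True, "compat mode: target is within the cookie domain"
    return False, f"Target hostname:{target_host} does not contain cookieDomain: {cookie_domain}"


# The ACO from the Issue section and the two corrected variants from Resolution.
BROKEN_ACO = {"TrackSessionDomain": "Yes", "FccCompatMode": "Yes", "CookieDomain": "test.ca.com"}
NORMAL_MODE_ACO = {"TrackSessionDomain": "Yes", "FccCompatMode": "No", "CookieDomain": "test.ca.com"}
PARENT_DOMAIN_ACO = {"TrackSessionDomain": "Yes", "FccCompatMode": "Yes", "CookieDomain": ".ca.com"}


if __name__ == "__main__":
    parsed = parse_domain_mismatch(TRACE_LINE)
    print("trace line reports host/cookie domain:", parsed)
    for name, aco in (("broken", BROKEN_ACO), ("normal mode", NORMAL_MODE_ACO),
                      ("parent cookie domain", PARENT_DOMAIN_ACO)):
        print(name, validate_target("test.ca.com", aco))
```

Running the block shows the broken ACO failing with the same message as the trace line, while either resolution lets test.ca.com through; the dot-anchored comparison also keeps a look-alike host such as testca.com from passing under CookieDomain=.ca.com.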

Environment

Release: ESPSTM99000-12.51-Single Sign On-Extended Support Plus