Client IP and SMSESSION IP do not match after WAOP upgrade

Article ID: 4195

Products

  • CA Single Sign On Secure Proxy Server (SiteMinder)
  • CA Single Sign On SOA Security Manager (SiteMinder)
  • CA Single Sign-On

Issue/Introduction

The customer upgraded the Web Agent Option Pack (WAOP) from r12.0 to r12.52 SP1CR5.
The user first logs on to a resource protected by the centralized Web Agent and then initiates unsolicited (IdP-initiated) federation.
After that, when navigating back to the normal Web Agent resources, the user session is rejected with the following error in the Web Agent trace log:
Client IP and SMSESSION IP do not match

Environment:

  • Policy Server: R12.52 and above
  • Policy Server OS: Any
  • Web Agent: 12.52 and above (both login and IdP)
  • Web Agent Option Pack: 12.51 and above

Configuration:

  • The customer has Transient IP check enabled on the centralized login Web Agent (which is a different agent from the IdP Web Agent).
  • The customer has Transient IP check disabled on the IdP Web Agent as well as on the IdP WAOP.
  • All Web Agents and the Web Agent Option Pack are behind the load balancer.
  • CustomIPHeader is configured in the ACO for the login Web Agent, the IdP Web Agent and the WAOP.

Environment

Release: ETRSBB99000-12.52-SiteMinder-B to B

Cause

In the r12.0 Web Agent Option Pack, a successful validation of an existing SMSESSION cookie did NOT generate a new SMSESSION cookie.

From r12.51 onwards, the Web Agent Option Pack does generate an SMSESSION cookie.

Unlike the normal Web Agent, however, it does not support the CustomIPHeader ACO parameter.

So, when it creates the SMSESSION cookie, it resolves the client IP as follows:

  • It first reads the SM_CLIENT_IP header; if that header has a value, it uses it.
  • If the SM_CLIENT_IP header is empty, it uses the proxy IP as the client IP. The proxy IP is usually the load balancer IP.

The normal Web Agent sets the SM_CLIENT_IP header to the actual browser IP address only if either TransientIPCheck or PersistentIPCheck is enabled.

In this case neither TransientIPCheck nor PersistentIPCheck was enabled on the IdP Web Agent, so it was not setting the SM_CLIENT_IP header, and as a result the WAOP used the proxy IP when creating the SMSESSION cookie.

When this SMSESSION cookie created by the WAOP is submitted to the normal Web Agent, the IP validation fails because the client IP resolved by the agent (from CustomIPHeader) and the IP stored in the SMSESSION cookie do not match.
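The following is an added model of the IP resolution chain described above; it is not CA's code. It assumes the load balancer inserts the client IP in an X-Forwarded-For header (the value used for CustomIPHeader here) and uses constructed sample IPs, and it shows that the round trip fails when the IdP Web Agent has no IP check enabled and succeeds once TransientIPCheck (or PersistentIPCheck) is switched on.

```python
# Added example, not CA's code: a minimal model of how the login Web Agent,
# the IdP Web Agent and the WAOP each resolve the client IP.
# Header names and IP addresses are constructed sample values.
from dataclasses import dataclass
from typing import Dict, Optional

LOAD_BALANCER_IP = "10.0.0.5"   # constructed: the proxy IP the agents see as TCP peer
BROWSER_IP = "203.0.113.7"      # constructed: the real client IP

@dataclass
class AgentConfig:
    custom_ip_header: Optional[str]  # CustomIPHeader ACO parameter (None = not set)
    ip_check: bool                   # TransientIPCheck or PersistentIPCheck enabled

def web_agent_client_ip(cfg: AgentConfig, headers: Dict[str, str], peer_ip: str) -> str:
    """Normal Web Agent: honours CustomIPHeader, otherwise uses the proxy (peer) IP."""
    if cfg.custom_ip_header and headers.get(cfg.custom_ip_header):
        return headers[cfg.custom_ip_header]
    return peer_ip

def web_agent_forward_headers(cfg: AgentConfig, headers: Dict[str, str], peer_ip: str) -> Dict[str, str]:
    """The Web Agent sets SM_CLIENT_IP for downstream components only when an IP check is on."""
    forwarded = dict(headers)
    if cfg.ip_check:
        forwarded["SM_CLIENT_IP"] = web_agent_client_ip(cfg, headers, peer_ip)
    return forwarded

def waop_client_ip(headers: Dict[str, str], peer_ip: str) -> str:
    """WAOP r12.51+: no CustomIPHeader support; SM_CLIENT_IP first, else the proxy IP."""
    return headers.get("SM_CLIENT_IP") or peer_ip

def session_accepted(login_cfg: AgentConfig, smsession_ip: str,
                     headers: Dict[str, str], peer_ip: str) -> bool:
    """Login agent with an IP check: the cookie's IP must equal the resolved client IP."""
    return smsession_ip == web_agent_client_ip(login_cfg, headers, peer_ip)

def federation_round_trip(idp_ip_check: bool) -> bool:
    """login agent -> IdP agent -> WAOP mints SMSESSION -> cookie presented to login agent."""
    login_cfg = AgentConfig("X-Forwarded-For", ip_check=True)
    idp_cfg = AgentConfig("X-Forwarded-For", ip_check=idp_ip_check)
    request = {"X-Forwarded-For": BROWSER_IP}  # header added by the load balancer
    headers_at_waop = web_agent_forward_headers(idp_cfg, request, LOAD_BALANCER_IP)
    smsession_ip = waop_client_ip(headers_at_waop, LOAD_BALANCER_IP)
    return session_accepted(login_cfg, smsession_ip, request, LOAD_BALANCER_IP)

if __name__ == "__main__":
    print("IdP IP check off:", federation_round_trip(False))  # False: cookie carries proxy IP
    print("IdP IP check on: ", federation_round_trip(True))   # True: cookie carries browser IP
```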

Resolution

Enable either Transient IP check or Persistent IP check on the IdP Web Agent as well, so that it sets the SM_CLIENT_IP header the WAOP relies on.

CA might support CustomIPHeader for the Web Agent Option Pack in a future release; at the time of writing it is not supported.