In a SDM/SIteminder integrated environment, I am able to login to SDM via Siteminder login control. However, when attempting to use SDM (example: searching for a list of tickets), I get an error 403. How to fix this error?

Service Desk Manager - All Versions

403 error is likely caused by the Web Agent's cross-site scripting protection.  In case of attempting to get a list of tickets, here's the HTTP GET operation the browser attempts against SDM web server:

https://ServiceDeskHost.company.com/CAisd/pdmweb.exe?SID=1517842111+FID=8938+OP=SEARCH+FACTORY=cr+KEEP.where_clause=assignee%20%3D%20U%2796AAC8C00D24DB43839737F8382ABE4D%27%20AND%20%28type%20%3D%20%27R%27%20OR%20type%20%3D%20%27%27%20OR%20type%20IS%20NULL%29%20AND%20active%20%3D%201 HTTP/1.1 

We can see that URL causing the error contains some single quotes, and the single quote character is in the default list of BadCSSChars. BadCSSChars is an agent parameter and can be updated by editing the corresponding Agent Configuration Object on the Policy Server. 

Here is the information regarding this feature from the Web Agent Configuration Guide: 

BadCSSChars 

If specified, overrides the default cross-site scripting character set with the characters of your choice. Include the entire string of characters that you want. 

Default: (<,',>) 

Example: <,> (In which case, the agent scans only for the left and right angle brackets) 

Limits: 

You can specify the characters literally. 

You can specify a maximum number of 4096 characters (including commas that are used for separating the characters). 

You can specify ranges of characters that are separated with hyphens. The syntax is: starting_character-ending_character. For example, you can enter a-z as a range of characters. 

Specify the quotes (") with the URL-encoded equivalent of %22. Do not use ASCII. 

If the agent detects a problem related to the character set, it returns an Access Denied message to the user, and the logs the following message in the Agent error log: 

Caught Possible Cross Site Scripting Violation in URL. Exiting with HTTP 403 ACCESS FORBIDDEN. 

Some applications require the use of the quote characters in the query string, irrespective of the web server platform. For example, some Domino applications, such as iNotes Web Access, require the use of single quotes. 

To use applications that require quotes in the query string, remove quotation marks from the BadCssChars parameter. 

Update the relevant Siteminder Agent Configuration object (ACO) to remove the single quote (') from the BadCSSChars list.  Refresh cache/restart agents for the change to take place.