Error: Request doesn't contain session ID header Federation request

Article ID: 46019

Products

  • CA Single Sign On Secure Proxy Server (SiteMinder)
  • CA Single Sign On SOA Security Manager (SiteMinder)
  • CA Single Sign-On SITEMINDER
  • CA Single Sign On Federation (SiteMinder)

Issue/Introduction

A federation is set up between two different environments, with SiteMinder deployed on both sides: one side acts as the IDP and the other as the SP.

  1. Dev acts as the IDP and Test acts as the SP.
  2. The journey is an IDP-initiated transaction. The user is taken to the login page, enters credentials and submits.
  3. After that, the request loops between the public/saml2sso URL and the authentication URL.
  4. The FWStrace log shows the following messages:
[05/17/2016][08:30:07][12418][2661268336][][FWSBase.java][isValidSession][Found SESSION cookie: SMSESSION]
[05/17/2016][08:30:07][12418][2661268336][][FWSBase.java][isValidSession][Trying to validate using SMSESSION cookie.]
[05/17/2016][08:30:07][12418][2661268336][][FWSBase.java][isValidSession][Session ID is: /Pz43N5w8p45IpngiB4YrAcN3ec=]
[05/17/2016][08:30:07][12418][2661268336][][FWSBase.java][isValidSession][Session Spec is: Ce784eYnjA [...] ]
[05/17/2016][08:30:07][12418][2661268336][][FWSBase.java][isSessionIdle][Verifying validity of session cookie [SMSESSION] retrieved]
[05/17/2016][08:30:07][12418][2661268336][][FWSBase.java][isSessionIdle][Request doesn't contain session ID header. Session cookie[SMSESSION]is not valid.]


Environment

SiteMinder, all versions.


Cause

The Federation Service finds an existing SMSESSION cookie and extracts the Session ID and Session Spec values from it.

But when it tries to verify the validity of the retrieved session cookie, it reports that there is no Session ID *header*.

So the problem is the missing Session ID header.

As a result, it ignores the session cookie, logs "Session cookie [SMSESSION] is not valid" and redirects to the authentication URL. There are two configurations that cause this:

  1. If the federation agent has DisableSessionVars set to yes (the default is no), it does not set the SessionID and SessionSpec headers. If those headers are not found (or more than one is found), the federation agent has to ignore the session, which leads to this error in the FWS trace log.
  2. If "ignoreurl=/affwebservices/public" is set in the Agent Configuration Object (ACO), the same error appears in the FWS trace log.

With ignoreurl=/affwebservices/public in the ACO, any URL containing /affwebservices/public is not authorized by the agent, so the required headers are never set.

So affwebservices can still decode the SMSESSION cookie, but when it later relies on the headers set by the regular CA Access Gateway (SPS) / Web Agent, it does not find them. The Federation Service therefore fails to validate the session and redirects back to the authentication URL.
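To make this diagnosis repeatable, the following added Python example (not part of the article or of CA's own tooling) parses FWStrace lines in the layout quoted above, detects the "cookie decoded but no session ID header" pattern, and flags the two ACO settings named in this section. The sample trace is constructed from the article's own lines; the function names, the federation endpoint `/affwebservices/public/saml2sso`, case-insensitive ACO parameter names and prefix matching for IgnoreUrl entries are assumptions.

```python
import re
from typing import Dict, Iterable, List, Optional, Union

# One FWStrace line in the layout the article quotes:
# [date][time][pid][tid][user][file][method][message]
_FWS_LINE = re.compile(
    r"^\[([^\]]*)\]\[([^\]]*)\]\[([^\]]*)\]\[([^\]]*)\]\[([^\]]*)\]"
    r"\[(?P<file>[^\]]*)\]\[(?P<method>[^\]]*)\]\[(?P<msg>.*)\]$"
)

# Assumed federation endpoint behind the login loop described in the article.
FED_URL = "/affwebservices/public/saml2sso"

# Constructed sample trace: the lines quoted in the article.
SAMPLE_TRACE = [
    "[05/17/2016][08:30:07][12418][2661268336][][FWSBase.java][isValidSession][Found SESSION cookie: SMSESSION]",
    "[05/17/2016][08:30:07][12418][2661268336][][FWSBase.java][isValidSession][Session ID is: /Pz43N5w8p45IpngiB4YrAcN3ec=]",
    "[05/17/2016][08:30:07][12418][2661268336][][FWSBase.java][isSessionIdle][Verifying validity of session cookie [SMSESSION] retrieved]",
    "[05/17/2016][08:30:07][12418][2661268336][][FWSBase.java][isSessionIdle][Request doesn't contain session ID header. Session cookie[SMSESSION]is not valid.]",
]

def parse_fws_line(line: str) -> Optional[Dict[str, str]]:
    m = _FWS_LINE.match(line.strip())
    return m.groupdict() if m else None

def session_header_missing(lines: Iterable[str]) -> bool:
    """True for the article's signature: the SMSESSION cookie was decoded (a
    Session ID was found) but isSessionIdle then saw no session ID header."""
    cookie_decoded = False
    for line in lines:
        rec = parse_fws_line(line)
        if rec is None:
            continue
        if rec["method"] == "isValidSession" and rec["msg"].startswith("Session ID is:"):
            cookie_decoded = True
        elif rec["method"] == "isSessionIdle" and "doesn't contain session ID header" in rec["msg"]:
            return cookie_decoded
    return False

def aco_findings(aco: Dict[str, Union[str, List[str]]]) -> List[str]:
    """Flag the two ACO settings the article names. Assumes parameter names are
    case-insensitive and that an IgnoreUrl entry is matched as a URL prefix."""
    params = {k.lower(): (v if isinstance(v, list) else [v]) for k, v in aco.items()}
    findings = []
    if (params.get("disablesessionvars") or ["no"])[0].strip().lower() == "yes":
        findings.append("DisableSessionVars=yes: SessionID/SessionSpec headers are never set; set it to no")
    for entry in (e.strip().lower() for e in params.get("ignoreurl", [])):
        if entry and FED_URL.startswith(entry):
            findings.append(f"IgnoreUrl {entry!r} covers {FED_URL}: request never authorized, headers not set; remove it")
    return findings
```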


Resolution

  • Set DisableSessionVars = no (the default value) in the Agent Configuration Object (ACO).
  • Remove /affwebservices/public from the IgnoreUrl ACO parameter if it is set.