Create cookies under different SSO Zones in Custom SDK Agent

Article ID: 51424

Products

CA Single Sign On Secure Proxy Server (SiteMinder), CA Single Sign On SOA Security Manager (SiteMinder), CA Single Sign-On, CA Single Sign On Agents (SiteMinder), SITEMINDER

Issue/Introduction

Can SDK be used to create cookies under different SSO Zones? How can we configure the AgentAPI to feed it SSOZoneName="Z1" so that it can be used to create a valid Z1SESSION cookie?

According to the documentation, the createSSOToken function just returns an encrypted base64 blob; it does not specify a cookie name, or even that the token is stored in a cookie at all.

In the custom code module where createSSOToken is called, there should be something that sets the cookie name and also retrieves it when decoding the token. It is probably a constant in the code.

Can the SDK code be used to create a parameter that allows the cookie used to be variable so the zone name it picks up can be changed at runtime?

Environment

SDK all versions

Resolution

Overview

The Agent API sample JavaTestClient.java interacts with the Policy Server API, but it does not show the interaction needed to process the HTTP request and to extract and set cookie values. As such, the API's createSSOToken function returns an encrypted base64 blob; it does not specify any HTTP-specific attributes such as a cookie name.

However, when the AgentAPI calls are embedded in an Application Server so that it sets and gets SiteMinder session cookies from the client (which is the most common usage of the API), the interface between the App server and the SiteMinder API has to be coded by the application.

In the custom code module where createSSOToken is called, that code must set the cookie name, and must also retrieve the cookie under the same name when decoding the token. By using the name "SMSESSION" for the cookie, the cookie will interact with normal SiteMinder sites. The cookie name can just as easily be "Z1SESSION", in which case it will interact with the SiteMinder zone "Z1".


Notes

  1. If the new session cookies are to be accepted by normal Web Agents, those Web Agents must have the following Agent Configuration Object entry set:

    AcceptTPCookies = YES

  2. In general, with SiteMinder Zones, be careful about creating too many zones. Each cookie is fairly large (about 4K) and the HTTP headers are, by design, limited to about 8K. Exceeding this can have unintended consequences, such as the Web Server receiving only some of the client's cookies.

Sample Code Segments

The SiteMinder SM SDK package does not provide a sample interacting with the App server, and there is no plan to include one.

However, the calls will be standard calls to the javax.servlet packages, along the lines of the following pseudo-code. It assumes that you already have the other code in place from the sample JavaTestClient.java.

To set a zone session token:

The following pseudo-code template shows how to take the ssoToken and store it in a user cookie for the user.

  public void doGet(HttpServletRequest request, HttpServletResponse response) throws ServletException, IOException
  {
    [...]
    // sessionDef, ssoAttrs and ssoToken are set up as in JavaTestClient.java
    retcode = agentapi.createSSOToken(sessionDef, ssoAttrs, ssoToken);
    if (retcode != AgentAPI.SUCCESS)
      { throw new RuntimeException("Failure creating SSO Token");
      }
    // The zone name determines the cookie name: zone "Z1" -> cookie "Z1SESSION"
    String zoneName = "Z1";
    Cookie smcookie = new Cookie(zoneName + "SESSION", ssoToken.toString());
    smcookie.setDomain(".transpolar.com");
    response.addCookie(smcookie);
    [...]
  }

Note:

  The smcookie.setDomain(..) call is needed if the website is http://www.transpolar.com. In some special circumstances, such as when the website is http://transpolar.com, you will need to leave the setDomain call out; check the cookie programming guide for why.

To retrieve a zone session token:

The following pseudo-code template shows how to retrieve a zone cookie and pass it into the SiteMinder decode function.

  public void doGet(HttpServletRequest request, HttpServletResponse response) throws ServletException, IOException
  {
    String zoneName = "Z1";
    String sessionCookieName = zoneName + "SESSION";
    String sessionId = null;
    Cookie[] cookies = request.getCookies();   // null when the request carries no cookies at all
    if (cookies != null)
    {
      for (Cookie ck : cookies)
      {
        if (sessionCookieName.equals(ck.getName()))
        {
          // Assign to the outer variable; declaring a new String here would
          // shadow it and leave sessionId null after the loop.
          sessionId = ck.getValue();
          break;
        }
      }
    }
    if (sessionId == null)
    {
      // No zone cookie present: the user has no session in this zone
      [...]
    }
    [...]
    retcode = agentapi.decodeSSOToken(sessionId, tokendesc, ssoRespAttrs, updateToken, updatedSSOToken);
    [...]
  }

Note:

The reason for the loop in general cookie handling is that a request can carry multiple cookies with the same name. SiteMinder, however, expects only one.
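The two templates above hard-code the zone name. As an added example (not part of the SDK samples or this article's original code), the following servlet reads the zone name and cookie domain from init-params so the zone can be changed at deployment time, and factors the set/get logic into helpers that can be called around createSSOToken and decodeSSOToken. The class and init-param names are hypothetical; the duplicate-cookie check enforces the "SiteMinder expects only one" note above.

```java
import javax.servlet.ServletException;
import javax.servlet.http.Cookie;
import javax.servlet.http.HttpServlet;

// Hypothetical helper servlet: zone name and cookie domain come from
// servlet init-params (names are assumptions) instead of constants.
public class ZoneSessionServlet extends HttpServlet {
    private String zoneName;      // e.g. "Z1"; "SM" yields the standard SMSESSION name
    private String cookieDomain;  // null = do not call setDomain() (see the note above)

    @Override
    public void init() throws ServletException {
        zoneName = getInitParameter("smZoneName");
        if (zoneName == null || zoneName.isEmpty()) {
            zoneName = "SM";
        }
        cookieDomain = getInitParameter("smCookieDomain"); // may legitimately be null
    }

    // SiteMinder zone cookies are named <zone>SESSION, e.g. Z1SESSION.
    String sessionCookieName() {
        return zoneName + "SESSION";
    }

    // Wraps a token returned by AgentAPI.createSSOToken() in the zone cookie.
    Cookie buildSessionCookie(String ssoToken) {
        Cookie c = new Cookie(sessionCookieName(), ssoToken);
        c.setPath("/");
        if (cookieDomain != null) {
            c.setDomain(cookieDomain);
        }
        c.setSecure(true);    // only send the session token over HTTPS
        c.setHttpOnly(true);  // Servlet 3.0+: keep the token away from page script
        return c;
    }

    // Returns the token to pass to AgentAPI.decodeSSOToken(), or null if absent.
    // A second cookie of the same name is reported instead of silently using the first.
    String findSessionToken(Cookie[] cookies) {
        if (cookies == null) {
            return null;
        }
        String token = null;
        for (Cookie ck : cookies) {
            if (!sessionCookieName().equals(ck.getName())) {
                continue;
            }
            if (token != null) {
                throw new IllegalStateException("Duplicate " + sessionCookieName() + " cookie");
            }
            token = ck.getValue();   // assign, never redeclare, to avoid shadowing
        }
        return token;
    }
}
```

In doGet, `response.addCookie(buildSessionCookie(ssoToken.toString()))` replaces the set template and `findSessionToken(request.getCookies())` supplies the first argument to decodeSSOToken.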

Debugging Tip

A good debugging aid when diagnosing these sorts of interaction problems is a trace program that records the data and cookies as processed by the client side. If Firefox is in use, the Tamper Data module is excellent, as are HTTP Watch and Fiddler. Various other utilities are available that do the same monitoring.

A trace taken from the user's side while the problem occurs is also a good help in understanding what is going on.