We want to use the SDK to create cookies under different SSO Zones. How can we configure the AgentAPI to feed it SSOZoneName="Z1" so that it can be used to create a valid Z1SESSION cookie?

Article ID: 51424

Products

CA Single Sign On Secure Proxy Server (SiteMinder)
CA Single Sign On SOA Security Manager (SiteMinder)
CA Single Sign-On

Issue/Introduction


We want to use the SDK to create cookies under different SSO
Zones. How can we configure the AgentAPI to feed it SSOZoneName="Z1"
so that it can be used to create a valid Z1SESSION cookie?

Reading the documentation, we noticed that the createSSOToken function
just returns an encrypted b64 blob, it does not specify a cookie name,
or even that we store it in a cookie for that matter.

In the custom code module where we call the createSSOToken we must
have something that sets the cookie name, and also retrieves it when
decoding it. It is probably a const variable in our code, so
hopefully we should be able to change that however we like,
including creating a parameter that allows the cookie used to be
variable, so the zone name it picks up can be changed at runtime.

Environment


SDK all versions

Resolution


Overview


The Agent API sample JavaTestClient.java only interacts with the
Policy Server API; it does not show the interaction needed to process
the HTTP request or to extract and set cookie values. Accordingly, the
API createSSOToken function just returns an encrypted b64 blob; it does
not specify any HTTP-specific attributes such as a cookie name.

However, if your intent is to embed the AgentAPI calls into an
Application Server and have it set and get Siteminder session cookies
from the client (which is the most common usage of the API), then
you need to code the interface between the App server and the
Siteminder API yourself.

In the custom code module where you call createSSOToken you must
have something that sets the cookie name, and also retrieves it when
decoding; you can use whatever cookie name you wish. By
using the name "SMSESSION" for the cookie you will interact with the
normal Siteminder sites, but you can just as easily use "Z1SESSION"
and you will interact with the Siteminder zone "Z1".

Notes

  1: If you want your new session cookies accepted by normal web
  agents those web agents will have to have the following Agent
  Configuration Object entry set:

    AcceptTPCookies = YES

  2: In general with Siteminder Zones, you also want to be careful
  about creating too many zones: each cookie is fairly large, about 4k,
  and the HTTP headers are, by design, limited to about 8K. Exceeding
  this can have unintended consequences, such as the web server receiving
  only some of the client's cookies.

Sample Code Segments

You wrote:

> So are you saying that it should work? All we have to do is make
  sure we name the cookie properly?

  Yep, that's all there is to it.

You wrote:

> Can you provide a code sample that demonstrates this?

  The Siteminder SM SDK package does not provide a sample interacting
  with the App server, and there is no plan to include one.

But the calls will be standard calls to the javax.servlet packages,
along the lines of the following pseudo code. It assumes that you
already have the other code in place from the sample
JavaTestClient.java.

To set a zone session token:

The following pseudo code template shows how to take the ssoToken and
store it in a user cookie for the user.

  public void doGet(HttpServletRequest request, HttpServletResponse response) throws ServletException, IOException
  {
    [...]
    // createSSOToken fills ssoToken with the encrypted b64 blob; it knows nothing about cookies
    retcode = agentapi.createSSOToken(sessionDef, ssoAttrs, ssoToken);
    if (retcode != AgentAPI.SUCCESS)
      { throw new RuntimeException("Failure creating SSO Token");
      }
    String zoneName = "Z1";
    // the cookie name selects the SSO zone: "Z1" + "SESSION" gives Z1SESSION
    Cookie smcookie = new Cookie(zoneName + "SESSION", ssoToken.toString());
    smcookie.setDomain(".transpolar.com");
    response.addCookie(smcookie);
    [...]
  }

Note:

  The smcookie.setDomain(..) call is needed if your website is
  http://www.transpolar.com, although in some special circumstances, such
  as when your website is http://transpolar.com, you will need to leave
  the setDomain out - check your cookie programming guide for why.

To retrieve a zone session token:

The following pseudo code template shows how to retrieve a zone cookie
and pass it into the siteminder decode function.

  public void doGet(HttpServletRequest request, HttpServletResponse response) throws ServletException, IOException
  {
    String zoneName = "Z1";
    String sessionCookieName = zoneName + "SESSION";
    String sessionId = null;
    Cookie[] cookies = request.getCookies();
    if (cookies != null)
    {
      for (Cookie ck : cookies)
      {
        if (sessionCookieName.equals(ck.getName()))
        {
          // assign to the outer variable; redeclaring it here would leave sessionId null
          sessionId = ck.getValue();
          break;
        }
      }
    }
    [...]
    // check sessionId != null (no zone cookie sent) before calling decode
    retcode = agentapi.decodeSSOToken(sessionId, tokendesc, ssoRespAttrs, updateToken, updatedSSOToken);
  }

Note:

  The reason for the loop in general cookie handling is that a request
  can carry multiple cookies that have the same name. SiteMinder,
  however, expects only one.
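Pulling the two templates above together, here is an added helper (example code written for this article, not part of the SM SDK or the JavaTestClient.java sample) that derives the cookie name from a zone name supplied at runtime through a servlet init-param, sets the zone cookie with the HttpOnly and Secure flags, and refuses to hand a token to decodeSSOToken when the browser sent the zone cookie more than once. The class name and the init-param names SSOZoneName and SSOCookieDomain are assumptions; setHttpOnly needs Servlet 3.0 or later.

```java
import javax.servlet.ServletConfig;
import javax.servlet.http.Cookie;
import javax.servlet.http.HttpServletRequest;

// Hypothetical helper, not part of the SM SDK: maps a zone name to its
// session cookie and moves the createSSOToken blob in and out of that cookie.
public final class ZoneSessionCookie {
    private final String zoneName;     // "" selects the default SMSESSION cookie
    private final String cookieDomain; // null leaves setDomain() out
    public ZoneSessionCookie(String zoneName, String cookieDomain) {
        this.zoneName = zoneName == null ? "" : zoneName.trim();
        this.cookieDomain = cookieDomain;
    }
    // Reads the zone from the servlet's init-params so it can change per
    // deployment instead of being a constant in the code (assumed param names).
    public static ZoneSessionCookie fromInitParams(ServletConfig cfg) {
        return new ZoneSessionCookie(cfg.getInitParameter("SSOZoneName"),
                                     cfg.getInitParameter("SSOCookieDomain"));
    }
    // "Z1" -> "Z1SESSION"; no zone -> "SMSESSION"
    public String cookieName() {
        return zoneName.isEmpty() ? "SMSESSION" : zoneName + "SESSION";
    }
    // Wraps the blob returned by createSSOToken in the zone cookie.
    public Cookie toCookie(String ssoToken, boolean httpsOnly) {
        Cookie c = new Cookie(cookieName(), ssoToken);
        if (cookieDomain != null) c.setDomain(cookieDomain);
        c.setPath("/");
        c.setHttpOnly(true);     // keep page script from reading the token
        c.setSecure(httpsOnly);  // only send over TLS when the site is HTTPS
        return c;
    }

    // Returns the value to pass to decodeSSOToken, or null if absent. SiteMinder
    // expects one cookie per zone, so a duplicate name is an error, not a guess.
    public String fromRequest(HttpServletRequest request) {
        Cookie[] cookies = request.getCookies();
        if (cookies == null) return null;
        String found = null;
        for (Cookie ck : cookies) {
            if (!cookieName().equals(ck.getName())) continue;
            if (found != null)
                throw new IllegalStateException("duplicate " + cookieName() + " cookie");
            found = ck.getValue();
        }
        return found;
    }
}
```

In the servlet, build the helper once in init() with fromInitParams(getServletConfig()), call toCookie(ssoToken.toString(), request.isSecure()) after createSSOToken, and pass fromRequest(request) to decodeSSOToken after checking for null.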

Debugging Tip

A good debugging aid when trying to diagnose this sort of interaction
problem is to have a trace program that records the data and cookies
as processed by the client side. If you are using Firefox, the
Tamperdata module is excellent, and if you are using Internet Explorer
the Http Watch program is also useful. There are also various other
utilities available that do the same monitoring.

A capture from the user's side showing the problem would also be a
good help in understanding what is going on.