Description
We have two separate infrastructures: one is our SiteMinder pre-production infrastructure and the second is our production environment.
We have found that the SMSESSION cookie generated by pre-production can be used in our production environment and vice versa.
Is there any reason why an SMSESSION cookie from separate SiteMinder Policy Servers can be validated? This poses a vulnerability since the application is external facing.
Solution
SSO between both environments is possible because the SiteMinder Policy Server is able to decrypt the SMSESSION cookie.
SiteMinder Web Agents use agent keys to encrypt and decrypt the cookies issued by the SiteMinder Policy Server. Therefore, this suggests that both environments share the same set of agent keys.
Please note that Policy Server supports two types of Agent keys:
To fix this problem, both environments must have different agent keys. You can roll over the agent keys in the Admin UI under Tools -> Manage Keys, then restart your web agents and confirm that the SM Web Agents pick up their unique new keys.
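As an added regression check (not part of the original article or of the SiteMinder product): after the key rollover, replay an SMSESSION cookie you obtained from each environment against a protected resource in the other and expect it to be rejected. The hostnames, the protected path and the login-redirect heuristic are assumptions; substitute your own.

```python
"""Cross-environment SMSESSION check: a cookie issued by one SiteMinder
environment must NOT be honoured by the other once agent keys differ.
Added example, not from the original article. Hostnames, the protected
path and the login-redirect heuristic are assumptions."""
import urllib.error
import urllib.request
from typing import Callable, Dict, Tuple

# Constructed placeholders: one agent-protected URL per environment.
ENVIRONMENTS = {
    "preprod": "https://preprod.example.invalid/protected/",
    "prod": "https://www.example.invalid/protected/",
}

def http_probe(url: str, smsession: str) -> Tuple[int, str]:
    """Send the cookie without following redirects; return (status, Location)."""
    class NoRedirect(urllib.request.HTTPRedirectHandler):
        def redirect_request(self, req, fp, code, msg, headers, newurl):
            return None  # surface the 3xx instead of following it
    req = urllib.request.Request(url, headers={"Cookie": f"SMSESSION={smsession}"})
    try:
        with urllib.request.build_opener(NoRedirect).open(req, timeout=10) as resp:
            return resp.status, resp.headers.get("Location", "")
    except urllib.error.HTTPError as err:
        return err.code, err.headers.get("Location", "")

def cookie_accepted(status: int, location: str) -> bool:
    """Heuristic: a 2xx means the Web Agent decrypted and trusted the cookie;
    a 401 or a redirect to a login page means it was rejected. Anything else
    is counted as accepted so that an odd response is flagged, not ignored."""
    if 200 <= status < 300:
        return True
    if status == 401:
        return False
    return not (300 <= status < 400 and "login" in location.lower())

def check_isolation(cookies: Dict[str, str],
                    probe: Callable[[str, str], Tuple[int, str]] = http_probe
                    ) -> Dict[Tuple[str, str], bool]:
    """cookies maps env name -> SMSESSION value obtained by logging in to that env.
    Returns {(issuer, target): accepted} for every cross-environment pair."""
    results: Dict[Tuple[str, str], bool] = {}
    for issuer, smsession in cookies.items():
        for target, url in ENVIRONMENTS.items():
            if target != issuer:
                status, location = probe(url, smsession)
                results[(issuer, target)] = cookie_accepted(status, location)
    return results

def isolated(results: Dict[Tuple[str, str], bool]) -> bool:
    """True only when no cookie was honoured across an environment boundary."""
    return not any(results.values())
```

Run it once before the rollover (expect failures, as the article describes) and once after the agents have restarted with their new keys (expect every pair rejected).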