
Questions about session tokens SMSESSION and SMIDENTITY


Article ID: 54112


Products

- CA Single Sign On Secure Proxy Server (SiteMinder)
- CA Single Sign On SOA Security Manager (SiteMinder)
- CA Single Sign-On
- SITEMINDER

Issue/Introduction

 

- What are SMSESSION and SMIDENTITY?

- Which component provides the SM session and SM identity to the
  browser: the SiteMinder agent, the Policy Server, or something else?

- What information do SMSESSION and SMIDENTITY contain?

- Is SMSESSION a cookie or a session, and why is the value of SMSESSION
  just a session ID?

 

Resolution

 

SMSESSION and SMIDENTITY are cookies created in the default security
zone ("SM"). These cookies contain similar information.

The SiteMinder session cookie (SMSESSION) contains a set of
information including the user's SiteMinder session ID, their
SiteMinder session ticket, and timeouts.

The SiteMinder identity (SMIDENTITY) cookie is similar, but is only
used for anonymous access to resources. The identity cookie contains a
unique identifier for users who have not yet logged in, and is
replaced with an identity cookie containing information specific to
the user once they have logged into a protected resource. The identity
cookie is affected by the user tracking feature of the Policy
Server. Consult the documentation for more information on this
feature.

The SiteMinder Web Agent or Custom Agent sends the request to the
web server, and the web server sends the Set-Cookie header to the
client browser.

For details beyond this, review the API guides.

SMSESSION

- Sm_AgentApi_DecodeSSOToken()

  Decodes a single sign-on token and returns a subset of its attributes.

  Attribute list:

  SM_AGENTAPI_ATTR_USERDN
  SM_AGENTAPI_ATTR_SESSIONSPEC
  SM_AGENTAPI_ATTR_SESSIONID
  SM_AGENTAPI_ATTR_USERNAME
  SM_AGENTAPI_ATTR_CLIENTIP
  SM_AGENTAPI_ATTR_DEVICENAME
  SM_AGENTAPI_ATTR_IDLESESSIONTIMEOUT
  SM_AGENTAPI_ATTR_MAXSESSIONTIMEOUT
  SM_AGENTAPI_ATTR_STARTSESSIONTIME
  SM_AGENTAPI_ATTR_LASTSESSIONTIME
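
The attributes above are enough to sanity-check a decoded session on the application side. The following is an added example, not code from this article or from the SiteMinder SDK: it assumes the attributes have already been decoded into a dict keyed by the names listed above, that the session times are epoch seconds, that timeouts are in seconds, and that a timeout of 0 means no limit. The function name and the sample record are hypothetical.

```python
# Added example: checks over attributes already decoded from an SMSESSION token.
# Assumptions (not from the article): dict keyed by SM_AGENTAPI_ATTR_* names,
# times in epoch seconds, timeouts in seconds, timeout 0 = no limit.

P = "SM_AGENTAPI_ATTR_"
REQUIRED = (P + "SESSIONID", P + "USERDN",
            P + "STARTSESSIONTIME", P + "LASTSESSIONTIME")

def check_session(attrs, request_ip, now):
    """Return a list of findings; an empty list means nothing looked wrong."""
    missing = [k for k in REQUIRED if k not in attrs]
    if missing:
        # Without these, none of the later checks are meaningful.
        return ["missing:" + ",".join(missing)]

    start = int(attrs[P + "STARTSESSIONTIME"])
    last = int(attrs[P + "LASTSESSIONTIME"])
    idle = int(attrs.get(P + "IDLESESSIONTIMEOUT", 0))
    maximum = int(attrs.get(P + "MAXSESSIONTIMEOUT", 0))

    findings = []
    if last < start or start > now:
        findings.append("inconsistent-times")
    if maximum and now - start > maximum:
        findings.append("max-timeout-exceeded")
    if idle and now - last > idle:
        findings.append("idle-timeout-exceeded")

    # The token records the client IP it was issued to; a different source
    # address on the current request is worth logging and reviewing.
    client_ip = attrs.get(P + "CLIENTIP")
    if client_ip and client_ip != request_ip:
        findings.append("client-ip-mismatch")
    return findings

# Constructed sample record (not real data).
SAMPLE = {
    P + "SESSIONID": "constructed-session-id",
    P + "USERDN": "uid=jdoe,ou=people,dc=example,dc=com",
    P + "CLIENTIP": "192.0.2.10",
    P + "IDLESESSIONTIMEOUT": 600,
    P + "MAXSESSIONTIMEOUT": 7200,
    P + "STARTSESSIONTIME": 1_700_000_000,
    P + "LASTSESSIONTIME": 1_700_003_000,
}

if __name__ == "__main__":
    print(check_session(SAMPLE, "198.51.100.7", 1_700_003_700))
```
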

SMIDENTITY

- The user's identity ticket. SiteMinder returns this if the user
  tracking feature has been enabled.

  The session cookie contains a session ID, as well as additional
  information. The actual value of the cookie is opaque and cannot be
  used to determine state directly. Agents will decode the cookie upon
  receipt and will set headers with pertinent information (such as the
  user's session ID, the session ticket, and the user's identity). See
  the Web Agent documentation for more information.