
Tech Tip - CA Single Sign-On:Web Agent:: Introduction to SMUSRMSG cookie

By Ujwol posted 04-02-2017 10:58 PM


Question

In this blog we will clarify the following questions about the SMUSRMSG cookie:

  • What is the SMUSRMSG cookie?
  • Under which scenarios is this cookie created?
  • Is it recommended to configure a custom cookie response to create this cookie?
  • Can someone steal this cookie and decrypt it?
  • When is this cookie deleted?

Environment

  • Policy Server : R12.52 SP1 and above
  • Web Agent : ANY

Answer


  • What is the SMUSRMSG cookie?

The SMUSRMSG cookie is an encrypted cookie used to communicate error messages to the end user. It is created automatically by the web agent in a few scenarios, listed below.

  • Under which scenarios is this cookie created?

This cookie is created automatically by the web agent in the following scenarios:


When using a custom authentication scheme (e.g. Java), if a custom error text is set by calling the setUserText() API.

More details here: https://communities.ca.com/community/ca-security/ca-single-sign-on/blog/2016/10/05/tech-tip-ca-single-sign-on-policy-serverhow-to-set-custom-error-message-using-custom-authentication-scheme


When using basic password policies (BPS), if:

  • The user's password has expired. The cookie contains the reason the password expired.
  • During the force password change flow, the new password doesn't meet the password complexity requirement. The cookie contains the reason the new password failed to be set against the password policy.

  • Is it recommended to configure a custom cookie response to create this cookie?

It is NOT recommended to set this cookie manually by configuring a response cookie on an authentication/authorization event, as this is a proprietary cookie used exclusively by the web agent. Setting it manually may have unexpected consequences.

  • Can someone steal this cookie and decrypt it?

Except for the custom authentication use case, the SMUSRMSG cookie is always encrypted using the agent keys. So, even if someone steals this cookie, they won't be able to decrypt it. In the custom authentication case the text passed to setUserText() is what the end user is meant to see, so only a message intended for the user belongs there.

  • When is this cookie deleted?

In native mode, the Agent deletes the cookie after a successful login, while redirecting back to the target URL.

In 4.x compatibility mode, the Agent deletes the cookie after generating the FORMCRED cookie, while redirecting back to the target URL.
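As an added, stand-alone check (example code written for this page, not from the tech tip or from CA), here is a small Python helper that walks a captured login exchange and confirms that the agent set SMUSRMSG on the failed login and cleared it again on the post-login redirect, which is the native-mode behaviour described above. The HTTP responses, hostnames and cookie values are constructed sample data, not a real Web Agent capture; the agent's real cookie value is an encrypted blob and is represented here by a placeholder.

```python
"""Audit an HTTP exchange for the SMUSRMSG set/clear lifecycle.

Added example, not part of the original tech tip. All responses below are
constructed sample data; the SMUSRMSG value is a placeholder, not a real
encrypted cookie.
"""
from datetime import datetime, timezone
from email.utils import parsedate_to_datetime
from http.cookies import SimpleCookie

COOKIE = "SMUSRMSG"


def parse_set_cookie(headers):
    """Collect every Set-Cookie header of one response into a SimpleCookie jar."""
    jar = SimpleCookie()
    for name, value in headers:
        if name.lower() == "set-cookie":
            jar.load(value)
    return jar


def is_deletion(morsel, now):
    """True when this Set-Cookie removes the cookie from the browser:
    Max-Age <= 0, an Expires date in the past, or an emptied value."""
    if morsel["max-age"]:
        return int(morsel["max-age"]) <= 0
    if morsel["expires"]:
        return parsedate_to_datetime(morsel["expires"]) <= now
    return morsel.value == ""


def audit_smusrmsg_lifecycle(exchange, now=None):
    """Walk the responses in order and report whether SMUSRMSG, once set,
    was cleared again before the end of the exchange."""
    now = now or datetime.now(timezone.utc)
    findings = []
    pending = False  # cookie currently set and not yet cleared
    for resp in exchange:
        jar = parse_set_cookie(resp["headers"])
        if COOKIE not in jar:
            continue
        if is_deletion(jar[COOKIE], now):
            if pending:
                findings.append(f"{resp['step']}: {COOKIE} cleared by agent")
                pending = False
            else:
                findings.append(f"{resp['step']}: {COOKIE} cleared but was never set")
        else:
            findings.append(f"{resp['step']}: {COOKIE} set")
            pending = True
    if pending:
        findings.append(f"{COOKIE} still present at end of exchange (not cleared after login)")
    return {"cleared": not pending, "findings": findings}


# Constructed sample: expired password -> SMUSRMSG set; successful login ->
# agent clears the cookie while redirecting to the target URL (native mode).
SAMPLE_NATIVE_MODE = [
    {"step": "login-rejected", "status": 302, "headers": [
        ("Location", "https://sso.example.com/siteminderagent/forms/login.fcc"),
        ("Set-Cookie", "SMUSRMSG=PLACEHOLDER-ENCRYPTED-VALUE; Path=/; Domain=.example.com"),
    ]},
    {"step": "login-ok-redirect", "status": 302, "headers": [
        ("Location", "https://app.example.com/protected/"),
        ("Set-Cookie", "SMSESSION=PLACEHOLDER-SESSION-VALUE; Path=/; Domain=.example.com"),
        ("Set-Cookie", "SMUSRMSG=; Path=/; Domain=.example.com; "
                       "Expires=Thu, 01 Jan 1970 00:00:00 GMT"),
    ]},
]

# Constructed sample of the failure the audit is meant to catch: the redirect
# after login never clears SMUSRMSG.
SAMPLE_MISSING_CLEAR = [
    SAMPLE_NATIVE_MODE[0],
    {"step": "login-ok-redirect", "status": 302, "headers": [
        ("Location", "https://app.example.com/protected/"),
        ("Set-Cookie", "SMSESSION=PLACEHOLDER-SESSION-VALUE; Path=/; Domain=.example.com"),
    ]},
]

if __name__ == "__main__":
    for label, exchange in (("native", SAMPLE_NATIVE_MODE), ("missing-clear", SAMPLE_MISSING_CLEAR)):
        result = audit_smusrmsg_lifecycle(exchange)
        print(label, "cleared" if result["cleared"] else "NOT cleared")
        for line in result["findings"]:
            print("  ", line)
```

To use it against a real flow, replace the constructed lists with the response headers captured from a browser or proxy for the failed login and the subsequent successful login; in 4.x compatibility mode the clearing response is the one that also sets FORMCRED rather than the target redirect, so the same audit applies with that response in the list.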

Testing:

When the new password doesn't meet the password complexity requirement (screenshots from the original post not reproduced here)
