Symantec Access Management

Currently, for one of our Secured URLs we are sending a 'Response' to the backend application.

It is a cookie variable which is being passed here.

Attribute : WebAgent-HTTP-Cookie-Variable

Attribute Kind : User Attribute

Value : Text

This Reponse passes the value called 'Password Expiration Time' for every user in the form of a cookie.

At the backend application, there is some compatibility while reading this expiration value.

But this issue is specific to a value such as, e.g. "99991231235959Z".

Goal: So what we want is that when this 'Response' is triggered, it should look into the value "99991231235959Z", if found, remove the cookie from SiteMinder Response.

Otherwise, send it on as usual.

Can this be achieved?

Anyone able to assist with this question?

Thank you

kumar.anurag

I may be wrong, however I don't think it is possible due to fact the way the product is designed.

Let me try to explain and see if this makes sense, please feel free to override my comments, if there is a way to do it in OOB product.

• The only cookies that the product actively monitors from Client perspective are what the product supports for SSO and Session Validation e.g.
  • SMSession (HTTPPluggin) or ZoneCookies.
  • SPSession (SPPluggin).
  • Foreign Cookie (SessionLinker). The SessionLinker can BLOT a Cookie Value for Orphan Cookies. I don't think the SessionLinker can BLOT a individual Cookie based on a Cookie Value.
    • All the above is done at WebAgent side. The WebAgent does not read any other Cookies even if it under the same Web Domain. Nor as of date I know of any configuration on WebAgent to read any other CookieName/CookieValue in addition to the OOB Cookies that the WebAgent reads. This is as per design.
    • You'd need an Enhancement request if you need this inbuilt into the Product.
  • Policy Server is out of the equation as it does not have access to Cookies. Hence I would not spend time trying to explain.

Having said this you could perhaps customized the solution a bit. Let SiteMinder fire the response and set the Cookie Header. You can certain write a small piece of code to check the Cookie Value and reset the Cookie Value if it matches "99991231235959Z". SiteMinder is not going to prevent the application code from rewriting the Cookie. Let know if this helps.

Regards

Hubert

Hi Anurag,

What you could also do here is, instead of using attribute of type "User Attribute", use "Active Response".

With Active Response , you have more flexibility in terms of what you can return.

So inside your Active Response (a custom java class ) , you can have a logic to return a special value (let's say -1) if the computed value is equal to "99991231235959Z".

This will not prevent SiteMinder from generating the cookie , but it will provide a way to return a special value which your application should be able to handle.

Hope this helps.

Cheers,

Ujwol

This is good Ujwol - my head wasn't thinking about this route.

Piggybacking on Ujwols recommendation. A slightly different variant would be to use SMWALKER and try to achieve the same capability of a custom Java Class i.e. if one would like to avoid writing a Java Class and use a CA shipped addon to SiteMinder.

Regards

Hubert

HubertDennis Ujwol

Thank you for your help!

i will try what you suggested.

Hope it helps.

Best Regards,

Anurag