Symantec Access Management

  • 1.  SMSAMLDATA is encrypted in HTTP_HEADER redirect mode but need plain headers

    Posted May 10, 2017 04:04 AM

    Hi team,

    I have a partnership built between 2 SiteMinder environments. The IdP end sends assertion attributes along for the user (mobile, givenName).

    My SP end sends the attributes to the target application via HTTP_HEADER mode.

    Here, the data is received in the SMSAMLDATA cookie value and is encrypted. I am not able to get the data in plain text and in the header list.

     

     

    I do need the data in plain text in header for the application to process it. I do not want to use "cookie data" mode which actually sends the data plain text.

    Is there any ACO parameter or any other SPS setting causing it to get encrypted or is it normal behavior?

     

    Please help.

     

    Thanks,

    Debasish Sarkar.



  • 2.  Re: SMSAMLDATA is encrypted in HTTP_HEADER redirect mode but need plain headers
    Best Answer

    Posted May 10, 2017 06:55 AM

    Hi Debasish,

     

    Yes, the SMSAMLDATA cookie will be encrypted, which is expected, and apart from that you will find the assertion attributes as header variables.

     

    If you select HTTP Headers as the redirect mode, CA Single Sign-On can deliver multiple attribute values in a single header. Separate each attribute value with a comma. This option is only for SAML 1.1 and 2.0.

     

    Assertion data can be passed using HTTP headers.

    Follow these steps:

    1. Verify that the CA Single Sign-On web agent is installed on the relying party system that is handling federation traffic.
    2. Navigate to web_agent_home/conf and modify the WebAgent.conf file. Uncomment the following entry so it appears as follows:
      • Windows
      LoadPlugin="path\SAMLDataPlugin.dll"
      • UNIX
      LoadPlugin="path/SAMLDataPlugin.so"
    3. (Optional but recommended) Add the fedheaderprefix setting to the appropriate Agent Configuration Object for the web agent. Enter any string as a prefix.
      The fedheaderprefix setting specifies a global prefix that CA Single Sign-On adds to HTTP headers. Setting a prefix protects HTTP headers against manipulation by an unauthorized user before CA Single Sign-On consumes an assertion. As a result, only legitimate headers get passed to the target application. Read more about protecting HTTP headers.
    4. Do one of the following tasks in the Application Integration step of the partnership wizard:
      • Select HTTP Headers as the Redirect Mode for the target application.
      • Select HTTP Headers as the Delivery Option for user provisioning.

    HTTP headers are now configured to pass attribute data.

    Refer to the following for more details:

    Pass Assertion Data as HTTP Headers to Relying Party Applications - CA Single Sign-On - 12.6.01 - CA Technologies Docume… 

     

    Thanks,

    Sharan 
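
The application side of the setup described in the answer above, as an added example that is not part of the original posts or of CA's code: a WSGI-style reader that takes federation attributes only from headers carrying the configured prefix and splits the comma-separated multi-values. The prefix value `ACMEFED_`, the header naming (prefix followed by the attribute name) and the sample request are assumptions made for illustration.

```python
# Added example: read assertion attributes delivered as HTTP headers.
# Assumptions (not from the thread): the fedheaderprefix value, and that the
# header name is the prefix followed directly by the attribute name.
FED_HEADER_PREFIX = "ACMEFED_"                     # hypothetical prefix
EXPECTED_ATTRS = frozenset({"mobile", "givenName"})  # attributes named in the thread


def federation_attributes(environ, prefix=FED_HEADER_PREFIX, expected=EXPECTED_ATTRS):
    """Return {attribute: [values]} taken only from prefixed, expected headers."""
    # WSGI exposes request header "Foo-Bar" as environ["HTTP_FOO_BAR"].
    wanted = {
        ("HTTP_" + prefix + name).upper().replace("-", "_"): name
        for name in expected
    }
    attrs = {}
    for key, raw in environ.items():
        name = wanted.get(key)
        if name is None:
            continue  # unprefixed or unexpected header: never treated as assertion data
        # Multiple attribute values arrive in one header, separated by commas,
        # so a value that itself contains a comma cannot be told apart here.
        values = [v.strip() for v in raw.split(",") if v.strip()]
        if values:
            attrs[name] = values
    return attrs


# Constructed sample request environment (not captured traffic).
SAMPLE_ENVIRON = {
    "REQUEST_METHOD": "GET",
    "HTTP_MOBILE": "000-spoofed",                 # no prefix: ignored
    "HTTP_ACMEFED_MOBILE": "555-0100, 555-0101",  # two values in one header
    "HTTP_ACMEFED_GIVENNAME": "Debasish",
    "HTTP_ACMEFED_ROLE": "admin",                 # prefixed but not expected: ignored
}

if __name__ == "__main__":
    for attr, values in sorted(federation_attributes(SAMPLE_ENVIRON).items()):
        print(attr, values)
```

The prefix check only helps when the application is reachable solely through the web agent; a client that can reach the application directly can send any header name it likes.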



  • 3.  Re: SMSAMLDATA is encrypted in HTTP_HEADER redirect mode but need plain headers

    Posted May 10, 2017 07:26 AM

    Hi Sharana, 

    Thanks for the reply. I did happen to forget to enable the SAMLdata plugin, for which the headers were not getting populated.

     

    Thanks,

    Debasish.



  • 4.  Re: SMSAMLDATA is encrypted in HTTP_HEADER redirect mode but need plain headers

    Posted May 10, 2017 07:33 AM

    If I’ve answered your question, please mark my response as the Correct Answer.

     

    Thanks,

    Sharan