We have a requirement to send the SiteMinder user session ID to the application for some logic. Is it secure, from a security perspective, to send the SiteMinder user session ID to the application via a SiteMinder header response?
Any help will be greatly appreciated.
If it's in your domain and participating in SSO, wouldn't it already have the session ID (and encrypted cookie value)? It's also one of the default headers available to Web Agents (if not disabled in the ACO):
Indicates a unique string that identifies a user session.
Sessions are important to protect, but so long as it's sent securely in a header and the application handles it all safely, not sure why it'd be a problem.