Symantec Access Management


CA SSO ActiveResponse Cookie with Client IP

  • 1.  CA SSO ActiveResponse Cookie with Client IP

    Posted 07-14-2017 07:37 AM



    I am new to CA SSO. I am trying to leverage CA SSO's ActiveResponse (WebAgent-HTTP-Cookie-Variable) with my custom code to retrieve the origination client IP address (user browser IP address) and return it to be set as a custom cookie name of my choice. I am leveraging the ActiveResponseSample that is part of the SDK.


    The ActiveResponseSample (from SDK) is using the SMAPI and JAVAAZAPI. Can you please guide me whether this is possible with active response, and if yes, which CA API should I use to retrieve the origination client IP address to be returned for setting an HTTP cookie? A simple code snippet will help me.


    Thanks in advance!



  • 2.  Re: CA SSO ActiveResponse Cookie with Client IP

    Posted 08-02-2017 10:07 PM

    Hi Prasee,


    You may not need Active Response to get this done.


    A few questions:


    • Are you going to have a Load Balancer or Proxy between client (browser) and web server?
    • Are you going to enable either PersistentIPCheck or TransientIPCheck settings?


    If either PersistentIPCheck or TransientIPCheck is enabled, then the client IP is stored in the default header HTTP_SM_CLIENT_IP, which you could use.


    If there is no proxy or LB between client and web server, then the browser IP is also stored in the default header HTTP_REMOTE_ADDR, which you may use. But this may not be useful if you have either a proxy or LB in between.






  • 3.  Re: CA SSO ActiveResponse Cookie with Client IP

    Posted 08-03-2017 03:15 AM

    Hello Ujwol,


    Thanks for the response. I can try to briefly describe my requirement.


    Basically we are trying to establish co-existence and seamless SSO between the new CA SSO and our legacy WAM infrastructure (as part of migration). Our legacy WAM product offers an API for AuthN and token generation. So the approach we decided on is as below:

    1) Use the Active Response and "OnAuthAccept" event in CA to invoke an API call (using custom JAR) and get the legacy WAM Session Token.

    2) Use the legacy WAM API to update the token received with the origination client IP address.

    3) Set the updated token (encoded) as a browser cookie (with the legacy WAM session cookie name).

    4) Allow seamless SSO between CA and legacy WAM.


    I am able to conceptually accomplish this. But I am stuck on two issues currently. They are:


    1) Step 2, where I will need the origination client IP address (that is actually available in the X-Forwarded-For header) in my custom active response code to update the token. Since I am unable to get this from the ActiveResponse API objects, I hard-coded my IP in my code and got this working seamlessly.


    2) If I clear my browser data and retry with a new request, my ActiveResponse class is not getting invoked. But if I restart the policy server, it gets executed. So for testing this approach every time, I am restarting the policy server and verifying.


    Can you help me with the two issues above?
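
The posts above note that HTTP_REMOTE_ADDR stops being the browser address once a proxy or load balancer sits in front of the web server, and that the originating address then arrives in X-Forwarded-For. The following is an added example, not part of the thread and not CA SDK code, showing how to pick the client address from that header when it is going to be bound into a session token: only entries appended by proxies you operate are trusted. The class name, the trusted-proxy list and the sample addresses are assumptions made for the illustration.

```java
import java.util.Arrays;
import java.util.HashSet;
import java.util.Set;

public class ClientIpResolver {
    // Assumption: addresses of the proxies / load balancers you operate.
    private final Set<String> trustedProxies;

    public ClientIpResolver(String... trustedProxies) {
        this.trustedProxies = new HashSet<>(Arrays.asList(trustedProxies));
    }

    /**
     * @param remoteAddr    TCP peer address seen by the web server
     * @param xForwardedFor raw X-Forwarded-For header value, may be null
     * @return the address to treat as the originating client
     */
    public String resolve(String remoteAddr, String xForwardedFor) {
        // Peer is not one of our proxies: the header came straight from the
        // client and can contain anything, so ignore it.
        if (xForwardedFor == null || !trustedProxies.contains(remoteAddr)) {
            return remoteAddr;
        }
        String[] hops = xForwardedFor.split(",");
        // Each proxy appends the peer it saw, so walk right to left and stop
        // at the first hop that is not ours. Entries further left were
        // supplied by the client and are not trustworthy.
        for (int i = hops.length - 1; i >= 0; i--) {
            String hop = hops[i].trim();
            if (!hop.isEmpty() && !trustedProxies.contains(hop)) {
                return hop;
            }
        }
        return remoteAddr; // header held only our own proxies
    }

    public static void main(String[] args) {
        // Constructed sample values (documentation address ranges).
        ClientIpResolver r = new ClientIpResolver("198.51.100.10");
        // Normal request through the load balancer.
        System.out.println(r.resolve("198.51.100.10", "203.0.113.7"));
        // Client sent its own X-Forwarded-For; the LB appended the real peer.
        System.out.println(r.resolve("198.51.100.10", "192.0.2.1, 203.0.113.7"));
        // Direct connection with a forged header: header is ignored.
        System.out.println(r.resolve("203.0.113.7", "192.0.2.1"));
    }
}
```

Taking the left-most header entry instead would let any client choose the address that ends up in the token.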

  • 4.  Re: CA SSO ActiveResponse Cookie with Client IP

    Posted 08-03-2017 09:30 PM

    Hi Prasee,


    The second one is easy.

    By default, active response is cached, so next time it is needed it would get the cached value.

    You can disable this and configure it to evaluate every time as below:



    The first one is tricky. There isn't any existing API to retrieve the clientIP of the current session in Active Response.

    Still researching this...




  • 5.  Re: CA SSO ActiveResponse Cookie with Client IP

    Posted 08-04-2017 04:19 AM

    Hello Ujwol,


    Thanks again for your response.


    For the second one, I tried using your recommendation but it is not helping me. Even after setting that configuration and doing a server restart, my custom ActiveResponse class file doesn't seem to be invoked. It gets invoked only once, and that is for the first attempt after I do a PS server restart. Below is the configuration of my active response for an application onboarded (under applications, and not under domain). Can you help?



    For the client IP, is there any other way to get the origination client IP to my code?


    And to go back, is my planned approach correct? Or should I consider a different approach for accomplishing the co-existence with my legacy WAM? Do you recommend any other alternatives?

  • 6.  Re: CA SSO ActiveResponse Cookie with Client IP
    Best Answer

    Posted 08-06-2017 10:44 PM

    Hi Prasee, 


    The logic looks right.


    I just created a blog for your use case, please give this a try and let me know:

    Tech Tip : CA Single Sign-On :Policy Server:How to access CA SSO generated response attributes in ActiveResponse 


    For the active response not executing a second time, have you checked if the web agent is even making a request to the Policy Server or just serving it from local cache?

    Or could it also be cached by the browser?


    From my testing, the active response did trigger every time.




  • 7.  Re: CA SSO ActiveResponse Cookie with Client IP

    Posted 08-07-2017 07:53 AM

    Hello Ujwol,


    Thanks a ton! The Client IP works like a charm.


    Regarding the active response not getting invoked a second time, along with the existing ActiveResponse cookie, I created another static cookie (like Example=Test) and I am able to see that this example static cookie is getting set every time I clear my browser session and retry. However, my custom class alone is not getting invoked. This is looking strange.