We are planning to implement CORS in Siteminder, in the process of doing so, we are not able to pass the CORS Cookie even if Credentials is set to Include. After some research, we found out that there is a way to achieve this, by setting the cookie we intend to pass on in our case SM Session Cookie to SameSiteMode.None. Is this possible in Siteminder ? Please do let us know if there is an alternative to this method in passing the SM Session Cookie.
I believe you have determined the right solution.
CA SSO handles multi-domain sso by passing the SMSESSION value as a query parameter or as a GUID on redirects from the Cookie Provider so they can be set in the origin Agent's domain. CORS implementations tend to be restrictive about requests and passing cookies across domains without specific settings. CA SSO relies heavily on redirects and cookies so adding CORS to the environments can be challenging.
If you use a header trace and look at the various cookies with CORS enabled, you can see the SameSite value as either Strict, Lax, or blank. This can help with troubleshooting as you can them compare the cookie domain and it's SameSite value against what you have configured to see why some cookies are passed and others are not. Strict being the most restrictive, Lax will allow top level requests, and None leaves the SameSite value blank.
Also note that if you set your MinimumSameSitePolicy to anything other than None, setting individual cookies to None will no longer work as they will be set to whatever Minimum was configured.
Hope this helps!
Thanks a lot, David for your reply. I have a few questions:
1. For SM Session cookie, where do we set the SameSite Value, is this an ACO setting or somewhere else.
2. Can you please do correct me if I am wrong, the Minimum Same Sie Policy is a setting of the browser?
No these aren't CA SSO settings.
First CORS needs to be enabled at the WebServer, IIS seems to be the most common. Then if you are using ASP.NET your application needs to be modified for these settings.I won't really be able to supply any more details than that as it tends to be all custom for each customer's application. We do see Support tickets come in related to CORS, but generally they are resolved outside of CA SSO. Typically CORS is enabled and SSO breaks, once this is identified as the root cause, the app teams can make tweaks to the configuration to work around it. This can be actual CORS settings or using ACOs like WebAppClientResponse or OverlookSessionforMethods for example.
CA Services might be able to assist with this implementation if necessary.
For .fcc pages in IIS there is a problem adding CORS and HSTS headers.
In Access Gateway - there is workaround - but also Idea so that Access Gateway agent handles them as part of SSO product :
Access Gateway should include support for SameSite cookie attribute
Generally global rule is added to IIS or Apache to add the headers but for SSO .fcc pages in IIS there is a problem that ASP.NET does not run on pages handled by native code module - so it does not add these headers to .fcc pages.
Here is the Idea to fix agent to handle these headers for .fcc pages :
Ability to add HSTS and CORS headers to .fcc pages
But for the rest of the content, protected by SSO, and served by the webserver or backend the headers will be present.
Cheers - Mark
Thanks a lot Mark.