Symantec Access Management

 View Only
  • 1.  Webagent not creating correct SMSESSION cookie domain

    Posted Jul 13, 2018 08:37 PM

    We recently made numerous experimental ACO configuration changes to the Federation Services Domain ACO to test inbound SAML SSO authentication, and we are now noticing that the web agent for the federation services domain will only create the SMSESSION cookie for the primary domain.

     

    The Apache web server for the Federation Services has three domains:

     

    domain 1 = abc.com

    domain 2 = def.com

    domain 3 = xyz.com

     

    Users POST the SAML assertion to https://fedsvc.abc.com/affwebservices/saml2/consumerservices and, after successful SAML authentication, the web agent creates the SMSESSION cookie for the .abc.com domain. But now, when the users POST the SAML assertion to https://fedsvc.xyz.com/affwebservices/saml2/consumerservices, then after successful SAML authentication, instead of creating the .xyz.com SMSESSION cookie, it still creates the .abc.com domain cookie.

     

    I tried playing around with the "CookieDomain" ACO parameter, but this did not seem to make any difference.

     

    I much appreciate your help as always!



  • 2.  Re: Webagent not creating correct SMSESSION cookie domain

    Posted Jul 13, 2018 11:44 PM

    Duc dmt953

     

    An SMSESSION can be created by the WA and by the WAOP.

     

    In a federated flow there are scenarios, e.g. the POST of a SAML Assertion to the ACS URL (CA SSO is the SP), wherein the SMSESSION is created ONLY by the WAOP (not by the WA).

     

    Hence the ACO used by the WAOP comes into play. The ACO used by the WA (and neither WA) does NOT play a role when the WAOP is generating an SMSESSION.

     

    I'd recommend checking the ACO parameters for the WAOP vs. the ACO parameters for the WA.

     

    My hunch is that the ACO for the WAOP is tied to the .abc.com domain.



  • 3.  Re: Webagent not creating correct SMSESSION cookie domain

    Posted Jul 14, 2018 08:05 PM

    Hi Hubert,

     

    That is correct, the ACO involved in this SAML authentication scheme is the WAOP ACO, and I had tried changing many parameters related to the cookie domain. What's strange is that this used to work until recently. Previously our SAML IDP partners could post their SAML assertion to any of the three domains, which all resolve to the same Apache web server with the WAOP, and the appropriate SMSESSION cookie domain would be created based on which domain the IDP posted to.

     

    Recently we had some application DNS changes to the sub-domain (changing from http://app.com to http://www.app.com). This change caused some cookie domain issues for these apps, as they tried to invoke the SAML outbound SSO and were getting rejected by the WAOP due to the cookie domain scope, so we played around with the cookie domain parameters of the WAOP ACO, which eventually resolved this issue. But now the "inbound" SAML authentication seems to be tied to only one specific cookie domain for the WAOP ACO.

     

    Below are the ACO parameters for the WAOP. The ".regence.com" domain is the only SMSESSION cookie domain being created by this ACO:

     

    #more agent.log
    [9780/4110384016][Sat Jul 14 2018 17:40:59] SiteMinder APACHE 2.2 WebAgent, Version 12.52 QMR01, Update HF-05, Label 2112.
    [9780/4110384016][Sat Jul 14 2018 17:40:59] FileVersion: 12.52.0105.2112.
    [9780/4110384016][Sat Jul 14 2018 17:40:59]
    [9780/4110384016][Sat Jul 14 2018 17:40:59] FIPS 140 Cryptographic Mode is 'non-FIPS (compatibility)'.
    [9780/4110384016][Sat Jul 14 2018 17:40:59] ***** Begin Configuration *******************************************
    [9780/4110384016][Sat Jul 14 2018 17:40:59] agentconfigobject='vlslcsmf02_aco'.
    [9780/4110384016][Sat Jul 14 2018 17:40:59] allowcacheheaders='no'.
    [9780/4110384016][Sat Jul 14 2018 17:40:59] allowlocalconfig='no'.
    [9780/4110384016][Sat Jul 14 2018 17:40:59] badurlchars='//,./,/.,/*,*.,~,\,%00-%1f,%7f-%ff,%25'.
    [9780/4110384016][Sat Jul 14 2018 17:40:59] cacheanonymous='no'.
    [9780/4110384016][Sat Jul 14 2018 17:40:59] cccext='.ccc'.
    [9780/4110384016][Sat Jul 14 2018 17:40:59] constructfullpwsvcurl='no'.
    [9780/4110384016][Sat Jul 14 2018 17:40:59] cookiedomain='.regence.com'.
    [9780/4110384016][Sat Jul 14 2018 17:40:59] cookiedomain='.asuris.com'.
    [9780/4110384016][Sat Jul 14 2018 17:40:59] cookiedomain='.bridgespanhealth.com'.
    [9780/4110384016][Sat Jul 14 2018 17:40:59] cookiedomainscope='0'.
    [9780/4110384016][Sat Jul 14 2018 17:40:59] csschecking='yes'.
    [9780/4110384016][Sat Jul 14 2018 17:40:59] decodequerydata='no'.
    [9780/4110384016][Sat Jul 14 2018 17:40:59] defaultagentname='vlslcsmf02'.
    [9780/4110384016][Sat Jul 14 2018 17:40:59] disableauthsrcvars='no'.
    [9780/4110384016][Sat Jul 14 2018 17:40:59] disabledotdotrule='no'.
    [9780/4110384016][Sat Jul 14 2018 17:40:59] disablesessionvars='no'.
    [9780/4110384016][Sat Jul 14 2018 17:40:59] disableusernamevars='no'.
    [9780/4110384016][Sat Jul 14 2018 17:40:59] enableauditing='no'.
    [9780/4110384016][Sat Jul 14 2018 17:40:59] enablemonitoring='yes'.
    [9780/4110384016][Sat Jul 14 2018 17:40:59] enablewebagent='YES'.
    [9780/4110384016][Sat Jul 14 2018 17:40:59] enforcepolicies='yes'.
    [9780/4110384016][Sat Jul 14 2018 17:40:59] fcccompatmode='no'.
    [9780/4110384016][Sat Jul 14 2018 17:40:59] fccext='.fcc'.
    [9780/4110384016][Sat Jul 14 2018 17:40:59] getportfromheaders='yes'.
    [9780/4110384016][Sat Jul 14 2018 17:40:59] hostconfigfile='/usr/pservices/ca/siteminder/webagent/config/SmHost.conf'.
    [9780/4110384016][Sat Jul 14 2018 17:40:59] httpsports='20001'.
    [9780/4110384016][Sat Jul 14 2018 17:40:59] ignoreext='.class,.gif,.jpg,.jpeg,.png,.fcc,.scc,.sfcc,.ccc,.ntc'.
    [9780/4110384016][Sat Jul 14 2018 17:40:59] ignorequerydata='no'.
    [9780/4110384016][Sat Jul 14 2018 17:40:59] legacyvariables='yes'.
    [9780/4110384016][Sat Jul 14 2018 17:40:59] loadplugin='/usr/pservices/ca/siteminder/webagent/bin/libHttpPlugin.so'.
    [9780/4110384016][Sat Jul 14 2018 17:40:59] logappend='no'.
    [9780/4110384016][Sat Jul 14 2018 17:40:59] logfile='yes'.
    [9780/4110384016][Sat Jul 14 2018 17:40:59] logfilename='/usr/pservices/ers/servers/smfss-stg/logs/agent.log'.
    [9780/4110384016][Sat Jul 14 2018 17:40:59] logfilesize='100'.
    [9780/4110384016][Sat Jul 14 2018 17:40:59] maxresourcecachesize='750'.
    [9780/4110384016][Sat Jul 14 2018 17:40:59] maxsessioncachesize='750'.
    [9780/4110384016][Sat Jul 14 2018 17:40:59] maxurlsize='4097'.
    [9780/4110384016][Sat Jul 14 2018 17:40:59] ntcext='.ntc'.
    [9780/4110384016][Sat Jul 14 2018 17:40:59] overrideignoreextfilter=''.
    [9780/4110384016][Sat Jul 14 2018 17:40:59] persistentcookies='no'.
    [9780/4110384016][Sat Jul 14 2018 17:40:59] persistentipcheck='yes'.
    [9780/4110384016][Sat Jul 14 2018 17:40:59] proxyagent='no'.
    [9780/4110384016][Sat Jul 14 2018 17:40:59] proxytimeout='120'.
    [9780/4110384016][Sat Jul 14 2018 17:40:59] proxytrust='no'.
    [9780/4110384016][Sat Jul 14 2018 17:40:59] pspollinterval='30'.
    [9780/4110384016][Sat Jul 14 2018 17:40:59] requirecookies='yes'.
    [9780/4110384016][Sat Jul 14 2018 17:40:59] resourcecachetimeout='600'.
    [9780/4110384016][Sat Jul 14 2018 17:40:59] sccext='.scc'.
    [9780/4110384016][Sat Jul 14 2018 17:40:59] serverpath='/usr/pservices/ers/servers/smfss-stg/conf'.
    [9780/4110384016][Sat Jul 14 2018 17:40:59] sessiongraceperiod='30'.
    [9780/4110384016][Sat Jul 14 2018 17:40:59] sessionupdateperiod='60'.
    [9780/4110384016][Sat Jul 14 2018 17:40:59] setremoteuser='no'.
    [9780/4110384016][Sat Jul 14 2018 17:40:59] sfccext='.sfcc'.
    [9780/4110384016][Sat Jul 14 2018 17:40:59] ssotrustedzone='PPMOSM'.
    [9780/4110384016][Sat Jul 14 2018 17:40:59] targetasrelativeuri='no'.
    [9780/4110384016][Sat Jul 14 2018 17:40:59] traceappend='no'.
    [9780/4110384016][Sat Jul 14 2018 17:40:59] traceconfigfile='/usr/pservices/ca/siteminder/webagent/config/WebAgentTrace.conf'.
    [9780/4110384016][Sat Jul 14 2018 17:40:59] tracefile='yes'.
    [9780/4110384016][Sat Jul 14 2018 17:40:59] tracefilename='/usr/pservices/ers/servers/smfss-stg/logs/agenttrace.log'.
    [9780/4110384016][Sat Jul 14 2018 17:40:59] tracefilesize='100'.
    [9780/4110384016][Sat Jul 14 2018 17:40:59] transientidcookies='no'.
    [9780/4110384016][Sat Jul 14 2018 17:40:59] transientipcheck='no'.
    [9780/4110384016][Sat Jul 14 2018 17:40:59] useanonaccess='no'.
    [9780/4110384016][Sat Jul 14 2018 17:40:59] usesecurecookies='no'.
    [9780/4110384016][Sat Jul 14 2018 17:40:59] usesecurecpcookies='no'.
    [9780/4110384016][Sat Jul 14 2018 17:40:59]
    [9780/4110384016][Sat Jul 14 2018 17:40:59] SiteMinder Agent API Host Configuration:
    [9780/4110384016][Sat Jul 14 2018 17:40:59]
    [9780/4110384016][Sat Jul 14 2018 17:40:59] enablefailover='NO'.
    [9780/4110384016][Sat Jul 14 2018 17:40:59] hostname='vlslcsmf02.regence.com'.
    [9780/4110384016][Sat Jul 14 2018 17:40:59] maxsocketsperport='20'.
    [9780/4110384016][Sat Jul 14 2018 17:40:59] minsocketsperport='2'.
    [9780/4110384016][Sat Jul 14 2018 17:40:59] newsocketstep='2'.
    [9780/4110384016][Sat Jul 14 2018 17:40:59] policyserver='vlslccasso02.regence.com,44441,44442,44443'.
    [9780/4110384016][Sat Jul 14 2018 17:40:59] policyserver='vlslccasso03.regence.com,44441,44442,44443'.
    [9780/4110384016][Sat Jul 14 2018 17:40:59] requesttimeout='60'.
    [9780/4110384016][Sat Jul 14 2018 17:40:59] ***** End Configuration *********************************************
    [9780/4110384016][Sat Jul 14 2018 17:40:59]
    [9780/4110384016][Sat Jul 14 2018 17:40:59][LLAWPLogQ.cpp:661][INFO][sm-AgentFramework-00590] LLAWP: Logging initialized.
    [9780/4110384016][Sat Jul 14 2018 17:40:59][LLAWPLogQ.cpp:676][INFO][sm-AgentFramework-00630] LLAWP: Tracing initialized.
    [9780/4136671456][Sat Jul 14 2018 17:40:59][LLAWorkerProcess.cpp:1552][INFO][sm-AgentFramework-00680] LLAWP: Initialization complete.
    [9780/4087348112][Sat Jul 14 2018 17:40:59][LLAWPMsgBus.cpp:419][INFO][sm-AgentFramework-00660] LLAWP: Message bus initialized.



  • 4.  Re: Webagent not creating correct SMSESSION cookie domain
    Best Answer

    Posted Jul 16, 2018 12:23 AM

    Duc dmt953

     

    Have we tried the following?

     

    #CookieDomain='regence.com'

    #CookieDomain='.asuris.com'

    #CookieDomain='.bridgespanhealth.com'

    CookieDomainScope=2

     

    I am not sure if CookieDomain can take multiple values. I always thought CookieDomain was a single-value attribute.

     

    Hence the only way to override and accept multiple domains was to use CookieDomainScope.

     

    But never use both, unless the scope (2 dots) matches the domain (.regence.com). In your configuration there is a mismatch, with the scope set to 0 while CookieDomain is multi-valued and has two dots.
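Added illustration of the Best Answer's point (example code written for this page, not the thread's configuration nor CA's agent source): a small Python model of how CookieDomain and CookieDomainScope pick the Domain attribute on SMSESSION, run over the thread's placeholder hosts fedsvc.abc.com, fedsvc.def.com and fedsvc.xyz.com. It assumes the documented rule that an explicit CookieDomain is used verbatim (the log above shows only the first of several values taking effect, so the multi-valued case is modelled as its first value), that scope N keeps the last N labels of the request host, and that scope 0 drops only the first label; the AcoCookieSettings class and check_aco linter are constructed for this example.

```python
from dataclasses import dataclass
from typing import List, Optional


@dataclass
class AcoCookieSettings:
    """Subset of the WAOP ACO relevant here (constructed for the example)."""
    cookie_domain: Optional[str]   # explicit CookieDomain, None when commented out
    cookie_domain_scope: int       # CookieDomainScope (0 = agent default)


def derive_cookie_domain(host: str, aco: AcoCookieSettings) -> str:
    """Domain attribute the agent would put on SMSESSION for a request to host.

    Assumed rule: an explicit CookieDomain wins verbatim; otherwise scope N keeps
    the last N labels of the host and scope 0 drops only the first label.
    """
    if aco.cookie_domain:
        d = aco.cookie_domain.lower()
        return d if d.startswith(".") else "." + d
    labels = host.lower().split(".")
    if aco.cookie_domain_scope > 0:
        keep = labels[-aco.cookie_domain_scope:]
    else:
        keep = labels[1:] if len(labels) > 2 else labels
    return "." + ".".join(keep)


def domain_matches(host: str, cookie_domain: str) -> bool:
    """RFC 6265 domain-match: the browser keeps the cookie only if host is the
    cookie domain itself or a subdomain of it."""
    d = cookie_domain.lstrip(".").lower()
    h = host.lower()
    return h == d or h.endswith("." + d)


def check_aco(aco: AcoCookieSettings, hosts: List[str]) -> List[str]:
    """Lint the pair the way the Best Answer describes: both parameters set only
    when the scope equals the number of sections in CookieDomain, and every host
    must receive a cookie domain its browser will accept."""
    problems = []
    if aco.cookie_domain:
        sections = len(aco.cookie_domain.strip(".").split("."))
        if aco.cookie_domain_scope != sections:
            problems.append(f"CookieDomain {aco.cookie_domain} has {sections} "
                            f"sections but CookieDomainScope={aco.cookie_domain_scope}")
    for h in hosts:
        d = derive_cookie_domain(h, aco)
        if not domain_matches(h, d):
            problems.append(f"SMSESSION for {h} would carry Domain={d}, which the browser rejects")
    return problems


if __name__ == "__main__":
    HOSTS = ["fedsvc.abc.com", "fedsvc.def.com", "fedsvc.xyz.com"]  # thread's placeholders
    broken = AcoCookieSettings(".abc.com", 0)  # first CookieDomain value wins, scope 0
    fixed = AcoCookieSettings(None, 2)         # CookieDomain commented out, scope 2
    for name, aco in (("broken", broken), ("fixed", fixed)):
        print(name, {h: derive_cookie_domain(h, aco) for h in HOSTS}, check_aco(aco, HOSTS))
```

With the explicit CookieDomain every host gets .abc.com and two of the three cookies are discarded by the browser, which is the symptom in the first post; with CookieDomain commented out and CookieDomainScope=2 each host gets its own second-level domain.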