Symantec Access Management

Tech Tip : CA Single Sign-On : WAOP and SSOZoneName: Loop with expired session

    Broadcom Employee
    Posted May 08, 2019 08:20 AM

    Issue:
    We're running the IdP and SP on different machines but with the same
    domain name. We segregate the cookies using the SSOZoneName ACO
    parameter. Once the SP session terminates, both the IDP SMSESSION and SP
    MY_SESSION cookies get the value LOGGEDOFF. The SP MY_SESSION
    cookie gets removed from the browser, but the SMSESSION cookie
    doesn't.

    As the SMSESSION cookie reaches the IDP Web Agent Option Pack, the
    transaction fails and the IDP Web Agent Option Pack reports that it is
    unable to decode the SMSESSION cookie.

    [04/05/2019][14:30:09][246584][126532][ff2b8c68-4af83a86-98aa3999-
    3e7b55c0-64f7c1f9-b6b][FWSBase.java][getSessionData][(request
    cookie array) cookie value: LOGGEDOFF]

    [04/05/2019][14:30:09][246584][126532][ff2b8c68-4af83a86-98aa3999-
    3e7b55c0-64f7c1f9-b6b][FWSBase.java][getSessionData][evaluate
    trusted zone: SM]

    [04/05/2019][14:30:09][246584][126532][ff2b8c68-4af83a86-98aa3999-
    3e7b55c0-64f7c1f9-b6b][FWSBase.java][getSessionData][found:
    SMSESSION]

    [04/05/2019][14:30:09][246584][126532][ff2b8c68-4af83a86-98aa3999-
    3e7b55c0-64f7c1f9-b6b][FWSBase.java][isValidSession][Trying
    to validate using SMSESSION cookie.]

    [04/05/2019][14:30:09][246584][126532][ff2b8c68-4af83a86-98aa3999-
    3e7b55c0-64f7c1f9-b6b][FWSBase.java][isValidSession][Could
    not decryptSMSESSION cookie. Error message: Tried out all the decrypt
    keys, decryption failed..]

    How can we fix that?

    Cause:
    The problem is that the SMSESSION=LOGGEDOFF cookie reaches the Web
    Agent Option Pack on the IDP side and there is no Web Agent to handle
    this SMSESSION=LOGGEDOFF cookie and remove it from the browser. The Web
    Agent only handles the MY_ cookie; it's configured with
    SSOZoneName=MY_. Moreover, out of the box, the Web Agent Option Pack
    doesn't remove any cookies from the browser. As a result, the
    SMSESSION=LOGGEDOFF cookie arrives at the IDP Web Agent Option Pack,
    which cannot handle the value LOGGEDOFF.

    The IDP Web Agent Option Pack is configured to trust the SM and MY_
    cookies:

    affwebserv.log

    [246584/148340][Thu Apr 04 2019
    16:53:35][FWSAgentConfig.java][INFO][sm-FedClient-00190] SSOZoneName
    not specified. Using default: SM

    [246584/148340][Thu Apr 04 2019
    16:53:35][FWSAgentConfig.java][INFO][sm-FedClient-00200]
    SSOTrustedZone specified as: [SM, MY_]

    but its Web Agent is configured to handle only the MY_ cookie:

    siteminder_ltintra302.log.1

    [47970/3387586304][Thu Apr 04 2019 17:34:23] ssozonename='MY_'.

    The Web Agent on the SP side is configured to handle the same cookie
    as the IDP:

    The SP:

    siteminder_ltintra305.log.1

    [111815/4064990976][Thu Apr 04 2019 18:56:28] ssozonename='MY_'.

    The MY_SESSION cookie has expired; the session gets logged out and the
    cookie is removed from the browser by the Web Agent:

    smtrace_ltintra302.log.1

    [04/05/2019][14:30:03][28807][578766592][CSmHttpPlugin.cpp:6768]
    [CSmHttpPlugin::ProcessSessionCookie][00000000000000000000000046
    ad2ea0-7087-5ca74a4b-227f4700-3f6f311c7a27][*10.0.0.1][][myagent]
    [/affwebservices/public/saml2sso?SPID=mysp][][MY_SESSION
    cookie has expired and will not be used to authenticate.]

    [04/05/2019][14:30:03][28807][578766592][CSmHttpPlugin.cpp:2228]
    [CSmHttpPlugin::EstablishSession][00000000000000000000000046ad2e
    a0-7087-5ca74a4b-227f4700-3f6f311c7a27][*10.0.0.1][][myagent]
    [/affwebservices/public/saml2sso?SPID=mysp][Unable to process
    MY_SESSION cookie.]

    [04/05/2019][14:30:03][28807][578766592][CSmHttpPlugin.cpp:2322]
    [CSmHttpPlugin::EstablishSession][00000000000000000000000046ad2e
    a0-7087-5ca74a4b-227f4700-3f6f311c7a27][*10.0.0.1][][myagent]
    [/affwebservices/public/saml2sso?SPID=mysp
    [Executing expired cookie redirect.]

    [04/05/2019][14:30:03][28807][578766592][CSmSessionManager.cpp:1
    26][CSmSessionManager::EstablishSession][00000000000000000000000
    046ad2ea0-7087-5ca74a4b-227f4700-3f6f311c7a27][*10.0.0.1]
    [myagent][/affwebservices/public/saml2sso?SPID=mysp]
    [SM_WAF_HTTP_PLUGIN->EstablishSession returned SmNoAction.]

    [04/05/2019][14:30:03][28807][578766592][CSmLowLevelAgent.cpp:34
    02][LogoutSession][00000000000000000000000046ad2ea0-7087-5ca74a4
    b-227f4700-3f6f311c7a27][*10.0.0.1][][myagent]
    [/affwebservices/public/saml2sso?SPID=mysp]
    [Calling LogoutSession for session '+9HDjvKRwdasdasdC4hsC4+4d4='.]

    [04/05/2019][14:30:03][28807][578766592][CSmLowLevelAgent.cpp:44
    95][LogoutSession][][][][][][][Session logged out.]

    [04/05/2019][14:30:03][28807][578766592][SmPluginUtilities.cpp:1
    66][DeleteCookie][00000000000000000000000046ad2ea0-7087-5ca74a4b
    -227f4700-600a7e0a2f8c][*10.0.0.1][][myagent]
    [/auth/?SPID=mysp&SMPORTALURL=https%3A%2F%2Fmyotherwebagent.domai
    n.com%2Faffwebservices%2Fpublic%2Fsaml2sso%3FSPID%3Dmysp%2Faffweb
    services%2Fpublic%2Fsaml2sso&SAMLTRANSACTIONID=12fa375e-12fcb6cd-
    59b4b47b-9020fbcf-3630f2e0-eec][][Deleted cookie 'MY_SESSION'.]

    But because the Web Agent is configured to handle the MY_ session
    cookie, the SMSESSION cookie never gets removed from the browser. The
    IDP Web Agent Option Pack is then unable to decode the SMSESSION value
    and the transaction fails. The user doesn't get redirected to the login
    page.

    If you reproduce the issue and, at the moment the problem occurs, you
    remove the SMSESSION=LOGGEDOFF cookie from the browser, you will be
    back in the flow.

    Resolution:
    Use 2 different Web Agents with different ACOs and different
    SSOZoneName values to solve the issue.

    You might also customize the Apache Server to remove the
    SMSESSION=LOGGEDOFF cookie from the browser.

    KB : KB000131888
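
To confirm this condition in a trace, look for a transaction in which `getSessionData` reports the cookie value LOGGEDOFF and `isValidSession` then reports a decrypt failure. The Python script below is an added example, not part of the original post or of the product. It assumes one trace record per line in the bracketed layout quoted above, and the second transaction ID in its sample is constructed.

```python
import re

# Layout of the trace records quoted in the post:
# [date][time][pid][tid][transaction id][source file][method][message]
RECORD = re.compile(
    r"^\[([^\]]*)\]\[([^\]]*)\]\[(\d+)\]\[(\d+)\]"
    r"\[([^\]]*)\]\[([^\]]*)\]\[([^\]]*)\]\[(.*)\]\s*$"
)

def find_loggedoff_failures(lines):
    """Return transactions where a LOGGEDOFF cookie value is followed by a decrypt failure."""
    state = {}   # transaction id -> what getSessionData reported so far
    hits = []
    for line in lines:
        m = RECORD.match(line.strip())
        if not m:
            continue  # blank line or anything that is not a trace record
        date, time, _pid, _tid, txn, _src, method, msg = m.groups()
        st = state.setdefault(txn, {"loggedoff": False, "cookie": None})
        if method == "getSessionData":
            if msg.endswith("cookie value: LOGGEDOFF"):
                st["loggedoff"] = True
            elif msg.startswith("found: "):
                st["cookie"] = msg[len("found: "):]
        elif method == "isValidSession" and "decryption failed" in msg:
            if st["loggedoff"]:
                hits.append({"txn": txn, "when": f"{date} {time}", "cookie": st["cookie"]})
    return hits

# Sample input: T1 records are the post's excerpt rejoined onto single lines;
# T2 is constructed (a decrypt failure without LOGGEDOFF, which must not be flagged).
T1 = "ff2b8c68-4af83a86-98aa3999-3e7b55c0-64f7c1f9-b6b"
T2 = "00000000-00000000-00000000-00000000-00000000-001"
P = "[04/05/2019][14:30:09][246584][126532]"
DECRYPT_ERR = ("Could not decryptSMSESSION cookie. Error message: "
               "Tried out all the decrypt keys, decryption failed..")
SAMPLE = [
    f"{P}[{T1}][FWSBase.java][getSessionData][(request cookie array) cookie value: LOGGEDOFF]",
    f"{P}[{T1}][FWSBase.java][getSessionData][evaluate trusted zone: SM]",
    f"{P}[{T1}][FWSBase.java][getSessionData][found: SMSESSION]",
    f"{P}[{T1}][FWSBase.java][isValidSession][Trying to validate using SMSESSION cookie.]",
    f"{P}[{T1}][FWSBase.java][isValidSession][{DECRYPT_ERR}]",
    f"{P}[{T2}][FWSBase.java][getSessionData][found: SMSESSION]",
    f"{P}[{T2}][FWSBase.java][isValidSession][{DECRYPT_ERR}]",
]

if __name__ == "__main__":
    for hit in find_loggedoff_failures(SAMPLE):
        print(hit)
```

A decrypt failure that is not preceded by the LOGGEDOFF value in the same transaction is left unflagged, since it points to a different cause than the one described in this tip.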