Symantec Access Management


Session creation issue - Target URL is not in the CookieDomain when Siteminder acts as SP in partnership Federation

  • 1.  Session creation issue - Target URL is not in the CookieDomain when Siteminder acts as SP in partnership Federation

    Posted Nov 18, 2020 01:50 PM
    Edited by KrishnaKumar Subramaniam Nov 18, 2020 01:58 PM
    Hi Members,

    I have configured CA SSO as Service Provider (SP) and federation works well for any URL in the same domain as the SP; however, if the target application URL is in a different domain, I get the error below.

    [11/18/2020][13:33:21][8159][2934892288][2ebd025e-b8526402-db3c7e83-af2e999b-e5e8ee1e-4][SAML2Base.java][getIdentityProviderInfo][Trying to fetch SAML2.0 IDP Configuration from cache [CHECKPOINT = SSOSAML2_IDPCONFFROMCACHE_REQ]]
    [11/18/2020][13:33:21][8159][2934892288][2ebd025e-b8526402-db3c7e83-af2e999b-e5e8ee1e-4][SAML2Base.java][getIdentityProviderInfo][Obtained identity provider information from cache for: http://www.okta.com/exkv1uynizB30pK6L0h7.]
    [11/18/2020][13:33:21][8159][2934892288][2ebd025e-b8526402-db3c7e83-af2e999b-e5e8ee1e-4][FWSBase.java][getPartnershipSourceValue][Partnership source value = 3]
    [11/18/2020][13:33:21][8159][2934892288][2ebd025e-b8526402-db3c7e83-af2e999b-e5e8ee1e-4][AssertionConsumer.java][getRealmForTarget][Reading the configuration to get the target url [CHECKPOINT = SSOSAML2_READTARGETURL_REQ]]
    [11/18/2020][13:33:21][8159][2934892288][2ebd025e-b8526402-db3c7e83-af2e999b-e5e8ee1e-4][AssertionConsumer.java][getRealmForTarget][targetURL:HTTPS://staging.controls-expert.carrier.com/ usingRelayState: true]
    [11/18/2020][13:33:21][8159][2934892288][2ebd025e-b8526402-db3c7e83-af2e999b-e5e8ee1e-4][FWSBase.java][validateTarget][Target: HTTPS://staging.something.xyz.com/ is not in the CookieDomain: .abc.com]

    ==> affwebserv.log <==
    [8159/2934892288][Wed Nov 18 2020 13:33:21][AssertionConsumer.java][ERROR][sm-FedClient-01350] Can not redirect to a target - HTTPS://staging.something.xyz.com/ outside the local Cookie Domain. (, , , )

    ==> FWSTrace.log <==
    [11/18/2020][13:33:21][8159][2934892288][2ebd025e-b8526402-db3c7e83-af2e999b-e5e8ee1e-4][AssertionConsumer.java][getRealmForTarget][Can not redirect to a target - HTTPS://staging.something.xyz.com/ outside the local Cookie Domain.]
    [11/18/2020][13:33:21][8159][2934892288][2ebd025e-b8526402-db3c7e83-af2e999b-e5e8ee1e-4][AssertionConsumer.java][getRealmForTarget][Ending the request processing with the HTTP response code: 400]

    ==> affwebserv.log <==
    [8159/2934892288][Wed Nov 18 2020 13:33:21][AssertionConsumer.java][ERROR][sm-FedClient-02890] Transaction with ID: 2ebd025e-b8526402-db3c7e83-af2e999b-e5e8ee1e-4 failed. Reason: ACS_TARGET_IN_INVALID_DOMAIN (, , )

    ==> FWSTrace.log <==
    [11/18/2020][13:33:21][8159][2934892288][2ebd025e-b8526402-db3c7e83-af2e999b-e5e8ee1e-4][AssertionConsumer.java][getRealmForTarget][Transaction with ID: 2ebd025e-b8526402-db3c7e83-af2e999b-e5e8ee1e-4 failed. Reason: ACS_TARGET_IN_INVALID_DOMAIN]

    We are using the option pack for the federation setup, and in the ACO of the WAOP I have set CookieDomainScope to 2 and ValidTargetDomain to ".abc.com",".xyz.com".

    Please note that there are many URLs in the same domain (.abc.com) as the SP that work fine, and SSO is achieved as well. I would like to know if there are any specific settings to be tweaked when CA SSO (SiteMinder) acts as SP in order to set the session cookie (SMSESSION) for multiple/cross domains.

    Environment Details:

    Policy server:

    Policy server version: CA SSO 12.8 SP3
    Policy Server OS     : RHEL 7.8

    WebAgent Option Pack:

    Product Name=CA SiteMinder Option Pack for Web Agent
    FullVersion=12.52.105.2112

    Thanks,
    Krishna


  • 2.  RE: Session creation issue - Target URL is not in the CookieDomain when Siteminder acts as SP in partnership Federation

    Broadcom Employee
    Posted Nov 18, 2020 02:20 PM

    Hi Krishna,

    The ValidTargetDomain ACO parameter does not come into play here.  That parameter is used when the regular Web Agent is redirecting the user to a different target domain.  For federation use cases where the Affwebservices application is redirecting the user, the ValidFedTargetDomain parameter needs to be configured in the ACO.  In addition to listing the desired domains in this parameter, the 'Validate Target URL Domain' checkbox within the partnership needs to be selected.

    The default behavior of Affwebservices is to validate that the Target domain matches the domain in which Affwebservices is hosted.  The Validate Target URL Domain checkbox tells Affwebservices to validate the Target domain against the domains listed in the ValidFedTargetDomain parameter.  Please note that the domain in which Affwebservices is hosted is always considered a valid domain and does not need to be listed in the parameter.

    If you need to add more than one domain to the ValidFedTargetDomain parameter, be sure to use the Multi-Value entry option in the AdminUI.  Also, do not include a leading dot when adding domains.  For example, enter 'abc.com' not '.abc.com'.


    Regards,
    Pete
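
    The target-domain check Pete describes, written out as an added illustration (this is not CA SSO/SiteMinder code). Assumed: the "domain in which Affwebservices is hosted" is derived as the last CookieDomainScope labels of the Affwebservices hostname, matching is on whole label boundaries, and a leading-dot ValidFedTargetDomain entry is stripped and flagged rather than rejected outright (whether the product itself tolerates it is not stated above).

```python
"""Model of the Affwebservices target-domain validation described above.
Added example, not product code; the domain derivation is an assumption."""
from urllib.parse import urlsplit


def hosting_domain(affwebservices_host: str, cookie_domain_scope: int = 2) -> str:
    """Cookie domain of the Affwebservices host, e.g. 'abc.com' for
    'staging-secure.abc.com' with CookieDomainScope=2 (assumed derivation)."""
    labels = affwebservices_host.lower().strip(".").split(".")
    return ".".join(labels[-cookie_domain_scope:])


def in_domain(host: str, domain: str) -> bool:
    """True when host is the domain itself or a subdomain of it. Requiring the
    dot boundary means 'xyz.com.evil.example' does not match 'xyz.com'."""
    return host == domain or host.endswith("." + domain)


def validate_fed_target(target_url, affwebservices_host, valid_fed_target_domains=(),
                        validate_target_url_domain=False, cookie_domain_scope=2):
    """Return (accepted, reason, warnings) for a RelayState/target URL.

    The hosting domain is always allowed; the ValidFedTargetDomain list is
    consulted only when the partnership's 'Validate Target URL Domain' is on."""
    warnings = []
    # urlsplit lower-cases the hostname, so 'HTTPS://Host/' is handled like 'https://host/'
    host = (urlsplit(target_url).hostname or "").lower()
    if not host:
        return False, "target URL has no host", warnings
    allowed = [hosting_domain(affwebservices_host, cookie_domain_scope)]
    if validate_target_url_domain:
        for entry in valid_fed_target_domains:
            if entry.startswith("."):   # Pete: enter 'abc.com', not '.abc.com'
                warnings.append(f"entry {entry!r} has a leading dot; use {entry.lstrip('.')!r}")
            allowed.append(entry.lower().lstrip("."))
    for domain in allowed:
        if in_domain(host, domain):
            return True, f"{host} is within allowed domain {domain}", warnings
    return False, f"Can not redirect to a target - {target_url} outside the local Cookie Domain", warnings


if __name__ == "__main__":
    # Constructed inputs mirroring the thread: SP in abc.com, target in xyz.com
    print(validate_fed_target("HTTPS://staging.something.xyz.com/", "staging-secure.abc.com"))
    print(validate_fed_target("HTTPS://staging.something.xyz.com/", "staging-secure.abc.com",
                              ["xyz.com"], validate_target_url_domain=True))
```

    The first call reproduces the default behaviour from the original post (target rejected); the second shows the same target accepted once the domain is listed and the checkbox is selected.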




  • 3.  RE: Session creation issue - Target URL is not in the CookieDomain when Siteminder acts as SP in partnership Federation

    Posted Nov 19, 2020 02:15 AM
    Edited by KrishnaKumar Subramaniam Nov 19, 2020 02:17 AM
    Thanks Pete. This helped me get past the error I was seeing earlier. Now the SAML POST is honored, a session cookie (SMSESSION) is set in .abc.com, and the user is redirected to the ACS target in the RelayState. However, when it goes to the actual target application https://staging.something.xyz.com/ it cannot set the SMSESSION cookie in .xyz.com and it loops between the login form and the app URL.

    FWSTrace log before redirecting to the app:

    [11/19/2020][01:37:36][5176][997680896][255d688b-41596ef4-757c93e0-e8ec5757-22c80d91-faa][FWSBase.java][processSuccessfulAuthentication][SAMLData NameID: testuser]
    [11/19/2020][01:37:36][5176][997680896][255d688b-41596ef4-757c93e0-e8ec5757-22c80d91-faa][FWSBase.java][createSessionCookie][Validating input...]
    [11/19/2020][01:37:36][5176][997680896][255d688b-41596ef4-757c93e0-e8ec5757-22c80d91-faa][FWSBase.java][createSessionCookie][Creating the smsession cookie for SP domain [CHECKPOINT = SSO_SMSESSIONFORSPDOMAIN_REQ]]
    [11/19/2020][01:37:36][5176][997680896][255d688b-41596ef4-757c93e0-e8ec5757-22c80d91-faa][FWSBase.java][createSessionCookie][Recived valid input. Attempting to create SESSION cookie.]
    [11/19/2020][01:37:36][5176][997680896][255d688b-41596ef4-757c93e0-e8ec5757-22c80d91-faa][FWSBase.java][createSessionCookie][session id is: DJDaneaGkPpsvh2fgPuJ9iVv4nY=]
    [11/19/2020][01:37:36][5176][997680896][255d688b-41596ef4-757c93e0-e8ec5757-22c80d91-faa][FWSBase.java][createSessionCookie][About to create SESSION cookie.]
    [11/19/2020][01:37:36][5176][997680896][255d688b-41596ef4-757c93e0-e8ec5757-22c80d91-faa][FWSBase.java][createSessionCookie][Placing smsession in browser [CHECKPOINT = SSO_PLACESMSSESSIONTOBROWSER_REQ]]
    [11/19/2020][01:37:36][5176][997680896][255d688b-41596ef4-757c93e0-e8ec5757-22c80d91-faa][AssertionConsumer.java][processSAMLResponse][authenticateUser succeded: 0]
    [11/19/2020][01:37:36][5176][997680896][255d688b-41596ef4-757c93e0-e8ec5757-22c80d91-faa][AssertionConsumer.java][processSAMLResponse][Redirecting user to target url [CHECKPOINT = SSOSAML2_REDIRECTUSERTARGETURL_REQ]]
    [11/19/2020][01:37:36][5176][997680896][255d688b-41596ef4-757c93e0-e8ec5757-22c80d91-faa][AssertionConsumer.java][handleUserRedirection][Enter: handleUserRedirection]
    [11/19/2020][01:37:36][5176][997680896][255d688b-41596ef4-757c93e0-e8ec5757-22c80d91-faa][AssertionConsumer.java][redirectUser][redirectMode: 0]
    [11/19/2020][01:37:36][5176][997680896][255d688b-41596ef4-757c93e0-e8ec5757-22c80d91-faa][AssertionConsumer.java][redirectUser][Redirecting the user to HTTPS://staging.something.xyz.com/ using '302 No Data' redirect mode.]

    Below is a trace from the cookie provider.

    [11/19/2020][01:38:46.370][2153][3506345728][00000000000000000000000005b8c00a-0869-5fb612f6-d0fe9700-90b9930c3b3][][][CSmHighLevelAgent.cpp:322][ProcessRequest][][][][][][][][][][][][][][][Start new request.]
    [11/19/2020][01:38:46.370][2153][3506345728][00000000000000000000000005b8c00a-0869-5fb612f6-d0fe9700-90b9930c3b3][][][CSmResourceManager.cpp:75][CSmResourceManager::ProcessResource][][][][][][][][][][][][][][][Calling SM_WAF_HTTP_PLUGIN->ProcessResource.]
    [11/19/2020][01:38:46.370][2153][3506345728][][][][SmApache24WebFilterCtxt.cpp:1744][CSmApache24WebFilterCtxt::SetP3PCompactPolicy][][][][][][][][][][][][][][][sP3PCompactPolicy: '']
    [11/19/2020][01:38:46.370][2153][3506345728][00000000000000000000000005b8c00a-0869-5fb612f6-d0fe9700-90b9930c3b3][][][CSmHttpPlugin.cpp:399][CSmHttpPlugin::ProcessResource][][][][][][][][][][][][][][][Resolved HTTP_HOST: 'staging.cookie.xyz.com'.]
    [11/19/2020][01:38:46.370][2153][3506345728][][][][CSmHttpPlugin.cpp:5350][Entered CSmHttpPlugin::ResolveFQServerName sHost: ][][][][][][][][][][][][][][][staging.cookie.xyz.com]
    [11/19/2020][01:38:46.370][2153][3506345728][00000000000000000000000005b8c00a-0869-5fb612f6-d0fe9700-90b9930c3b3][][][CSmHttpPlugin.cpp:490][CSmHttpPlugin::ProcessResource][][][][][][][][][][][][][][][Resolved hostname: 'staging.cookie.xyz.com'.]
    [11/19/2020][01:38:46.370][2153][3506345728][00000000000000000000000005b8c00a-0869-5fb612f6-d0fe9700-90b9930c3b3][][][CSmHttpPlugin.cpp:509][CSmHttpPlugin::ProcessResource][][][][][][][][][][][][][][][Resolved agentname: 'Az-cookieprovider'.]
    [11/19/2020][01:38:46.370][2153][3506345728][00000000000000000000000005b8c00a-0869-5fb612f6-d0fe9700-90b9930c3b3][Az-cookieprovider][][CSmHttpPlugin.cpp:5727][CSmHttpPlugin::ResolveClientIp][][][][][][][][][][][][][][][Resolved Client IP address 'XXXXXXXXXX'.]
    [11/19/2020][01:38:46.370][2153][3506345728][00000000000000000000000005b8c00a-0869-5fb612f6-d0fe9700-90b9930c3b3][Az-cookieprovider][][CSmHttpPlugin.cpp:657][CSmHttpPlugin::ProcessResource][][][][][*103.59.135.17][][][][][][][][][][Resolved URL: '/siteminderagent/SmMakeCookie.ccc?STSESSION=QUERY&PERSIST=0&TARGET=-SM-https%3a%2f%2fstaging%2esomething%2exyz%2ecom%2f'.]
    [11/19/2020][01:38:46.370][2153][3506345728][][][][CSmHttpPlugin.cpp:5806][CSmHttpPlugin::AutoAuthorizedUrl][][][][][][][][][][][][][][][Auto-authorizing resource, matches IgnoreExt filter.]
    [11/19/2020][01:38:46.370][2153][3506345728][00000000000000000000000005b8c00a-0869-5fb612f6-d0fe9700-90b9930c3b3][Az-cookieprovider][/siteminderagent/SmMakeCookie.ccc?STSESSION=QUERY&PERSIST=0&TARGET=-SM-https%3a%2f%2fstaging%2esomething%2exyz%2ecom%2f][CSmHttpPlugin.cpp:698][CSmHttpPlugin::ProcessResource][][][][][*103.59.135.17][][][][][][][][][][Autoauthorizing URL : 'https://staging.cookie.xyz.com/siteminderagent/SmMakeCookie.ccc?STSESSION=QUERY&PERSIST=0&TARGET=-SM-https%3a%2f%2fstaging%2esomething%2exyz%2ecom%2f' , Method: 'GET' ]
    [11/19/2020][01:38:46.370][2153][3506345728][00000000000000000000000005b8c00a-0869-5fb612f6-d0fe9700-90b9930c3b3][Az-cookieprovider][/siteminderagent/SmMakeCookie.ccc?STSESSION=QUERY&PERSIST=0&TARGET=-SM-https%3a%2f%2fstaging%2esomething%2exyz%2ecom%2f][CSmHttpPlugin.cpp:781][CSmHttpPlugin::ProcessResource][][][][][*103.59.135.17][][][][][][][][][][Resolved METHOD: 'GET'.]
    [11/19/2020][01:38:46.370][2153][3506345728][00000000000000000000000005b8c00a-0869-5fb612f6-d0fe9700-90b9930c3b3][Az-cookieprovider][/siteminderagent/SmMakeCookie.ccc?STSESSION=QUERY&PERSIST=0&TARGET=-SM-https%3a%2f%2fstaging%2esomething%2exyz%2ecom%2f][CSmHttpPlugin.cpp:834][CSmHttpPlugin::ProcessResource][][][][][*103.59.135.17][][][][][][][][GET][][Resolved cookie domain: '.xyz.com'.]
    [11/19/2020][01:38:46.370][2153][3506345728][00000000000000000000000005b8c00a-0869-5fb612f6-d0fe9700-90b9930c3b3][Az-cookieprovider][/siteminderagent/SmMakeCookie.ccc?STSESSION=QUERY&PERSIST=0&TARGET=-SM-https%3a%2f%2fstaging%2esomething%2exyz%2ecom%2f][CSmHttpPlugin.cpp:7756][CSmHttpPlugin::ProcessCookieProviderRequest][][][][][*103.59.135.17][][][][][][][][GET][][Cookie Provider could not find cookie 'STSESSION']
    [11/19/2020][01:38:46.370][2153][3506345728][00000000000000000000000005b8c00a-0869-5fb612f6-d0fe9700-90b9930c3b3][Az-cookieprovider][/siteminderagent/SmMakeCookie.ccc?STSESSION=QUERY&PERSIST=0&TARGET=-SM-https%3a%2f%2fstaging%2esomething%2exyz%2ecom%2f][CSmHttpPlugin.cpp:8158][CSmHttpPlugin::ProcessCookieProviderRequest][][][][][*103.59.135.17][][][][][][][][GET][][Cookie Provider returning to TARGET 'https://staging.something.xyz.com/?STSESSION=NO'.]
    [11/19/2020][01:38:46.370][2153][3506345728][00000000000000000000000005b8c00a-0869-5fb612f6-d0fe9700-90b9930c3b3][Az-cookieprovider][/siteminderagent/SmMakeCookie.ccc?STSESSION=QUERY&PERSIST=0&TARGET=-SM-https%3a%2f%2fstaging%2esomething%2exyz%2ecom%2f][SmPluginUtilities.cpp:482][HandleCredCollectorReturn][][][][][*103.59.135.17][][][][][][][][GET][][POST preservation, handling return from credential collector.]
    [11/19/2020][01:38:46.370][2153][3506345728][00000000000000000000000005b8c00a-0869-5fb612f6-d0fe9700-90b9930c3b3][Az-cookieprovider][/siteminderagent/SmMakeCookie.ccc?STSESSION=QUERY&PERSIST=0&TARGET=-SM-https%3a%2f%2fstaging%2esomething%2exyz%2ecom%2f][SmPluginUtilities.cpp:619][HandleCredCollectorReturn][][][][][*103.59.135.17][][][][][][][][GET][][http response https://staging.something.xyz.com/?STSESSION=NO]
    [11/19/2020][01:38:46.370][2153][3506345728][00000000000000000000000005b8c00a-0869-5fb612f6-d0fe9700-90b9930c3b3][Az-cookieprovider][/siteminderagent/SmMakeCookie.ccc?STSESSION=QUERY&PERSIST=0&TARGET=-SM-https%3a%2f%2fstaging%2esomething%2exyz%2ecom%2f][CSmResourceManager.cpp:94][CSmResourceManager::ProcessResource][][][][][*103.59.135.17][][][][][][][][GET][][SM_WAF_HTTP_PLUGIN->ProcessResource returned SmExit.]
    [11/19/2020][01:38:46.370][2153][3506345728][00000000000000000000000005b8c00a-0869-5fb612f6-d0fe9700-90b9930c3b3][Az-cookieprovider][/siteminderagent/SmMakeCookie.ccc?STSESSION=QUERY&PERSIST=0&TARGET=-SM-https%3a%2f%2fstaging%2esomething%2exyz%2ecom%2f][CSmHighLevelAgent.cpp:349][ProcessRequest][][][][][*103.59.135.17][][][][][][][][GET][][ResourceManager returned SmExit, end new request.]

    The cookie provider ACO has UseSecureCookies set to YES, while the ACO for the WAOP has this parameter set to NO. Could the cookie provider be rejecting cookies from the WAOP since they are not set as Secure?

    Thanks,
    Krishna


  • 4.  RE: Session creation issue - Target URL is not in the CookieDomain when Siteminder acts as SP in partnership Federation

    Posted Nov 20, 2020 04:27 PM
    Edited by KrishnaKumar Subramaniam Nov 20, 2020 04:31 PM
    When SiteMinder acts as SP (in a partnership federation) and the target application from the RelayState is behind a SiteMinder-protected Web Agent in a different domain, I would like to know how the app login and cross-domain SSO are achieved.

    I know that a cookie provider is used in the case of regular web agents, but when using the WAOP (Web Agent Option Pack) I am not sure how to create a session for the target application in a different domain.

    In short:

    In an SP-initiated SSO, with SiteMinder acting as SP, when the target app and cookie provider domain are different from the SP domain, how is a successful session achieved in the target application?

    SP domain              - abc.com  (staging-secure.abc.com)
    Application domain     - xyz.com  (staging.something.xyz.com) [cookie domain scope is set to 2 in the WAOP and target app WA ACO]
    Cookie provider domain - xyz.com  (staging.cookie.xyz.com)

    Observation so far:
    After a successful SAML POST assertion from the IdP, SiteMinder is able to set the SMSESSION cookie in .abc.com. It then redirects to the target application, which is in the .xyz.com domain; the SMSESSION cookie that was set in .abc.com is lost in the redirection, so the target app redirects to the login form again, resulting in an infinite loop between the login form and the app.

    --------------
    Thanks,
    Krishna
    --------------