Layer7 API Management

  • 1.  API Gateway - CA SSO Integration

    Posted Mar 30, 2020 03:17 PM
    Hi,

    I am trying to create an API which will authenticate and authorize a user against CA SSO and then create an SMSESSION cookie.
    I have my local test application make that API call. My local test application is not protected by CA SSO.
    In the browser, I saw it generate the SMSESSION cookie with my company domain.
    From that browser, when I tried to access my company's other web applications, the web agent always redirected to the CA SSO login page.
    It looks like the web agent cannot recognize that SMSESSION cookie.

    I am pretty sure my Layer7 API SiteMinder setting is good. I have another API which can read SMSESSION and retrieve user information.
    So I am just wondering: is it possible, after the browser gets the SMSESSION cookie from Layer7, for it to bypass the login page of other web applications?
    Also, in the web agent log, I saw the web agent always tried to decode an SMIDENTITY cookie. Since the browser only gets the SMSESSION cookie, do I need to generate an SMIDENTITY cookie too? And can you let me know how I can generate an SMIDENTITY cookie?

    Thanks

    Mark


  • 2.  RE: API Gateway - CA SSO Integration

    Broadcom Employee
    Posted Mar 31, 2020 12:58 PM
    Hi Mark,

    When the SMSESSION cookie is being generated on the gateway, you need to ensure the attributes are set correctly.

    Have you validated that the browser is actually including the cookie in the call to the other web application?

    If it is being sent and being rejected, it is potentially the attributes that are being set on the cookie when you are generating it.


  • 3.  RE: API Gateway - CA SSO Integration

    Posted Mar 31, 2020 02:19 PM
    Barry,

    I thought SMSESSION is a cookie and I just set the value, domain and path.
    I compared both SMSESSION cookies and both have the same values for the domain and path.
    I am not sure what other attributes I need to set. Do you have any suggestion as to what other attributes I need to set or check?

    Thanks

    Mark


  • 4.  RE: API Gateway - CA SSO Integration

    Broadcom Employee
    Posted Mar 31, 2020 05:37 PM
    Edited by Barry Stern Mar 31, 2020 05:37 PM
    Hello Mark,

    You are correct that SMSESSION is a cookie.

    Web browsers have strict rules for allowing cookies to be stored and sent.

    Did you verify the browser is sending the cookie to these other web applications? This can be seen in the requests in the browser's developer tools.

    If using default settings and authenticating against SSO, the value for the cookie should be ${siteminder.smcontext.ssotoken}




  • 5.  RE: API Gateway - CA SSO Integration

    Posted Mar 31, 2020 08:56 PM
    Barry,

    Here is my API screenshot. The SMSESSION value is $(siteminder.smcontext.ssotoken}

    I will run my test case and will give you another update soon.

    Thanks

    Mark



  • 6.  RE: API Gateway - CA SSO Integration

    Posted Mar 31, 2020 09:11 PM
    Barry,

    Here is my test HTML (after making the API call). In the browser, I can see the SMSESSION value in the response cookie.

    But if I went to another HMS web application, the browser removed the SMSESSION cookie value.
    After re-login, I can see a new SMSESSION value.

    In the API, do I need to add other HTTP headers?

    Thanks

    Mark




  • 7.  RE: API Gateway - CA SSO Integration
    Best Answer

    Broadcom Employee
    Posted Apr 01, 2020 11:13 AM
    Hi Mark,

    Thanks for including screenshots.

    You have a fundamental browser cookie security handling issue with your testing approach. You are trying to generate a cookie for your hms.com domain but going to your local IP address, not a website in the hms.com domain. This will not work, as your browser (especially Chrome) is strict on this to prevent CSRF attacks. You can try adding an entry to your /etc/hosts file to allow your browser to resolve a hostname.

    What I see is that the browser is not setting the cookie as the SMSESSION cookie being returned in your first call from the API gateway. Look at the value of the cookie in your second call to the other app and see that the values do not match.

    You also need to look closely at the attributes SSO is using when generating the SMSESSION cookie and set them accordingly in the cookie the API gateway is generating. Things like Secure and SameSite may be necessary.
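
    The rejection described in this answer follows directly from the browser's cookie rules. Below is an added example, not code from this thread or from Layer7/CA SSO, that models the relevant parts of RFC 6265: the check a browser applies to the Domain attribute when it stores a Set-Cookie, the Secure handling, and the domain/path/SameSite checks it applies when deciding whether to attach a stored cookie to a later request. The hostnames (127.0.0.1, api.hms.com, app.hms.com) and the cookie value are constructed for the demo; the SameSite default of Lax is an assumption matching Chrome's behaviour, not every browser's.

```javascript
// Added example, not Layer7 or CA SSO code: a small model of the RFC 6265 rules
// a browser applies when it receives Set-Cookie and when it later decides whether
// to attach the stored cookie to a request. Hostnames are constructed for the demo.

// RFC 6265 5.1.3 domain matching: exact match, or host is a subdomain of
// `domain` (and host is not an IPv4 literal).
function domainMatches(host, domain) {
  host = host.toLowerCase();
  domain = domain.toLowerCase();
  if (host === domain) return true;
  if (!host.endsWith('.' + domain)) return false;
  return !/^\d{1,3}(\.\d{1,3}){3}$/.test(host);
}

// RFC 6265 5.1.4 default-path: the directory part of the request path.
function defaultPath(pathname) {
  if (!pathname.startsWith('/')) return '/';
  const lastSlash = pathname.lastIndexOf('/');
  return lastSlash === 0 ? '/' : pathname.slice(0, lastSlash);
}

// RFC 6265 5.1.4 path matching.
function pathMatches(requestPath, cookiePath) {
  if (requestPath === cookiePath) return true;
  if (!requestPath.startsWith(cookiePath)) return false;
  return cookiePath.endsWith('/') || requestPath[cookiePath.length] === '/';
}

// RFC 6265 5.3 storage algorithm (subset). `requestUrl` is the URL the response
// carrying `setCookieHeader` came from. Returns the stored cookie, or null when
// the browser would discard it.
function acceptSetCookie(requestUrl, setCookieHeader) {
  const url = new URL(requestUrl);
  const [pair, ...attrs] = setCookieHeader.split(';').map((s) => s.trim());
  const eq = pair.indexOf('=');
  if (eq <= 0) return null;
  const cookie = {
    name: pair.slice(0, eq).trim(),
    value: pair.slice(eq + 1).trim(),
    domain: url.hostname.toLowerCase(),
    hostOnly: true,            // no Domain attribute: sent to the exact host only
    path: defaultPath(url.pathname),
    secure: false,
    httpOnly: false,
    sameSite: 'lax',           // assumption: Chrome's default when SameSite is absent
  };
  for (const attr of attrs) {
    const [rawKey, ...rest] = attr.split('=');
    const key = rawKey.trim().toLowerCase();
    const val = rest.join('=').trim();
    if (key === 'domain') {
      const d = val.replace(/^\./, '').toLowerCase();
      if (!d) continue;                         // an empty Domain attribute is ignored
      // Step 6 of RFC 6265 5.3: the request host must domain-match the Domain
      // attribute or the whole cookie is rejected. This is why a cookie with
      // Domain=hms.com set from http://127.0.0.1 never reaches the cookie jar.
      if (!domainMatches(url.hostname, d)) return null;
      cookie.domain = d;
      cookie.hostOnly = false;
    } else if (key === 'path') {
      cookie.path = val.startsWith('/') ? val : defaultPath(url.pathname);
    } else if (key === 'secure') {
      cookie.secure = true;
    } else if (key === 'httponly') {
      cookie.httpOnly = true;
    } else if (key === 'samesite') {
      cookie.sameSite = val.toLowerCase() || 'lax';
    }
  }
  // Modern browsers refuse a Secure cookie set from a non-secure origin, and
  // Chrome refuses SameSite=None without Secure.
  if (cookie.secure && url.protocol !== 'https:') return null;
  if (cookie.sameSite === 'none' && !cookie.secure) return null;
  return cookie;
}

// RFC 6265 5.4: would the browser attach `cookie` to a request for `targetUrl`?
// `context` is 'same-site', 'cross-site-navigation' (top-level GET from another
// site) or 'cross-site-subrequest' (fetch/XHR/iframe issued by another site).
function cookieSentTo(cookie, targetUrl, context = 'same-site') {
  const url = new URL(targetUrl);
  const host = url.hostname.toLowerCase();
  const domainOk = cookie.hostOnly ? host === cookie.domain : domainMatches(host, cookie.domain);
  if (!domainOk) return false;
  if (!pathMatches(url.pathname, cookie.path)) return false;
  if (cookie.secure && url.protocol !== 'https:') return false;
  if (context === 'cross-site-subrequest' && cookie.sameSite !== 'none') return false;
  if (context === 'cross-site-navigation' && cookie.sameSite === 'strict') return false;
  return true;
}

// The situation from the thread: the gateway returns SMSESSION with Domain=hms.com,
// and the test page is served from 127.0.0.1 versus from a name under hms.com
// (for example one mapped in /etc/hosts).
function demo() {
  const header = 'SMSESSION=opaque-token; Domain=hms.com; Path=/';
  const fromLocalhost = acceptSetCookie('http://127.0.0.1:8080/test.html', header);
  const fromHmsHost = acceptSetCookie('http://api.hms.com/test.html', header);
  return {
    storedFromLocalhost: fromLocalhost !== null,
    storedFromHmsHost: fromHmsHost !== null,
    sentToOtherHmsApp: fromHmsHost !== null && cookieSentTo(fromHmsHost, 'http://app.hms.com/protected/'),
  };
}
```

    Running demo() shows the two halves of the problem: the same Set-Cookie header is dropped when the page came from 127.0.0.1 and stored (and then attached to a request for app.hms.com) when the page came from a host under hms.com. Adding Secure to the header makes acceptSetCookie return null from an http:// origin and makes cookieSentTo refuse http:// targets, which is the kind of attribute mismatch to compare against the cookie SSO itself issues.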


  • 8.  RE: API Gateway - CA SSO Integration

    Posted Apr 01, 2020 11:53 AM
    Barry,

    Thanks for your information. I never thought about that localhost part. I will make that change.
    But from the Layer7 API standpoint, I just want to see if I missed anything. Please let me know if I need another assertion in the API.
    Based on your information, CA SSO should recognize the Layer7 SMSESSION cookie value. Is that correct?

    Thanks

    Mark


  • 9.  RE: API Gateway - CA SSO Integration

    Broadcom Employee
    Posted Apr 01, 2020 05:44 PM
    If created correctly, yes, CA SSO can consume Layer 7 generated cookies, as it is really CA SSO generating the ssotoken; we are just wrapping the cookie around it and returning it to the user's browser.