Symantec Access Management

  • 1.  CA SSO: Protecting the Admin UI using the SPS

    Posted Aug 11, 2015 05:57 PM

    Good evening all,

    Tonight I am trying to use SPS to protect the Admin UI of my SiteMinder Policy Server. I have met with some success, but some things remain unfinished:

    When I try to log into the Admin UI through the proxy, my credentials are immediately rejected with the message "Error: Your session has expired". Has anyone seen this before? What gives? I notice that I am receiving JSESSIONID cookies.



  • 2.  Re: CA SSO: Protecting the Admin UI using the SPS

    Posted Aug 12, 2015 10:14 AM
    Here's an example of how I try to log into the SPS-protected Admin UI and am immediately rejected with "Your session has expired".

    From the Chrome dev console:

    Request URL: http://sps-server:80/iam/siteminder/console?
    Request Method: POST
    Status Code: 200 OK

    Response Headers
      Connection: Keep-Alive
      Content-Type: text/html; charset=UTF-8
      Date: Wed, 12 Aug 2015 13:58:01 GMT
      Keep-Alive: timeout=5, max=100
      Server: Apache/2.4.4 (Unix) mod_jk/1.2.37
      set-cookie: JSESSIONID=8D4AA1611E45228A0A4011A5F762C084;Path=/iam/siteminder;Secure;HttpOnly
      Transfer-Encoding: chunked
      Via: HTTP/1.1 sps-server:80
      X-FRAME-OPTIONS: SAMEORIGIN

    Request Headers
      Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
      Accept-Encoding: gzip, deflate
      Accept-Language: en-US,en;q=0.8
      Cache-Control: max-age=0
      Connection: keep-alive
      Content-Length: 56
      Content-Type: application/x-www-form-urlencoded
      Host: sps-server
      Origin: http://sps-server
      Referer: http://sps-server/iam/siteminder/console?
      Upgrade-Insecure-Requests: 1
      User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/44.0.2403.130 Safari/537.36

    Form Data
      query:
      username: spsadmin
      password: ******
      server.id: 1


  • 3.  Re: CA SSO: Protecting the Admin UI using the SPS

    Posted Aug 12, 2015 10:17 AM

    One oddity here is that the JSESSIONID cookie is returned with the 'Secure' attribute. Since it is being returned over an http-to-https reverse proxy, the client browser never sets this cookie: secure cookies sent over insecure (i.e. non-TLS-protected) transports will be rejected by a user agent.
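    To make the failure mode described in this thread concrete, here is an added example (not code from the thread or from CA/Symantec) that models the two user-agent rules for Secure cookies: a Secure cookie arriving over a non-TLS origin is not stored, and a stored Secure cookie is never sent on a non-TLS request. The BrowserJar class is a simplified model, and the Set-Cookie value and URLs are constructed from the ones quoted in the post.

```python
"""Why a Secure JSESSIONID set through an HTTP front end never comes back."""
from urllib.parse import urlsplit

# Constructed from the set-cookie header shown in the thread (illustrative id).
SET_COOKIE = ("JSESSIONID=8D4AA1611E45228A0A4011A5F762C084;"
              "Path=/iam/siteminder;Secure;HttpOnly")


def parse_set_cookie(header):
    """Split a Set-Cookie header into name, value and a dict of attributes."""
    pair, *attrs = [p.strip() for p in header.split(";")]
    name, _, value = pair.partition("=")
    flags = {}
    for attr in attrs:
        key, _, val = attr.partition("=")
        flags[key.strip().lower()] = val.strip() if val else True
    return name, value, flags


class BrowserJar:
    """Minimal cookie jar applying only the Secure-attribute rules (model)."""

    def __init__(self):
        self.cookies = {}  # name -> (value, flags)

    def store(self, response_url, header):
        """Return True if the cookie is kept, False if the browser drops it."""
        name, value, flags = parse_set_cookie(header)
        if flags.get("secure") and urlsplit(response_url).scheme != "https":
            return False  # Secure cookie delivered over plain HTTP: discarded
        self.cookies[name] = (value, flags)
        return True

    def cookie_header(self, request_url):
        """Build the Cookie header the browser would attach to request_url."""
        parts = urlsplit(request_url)
        over_tls = parts.scheme == "https"
        sent = [f"{n}={v}" for n, (v, f) in self.cookies.items()
                if (over_tls or not f.get("secure"))
                and parts.path.startswith(f.get("path", "/"))]
        return "; ".join(sent)


def login_round_trip(front_url):
    """Log in via the proxy at front_url; return the Cookie header sent next."""
    console = front_url + "/iam/siteminder/console"
    jar = BrowserJar()
    jar.store(console, SET_COOKIE)  # response to the POST in the thread
    return jar.cookie_header(console)  # the follow-up request


if __name__ == "__main__":
    print("http front: ", repr(login_round_trip("http://sps-server")))
    print("https front:", repr(login_round_trip("https://sps-server")))
```

    With the front end on plain HTTP the follow-up request carries no JSESSIONID, which is exactly what the Admin UI reports as an expired session; serving the proxy over HTTPS lets the browser keep and return the cookie.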