Symantec Access Management

  • Private Community

  • 1.  How to simulate SSO Web Agent for IIS?

    Posted Dec 01, 2017 04:15 PM

    I am working on an IIS-hosted web site that will be protected behind a SiteMinder SSO Web Agent.  I do not have a Policy Server, or corresponding wired-up Web Agent in my local dev environment, but I would like to simulate the Web Agent behavior with my app.  Mainly to test retrieving specific header variables and the overall process flow.

     

    Is there any sort of mock or test Web Agent available for this situation? How does everyone else approach developing against SiteMinder without an actual fully installed environment?  Or is there some sort of developer trial edition available that could be installed on a workstation environment?

     

    Alternatively, some Googling has led me to a number of random posts where others look to have made their own mock services to simulate the web agent behavior.  If there's no official developer solution, is that the suggested direction I should try?

     

    Thanks for any advice!



  • 2.  Re: How to simulate SSO Web Agent for IIS?
    Best Answer

    Posted Dec 03, 2017 11:06 PM

    Hi Peter,

     

    CA SSO doesn't have any publicly available developer/trial solution to my knowledge.

    You may have to contact CA Sales to get a trial copy.

     

    But given the fact that , CA SSO web agent for IIS acts as ISAPI filter/Http Module, you should be able to develop a custom modules to mock web agent behavior for testing.


    Regards,

    Ujwol



  • 3.  Re: How to simulate SSO Web Agent for IIS?

    Posted Dec 04, 2017 11:55 AM

    Might seem kind of clunky...but if you literally just want to develop against verifying a username or other attributes from a header, and not all the other protections the Web Agent has (rewriting headers, bad css chars, etc)...just setup  URL Rewrite to injected HTTP headers mimicking user attributes passed in via a front-end web agent.



  • 4.  Re: How to simulate SSO Web Agent for IIS?

    Posted Dec 04, 2017 03:34 PM

    If you have VMWare available, you can set up two images that let you run your own CA SSO environment. You can put the policy server and user directory on one image, and on the other image IIS and any other application servers you need.

     

    If your company has a license for CA SSO, then you can install it on as many test environments as you want, including individual developer test environments.

     

    Whether or not this is really practical for you depends on your how much experience you have installing and configuring LDAP directories, IIS, app servers and CA SSO. 

     

    Rick



  • 5.  Re: How to simulate SSO Web Agent for IIS?

    Posted Dec 04, 2017 06:05 PM

    They don't have CA SSO license.



  • 6.  Re: How to simulate SSO Web Agent for IIS?

    Posted Dec 05, 2017 08:56 AM

    Thanks everyone for the help!  I've ended up going the route of making a custom HttpModule that I can integrate with my app and simulate the behavior.  Mainly I'm interested in the headers that are available after an SSO login, so after simulating the login workflow I think those are pretty straightforward.



  • 7.  Re: How to simulate SSO Web Agent for IIS?

    Posted Dec 05, 2017 09:38 AM

    I actually found this to be a very helpful post - thanks to all



  • 8.  Re: How to simulate SSO Web Agent for IIS?

    Posted Dec 06, 2017 02:06 PM

    Hi all, I did have one follow up question, I think about the IIS Web Agent implementation.  My understanding is that the agent will add certain default headers.  Can someone clarify where those headers are located?  The examples I've come across seem to refer to them as "Request Headers", leading me to believe they are just in the Request (and accessed via ASP.NET in the Request.Headers object). 

     

    But I also have some examples showing that to access the header variables, to use the Request.ServerVariables object.  It sounds like there might be some overlap between HTTP Headers and the IIS ServerVariables; but can anyone speak to the details of the IIS Web Agent implementation? I'm wondering if that might be an artifact of the agent's ISAPI filter nature; does it insert ServerVariable entries that are also available as Header variables in the Request?

     

    Is there any official CA documentation in accessing the SiteMinder SSO header variables from code (ASP.NET/C#)?



  • 9.  Re: How to simulate SSO Web Agent for IIS?

    Posted Dec 06, 2017 02:17 PM

    The CA SSO are standard inbound request headers. In JSPs they are accessed like any other headers, but for IIS I have always used the following logic to extract them. But maybe Microsoft has improved asp so the SM headers do show up in Request.Headers. But anyway, if Request.Headers doesn't work, the following code should work:

     

    <%
    Function GetAttribute(AttrName)
        Dim AllAttrs
        Dim RealAttrName
        Dim Location
        Dim Result

        AllAttrs = Request.ServerVariables("ALL_HTTP")
        RealAttrName = "HTTP_" & ucase(AttrName)

        Location = instr(AllAttrs, RealAttrName & ":")

        if Location <= 0 then
            GetAttribute = ""
            Exit Function
        end if

        Result = mid(AllAttrs, Location + Len(RealAttrName) + 1)

        Location = instr(Result, chr(10))
        if Location <= 0 then Location = len(Result) + 1

        GetAttribute = left(Result, Location - 1)
    End Function
    %>

     

    You can call the GetAttribute function with code like this:

    Response.Write "HTTP_SM_USER = " & GetAttribute("SM_USER") & "<BR>"

     

    Hope this helped.

     

    Rick



  • 10.  Re: How to simulate SSO Web Agent for IIS?

    Posted Dec 06, 2017 02:56 PM

    Great, thanks!