Symantec SiteMinder


Tech Tip: CA Single Sign-On: Web Agent & WAOP: Client IP and SMSESSION IP do not match

By Ujwol posted Oct 18, 2016 12:21 AM

  

Issue:

Use Case

The customer upgraded the Web Agent Option Pack from r12.0 to r12.52 SP1CR5.
The user logs on to a centralized Web Agent resource first and then initiates unsolicited (IdP-initiated) federation.
After that, when navigating back to the normal Web Agent resources, the user's session is rejected with the following error in the Web Agent trace log:
Client IP and SMSESSION IP do not match

 

Configuration

 

  • Customer has Transient IP check enabled on the centralized Login Web Agent. (different from IDP Web agent)
  • Customer has Transient IP check disabled on the IDP Web Agent as well as IDP WAOP
  • All Web Agent and Web Agent Option Pack are behind the Load Balancer
  • CustomIPheader is configured for Login Web Agent, IDP Web Agent and WAOP ACO 

 

Environment:

  • Policy Server : R12.52 and above 
  • Policy Server OS : Any
  • Web Agent : 12.52 and above (Both login and IDP)
  • Web Agent Option Pack : 12.51 and above

 

Root Cause:

In the r12.0 version of the Web Agent Option Pack, the WAOP did NOT generate an SMSESSION cookie on successful validation of an existing SMSESSION cookie.

From r12.51 onwards, however, the Web Agent Option Pack does generate an SMSESSION cookie.

But unlike the normal Web Agent, it does not support the CustomIPHeader ACO parameter.

So, when it creates the SMSESSION cookie, it resolves the client IP as follows:

  • It first reads the SM_CLIENT_IP header; if that header has a value, it uses it.
  • If the SM_CLIENT_IP header is empty, it uses the proxy IP as the client IP. The proxy IP is usually the Load Balancer IP.

Now, the normal Web Agent sets this SM_CLIENT_IP header to the actual browser IP address only if either TransientIPCheck or PersistentIPCheck is enabled.

Because, in this case, neither TransientIPCheck nor PersistentIPCheck was enabled on the IDP Web Agent, it was not setting the SM_CLIENT_IP header. As a result, the WAOP used the proxy IP when creating the SMSESSION cookie.

When this WAOP-created SMSESSION cookie is then submitted to a normal Web Agent with IP checking enabled, the IP validation fails because the client IP resolved from CustomIPHeader (the browser IP) and the IP stored in the SMSESSION cookie (the Load Balancer IP) do not match.

Workaround:

Enable either TransientIPCheck or PersistentIPCheck on the IDP Web Agent as well, so that it sets the SM_CLIENT_IP header and the WAOP records the real client IP in the SMSESSION cookie.
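To make the root cause and the workaround above concrete, here is a small model of the IP-resolution rules the tip describes. This is illustrative code added for this article, not CA/Symantec product code: it encodes the stated behaviour of the IDP Web Agent (forward SM_CLIENT_IP only when an IP check is on), the r12.51+ WAOP (SM_CLIENT_IP, else the proxy IP) and the login Web Agent's IP check (resolved client IP must equal the IP in SMSESSION). The CustomIPHeader value, the IP addresses, the fallback to the peer address when the custom header is absent and all function names are assumptions made for the example.

```python
"""Added model of the client-IP resolution described in this tech tip.

Illustrative code written for this article, not CA/Symantec product code: it
encodes the decision rules the article states so the failing flow and the
workaround can be traced step by step. Header value, IPs and fallback
behaviour are assumptions for the example.
"""
from dataclasses import dataclass, field
from typing import Dict, Optional, Tuple

LOAD_BALANCER_IP = "10.0.0.5"         # constructed: peer address every agent sees behind the LB
BROWSER_IP = "203.0.113.7"            # constructed: the user's real address, carried in a header
CUSTOM_IP_HEADER = "X-Forwarded-For"  # assumed CustomIPHeader value; the article does not name it


@dataclass
class Request:
    proxy_ip: str                                        # TCP peer as seen by the agent (the LB)
    headers: Dict[str, str] = field(default_factory=dict)


@dataclass
class AgentConfig:
    custom_ip_header: Optional[str] = None   # CustomIPHeader ACO parameter
    transient_ip_check: bool = False         # TransientIPCheck ACO parameter
    persistent_ip_check: bool = False        # PersistentIPCheck ACO parameter

    def ip_check_enabled(self) -> bool:
        return self.transient_ip_check or self.persistent_ip_check


def web_agent_resolve_ip(req: Request, cfg: AgentConfig) -> str:
    """Normal Web Agent: take the client IP from CustomIPHeader when configured
    and present; otherwise fall back to the peer address (assumed fallback)."""
    if cfg.custom_ip_header and req.headers.get(cfg.custom_ip_header):
        return req.headers[cfg.custom_ip_header]
    return req.proxy_ip


def web_agent_forward_headers(req: Request, cfg: AgentConfig) -> Dict[str, str]:
    """Headers the Web Agent passes on to the WAOP. Per the article, SM_CLIENT_IP
    is set to the resolved browser IP only when an IP check is enabled."""
    forwarded = dict(req.headers)
    if cfg.ip_check_enabled():
        forwarded["SM_CLIENT_IP"] = web_agent_resolve_ip(req, cfg)
    return forwarded


def waop_resolve_ip(headers: Dict[str, str], proxy_ip: str) -> str:
    """WAOP r12.51+: SM_CLIENT_IP if it carries a value, else the proxy IP.
    It does not consult CustomIPHeader at all."""
    return headers.get("SM_CLIENT_IP") or proxy_ip


def waop_issue_smsession(headers: Dict[str, str], proxy_ip: str) -> Dict[str, str]:
    """The SMSESSION the WAOP generates after validating the existing session;
    only the client-IP field matters for this scenario."""
    return {"client_ip": waop_resolve_ip(headers, proxy_ip)}


def web_agent_validate(req: Request, cfg: AgentConfig, smsession: Dict[str, str]) -> bool:
    """IP validation on the login agent: with an IP check enabled, the IP the
    agent resolves now must equal the one recorded in SMSESSION."""
    if not cfg.ip_check_enabled():
        return True
    return web_agent_resolve_ip(req, cfg) == smsession["client_ip"]


def run_flow(idp_ip_check_enabled: bool) -> Tuple[str, bool]:
    """Replay the article's flow. Returns (IP the WAOP wrote into SMSESSION,
    whether the login agent later accepts that SMSESSION)."""
    login_cfg = AgentConfig(custom_ip_header=CUSTOM_IP_HEADER, transient_ip_check=True)
    idp_cfg = AgentConfig(custom_ip_header=CUSTOM_IP_HEADER,
                          transient_ip_check=idp_ip_check_enabled)
    # Every request arrives via the load balancer, which injects the real client IP.
    req = Request(proxy_ip=LOAD_BALANCER_IP, headers={CUSTOM_IP_HEADER: BROWSER_IP})

    # 1. IdP-initiated federation: the IDP Web Agent fronts the WAOP, which
    #    validates the existing SMSESSION and (r12.51+) re-issues it.
    headers_to_waop = web_agent_forward_headers(req, idp_cfg)
    smsession = waop_issue_smsession(headers_to_waop, req.proxy_ip)

    # 2. The user navigates back to a resource on the login Web Agent.
    accepted = web_agent_validate(req, login_cfg, smsession)
    return smsession["client_ip"], accepted


if __name__ == "__main__":
    for enabled in (False, True):
        ip, ok = run_flow(enabled)
        verdict = "accepts" if ok else "rejects: Client IP and SMSESSION IP do not match"
        print(f"IDP agent IP check {'on ' if enabled else 'off'}: SMSESSION IP={ip}, login agent {verdict}")
```

Running it with the IDP agent's IP check off reproduces the failure (the WAOP stores the load balancer address, the login agent resolves the browser address, and the two differ); turning the check on makes the IDP agent forward SM_CLIENT_IP, so the WAOP stores the browser address and validation passes. The model does not cover the r12.0 WAOP, which the article says never re-issued SMSESSION and so never hit this path.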

 

Solution:

CA might support CustomIPHeader for the Web Agent Option Pack in a future release. At the time of writing it is not supported.
