Symantec Access Management

  • 1.  SMSESSION

    Posted Mar 27, 2018 05:52 AM

    Hello All,

    Can you please explain in depth how SMSESSION is created (if a form-based .fcc is used), and is there any way to change the name of the SSO session cookie from SMSESSION to another name?

    Thank You

    Ankur Taneja



  • 2.  Re: SMSESSION

    Posted Mar 27, 2018 05:58 AM

    Hi Ankur Taneja,

    Please check the thread below.

    SiteMinder Cookies, their Usage, Contents and Security

    Thanks,

    Shankar



  • 3.  Re: SMSESSION

    Posted Mar 27, 2018 06:23 AM

    Thanks Shankar for the details!



  • 4.  Re: SMSESSION
    Best Answer

    Posted Mar 27, 2018 06:17 AM

    1. How is the SMSESSION cookie created?

    Answer:

    https://communities.ca.com/community/ca-security/ca-single-sign-on/blog/2016/05/05/tech-tip-ca-single-sign-on-web-agent-smsession-cookie


    To understand how and by whom the SMSESSION cookie is created, we need to understand the user login flow. In the simplest scenario it goes something like this:

    1. The Agent collects the user’s credentials.
    2. The Agent sends the Login() request to the Policy Server, passing the received credentials. The Policy Server verifies the credentials and creates a Session Spec that represents the newly created user session. The Policy Server encrypts the Session Spec using the Session Ticket Key (Persistent Key). The encrypted Session Spec is then sent back to the Agent together with the Session ID and other session-related parameters (idle timeout, expiration timeout, etc.).
    3. The Agent embeds the Session ID and the Session Spec in an encrypted SMSESSION cookie that is sent back to the user’s browser. This encryption is done using Agent Keys.
    4. The Agent also saves the Session ID and the Session Spec in its User Session Cache.
    5. Any time an authenticated user accesses the Web site, the browser submits the SMSESSION cookie together with the HTTP request.
    6. When the Agent receives the SMSESSION cookie, it decrypts the SMSESSION cookie using Agent Keys, extracts the Session ID and the Session Spec, and checks them against the values stored in the User Session Cache. If the Agent cache doesn’t contain a corresponding entry, the Agent uses the Validate() call to pass the Session ID and the Session Spec to the Policy Server for validation.
    7. Once the Policy Server receives the validation request from the Web Agent, it decrypts the Session Spec using the Session Ticket Key (Persistent Key) and then performs validation.
    8. If the validation succeeds, the Policy Server returns the updated Session Spec to the Agent. The Session ID is not modified in the course of validation.

     

    2. How to change name of the SMSESSION cookie?

    Answer: To change the name , you will need to set ACO “SSOZoneName”


    For e.g if SSOZoneName=Z1, then cookie name would be “Z1Session” cookie 
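As an added illustration (not code from this thread or from the product), the following Python models the eight-step flow and the SSOZoneName naming rule from the reply above: two distinct keys (a Session Ticket Key that stays on the Policy Server, an Agent Key shared by the agents), a User Session Cache that short-circuits Validate() on a hit, a cache miss that triggers Validate(), a tampered cookie that is rejected, and a Session ID that survives validation unchanged. The cipher (a SHA-256 keystream with an HMAC tag), key sizes, timeouts, JSON layout and class names are constructed stand-ins, not SiteMinder's real wire format or key handling. The cookie name is built as zone name + "SESSION", which gives SMSESSION for the default zone "SM"; the reply above writes the Z1 case as "Z1Session".

```python
"""Constructed model of the SMSESSION login/validate flow; the cipher, message
layout and class names are stand-ins for this example, not SiteMinder's own."""
import base64
import hashlib
import hmac
import json
import os
import time


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    # SHA-256 counter-mode keystream: a toy stand-in for the real symmetric cipher.
    out, counter = b"", 0
    while len(out) < length:
        out += hashlib.sha256(key + nonce + counter.to_bytes(4, "big")).digest()
        counter += 1
    return out[:length]


def seal(key: bytes, plaintext: bytes) -> str:
    """Encrypt-then-MAC under a random nonce (models 'encrypt with Agent Key' and
    'encrypt with Session Ticket Key'); returns a URL-safe base64 token."""
    nonce = os.urandom(12)
    ct = bytes(p ^ k for p, k in zip(plaintext, _keystream(key, nonce, len(plaintext))))
    tag = hmac.new(key, nonce + ct, hashlib.sha256).digest()
    return base64.urlsafe_b64encode(nonce + ct + tag).decode()


def unseal(key: bytes, token: str) -> bytes:
    """Check the tag before decrypting; ValueError on tampering or a wrong key."""
    raw = base64.urlsafe_b64decode(token)
    nonce, ct, tag = raw[:12], raw[12:-32], raw[-32:]
    if not hmac.compare_digest(tag, hmac.new(key, nonce + ct, hashlib.sha256).digest()):
        raise ValueError("integrity check failed")
    return bytes(c ^ k for c, k in zip(ct, _keystream(key, nonce, len(ct))))


class PolicyServer:
    """Owns the Session Ticket Key (persistent key) and the constructed user store."""

    def __init__(self, users: dict):
        self.users = users
        self.session_ticket_key = os.urandom(32)   # never leaves the Policy Server
        self.agent_key = os.urandom(32)            # handed to every agent

    def login(self, username: str, password: str, now=None):
        # Step 2: verify credentials, build and encrypt the Session Spec.
        if self.users.get(username) != password:
            return None
        now = int(time.time()) if now is None else now
        spec = {"user": username, "created": now, "last_access": now,
                "idle_timeout": 3600, "max_timeout": 7200}
        return {"session_id": os.urandom(16).hex(),
                "session_spec": seal(self.session_ticket_key, json.dumps(spec).encode()),
                "idle_timeout": spec["idle_timeout"], "max_timeout": spec["max_timeout"]}

    def validate(self, session_id: str, session_spec: str, now=None):
        # Steps 7-8: decrypt with the ticket key, check timeouts, return an
        # updated Session Spec; the Session ID is never changed here.
        now = int(time.time()) if now is None else now
        try:
            spec = json.loads(unseal(self.session_ticket_key, session_spec))
        except ValueError:
            return None
        if (now - spec["last_access"] > spec["idle_timeout"]
                or now - spec["created"] > spec["max_timeout"]):
            return None
        spec["last_access"] = now
        return {"session_id": session_id,
                "session_spec": seal(self.session_ticket_key, json.dumps(spec).encode())}


class WebAgent:
    """One web agent; SSOZoneName selects the cookie name (default zone 'SM')."""

    def __init__(self, policy_server: PolicyServer, sso_zone_name: str = "SM"):
        self.ps = policy_server
        self.agent_key = policy_server.agent_key   # Agent Key shared across agents
        self.cookie_name = f"{sso_zone_name}SESSION"
        self.cache = {}    # User Session Cache: session_id -> session_spec

    def handle_login(self, username: str, password: str):
        # Steps 1-4: forward credentials, cache the result, issue the cookie.
        result = self.ps.login(username, password)
        if result is None:
            return None
        self.cache[result["session_id"]] = result["session_spec"]
        payload = json.dumps({"session_id": result["session_id"],
                              "session_spec": result["session_spec"]}).encode()
        return {self.cookie_name: seal(self.agent_key, payload)}

    def handle_request(self, cookies: dict, now=None):
        # Steps 5-8: decrypt the cookie, answer from cache, else call Validate().
        token = cookies.get(self.cookie_name)
        if token is None:
            return None
        try:
            payload = json.loads(unseal(self.agent_key, token))
        except ValueError:
            return None    # tampered, or sealed under a different Agent Key
        sid, spec = payload["session_id"], payload["session_spec"]
        if self.cache.get(sid) == spec:
            return sid
        result = self.ps.validate(sid, spec, now)
        if result is None:
            return None
        self.cache[sid] = result["session_spec"]
        return result["session_id"]


if __name__ == "__main__":
    ps = PolicyServer({"alice": "correct-horse"})        # constructed user
    agent = WebAgent(ps)
    cookies = agent.handle_login("alice", "correct-horse")
    print(list(cookies), agent.handle_request(cookies))   # ['SMSESSION'] <session id>
    print(WebAgent(ps, "Z1").cookie_name)                 # Z1SESSION
```

The two keys mark two trust boundaries: an agent can open and re-issue the cookie, but the Session Spec inside it is opaque to the agent, so only the Policy Server can alter session state or decide that a session has timed out. A second agent with an empty cache still accepts the cookie because it shares the Agent Key, but it has to go through Validate() first; anything that fails the tag check is dropped before it reaches the Policy Server.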




  • 5.  Re: SMSESSION

    Posted Mar 27, 2018 06:23 AM

    Thanks Ujwol for the details