Sung Hoon Kim's Blog, August 2018

Web Agent does not yet support setting the SameSite cookie.

However, there are ways to work around it until it is officially supported.
Most web servers have a way to rewrite the response headers, including the cookies, that go out to the browser.

In the case of Apache, you can do the following.
Modify the httpd.conf file as below.
1. Load mod_headers.so

LoadModule headers_module modules/mod_headers.so
2. Rewrite the cookie

Header edit Set-Cookie ^(.*)$ "$1; SameSite=Strict"
Once you add the above two lines and restart Apache, every Set-Cookie header that Apache sends will carry the SameSite attribute.
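As an added example (not configuration from the original post), here is the same mod_headers rewrite in a form that also covers cookies set on redirect and error responses and that does not append a second SameSite attribute to a cookie which already has one. The SameSite value is the one the post uses; the note about Lax is a general property of the attribute, not something the post states.

```apache
# Added example, not the original post's configuration.
LoadModule headers_module modules/mod_headers.so

# A plain "Header edit" only rewrites headers on 2xx responses. A session
# cookie that is set on a 302 redirect (for example after a login form posts
# back to the protected resource) would be skipped, so "always" is used to
# cover every response status.
#
# The regex only matches Set-Cookie values that do not already contain a
# SameSite attribute, so a cookie the application has already tagged
# (for example "SameSite=Lax") is left untouched instead of ending up with
# two conflicting SameSite attributes.
Header always edit Set-Cookie (?i)^((?:(?!;\s*SameSite=).)+)$ "$1; SameSite=Strict"

# Strict is the value the post uses. Browsers do not send Strict cookies on a
# cross-site top-level navigation, such as the redirect back from a separate
# login host in an SSO flow; if that applies to your site, use SameSite=Lax.
```

After restarting Apache, a quick check is to fetch a page that sets a cookie and look at the Set-Cookie lines in the response headers: each should carry exactly one SameSite attribute, including cookies on 302 responses.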

There are already good articles to follow.
CA SSO OpenID Connect Provider - Agentless SSO

CA SSO OpenID Connect Provider - with Apache OpenID Client

If you follow the instructions above, you should be able to set up an OpenID Client with the CA OpenID Connect Provider.
I tested on the CA Access Gateway R12.8 base version, and the above document still remains valid.

There was one thing that I encountered during the configuration, and that was in the CA SSO AdminUI when creating the OpenID Client.
When entering the "Redirect URIs" and clicking "Add", nothing happens.

This page's code does not seem to work in IE.

However, by using Chrome, I was able to submit and save.
Here are the steps, which simply re-illustrate what the previous authors have documented (credit to them, jack.saunders and Mark.ODonohue).
=============
1) Prerequisites:

Policy Server R12.8

Access Gateway R12.8

Apache httpd web server with mod_auth_openidc installed.

  • Installed Apache 2.4 from http://www.apachelounge.com/download/
    • In my testing, I downloaded httpd-2.4.34-win64-VC15.zip
    • Extract the file and move the Apache24 folder to C:\
    • Configure HTTPS and register Apache as a service
  • Installed mod_auth_openidc: https://github.com/pingidentity/mod_auth_openidc/releases
    Note: I will cover this one in a bit more detail below, as I had a few dependency issues to fix before it would work correctly.
    • In my testing, I downloaded mod_auth_openidc-2.3.7-apache-2.4.x-win64.zip
    • Extract the zip and copy "mod_auth_openidc.so" to the "<Apache24>/modules" folder, and "cjose.dll", "jansson.dll" and "libcurl.dll" to the "<Apache24>/bin" folder.
    • Download openssl-1.0.2o-x64_86-win64.zip from Index of /SSL and extract the "libeay32.dll" and "ssleay32.dll" files to the "<Apache24>/bin" folder.
    • Update httpd.conf to load "mod_auth_openidc.so".
    • Ensure Apache starts up fine.
  • In httpd.conf, map /protected/ to /cgi-bin/ so that printenv.pl is launched. (You need to install Perl separately for this, but it is not mandatory; you can just create a folder under htdocs and use that instead. This is only to dump the headers for better visibility.)
  • And update printenv.pl to point to where the Perl runtime is.
Then follow the steps in CA SSO OpenID Connect Provider - with Apache OpenID Client to create the OpenID Provider and Client.

When you create the OpenID Client, it will automatically generate the "Client ID" and "Client Secret" unless you enter them manually.
These values need to be used when you update the httpd.conf file on the OpenID Client side.
Attaching httpd.conf and Sample_OID_Flow.saz for reference.
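As an added example (not the author's attached httpd.conf), here is the shape of the mod_auth_openidc stanza on the OpenID Client side that consumes the Client ID and Client Secret generated in AdminUI and protects the /protected location from the prerequisites. The host names, the metadata path and the angle-bracket placeholder values are assumptions; replace them with the values from your own provider and client definitions.

```apache
# Added example of the OpenID Client side httpd.conf; not the post's attachment.
LoadModule auth_openidc_module modules/mod_auth_openidc.so

# Discovery document published by the CA SSO OpenID Connect Provider on the
# Access Gateway. The host and path are placeholders; take the real URL from
# your provider definition.
OIDCProviderMetadataURL https://accessgateway.example.com/<provider-path>/.well-known/openid-configuration

# The values generated (or entered manually) when the OpenID Client was
# created in AdminUI.
OIDCClientID     <client-id-from-adminui>
OIDCClientSecret <client-secret-from-adminui>

# Must exactly match one of the "Redirect URIs" registered on the client, and
# must lie inside a location protected by this module: it is a virtual path the
# module handles itself, not a file on disk.
OIDCRedirectURI https://apache.example.com/protected/redirect_uri

# Passphrase used to encrypt the module's state and session cookies; choose a
# long random value.
OIDCCryptoPassphrase <random-passphrase>

# Scopes requested from the provider ("openid" is the minimum).
OIDCScope "openid profile email"

# /protected is mapped to cgi-bin in the prerequisites, so printenv.pl shows
# the headers and environment variables the module sets after login.
<Location /protected>
    AuthType  openid-connect
    Require   valid-user
</Location>
```

With this in place, an unauthenticated request to /protected/ is redirected to the provider's authorization endpoint, and after login the provider redirects back to the OIDCRedirectURI, where the module exchanges the code for tokens using the Client ID and Secret before serving the original request.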

Hi, for anyone following my blog, there is a CA SSO roadmap announcement, if you are interested.
https://communities.ca.com/events/4708-ca-single-sign-on-roadmap-august-16-2018-10-pm-et-apj
Register your interest to join.
Cheers,

Kim