Symantec Access Management

  • 1.  Cookie Provider not working for first request

    Posted Oct 28, 2015 03:58 AM

    Hi All,

     

    I am utilizing cookie provider functionality in my environment, where I have two of my domains on Apache servers which are acting as proxies for both. I have my WebAgent residing on both of these proxy servers, and I have configured one of the domains as cookie provider, say abc.com. After the SiteMinder authentication we are sending the header sm_user to the actual application server, and the setup is working fine.

    The problem I am facing here is only for the first request we make. More precisely, if we leave the system idle for around 20 mins and then try to access the slave domain, say xyz.com, it is not sending any header to the application and we are getting a blank page after waiting for around 4 mins. If I access the URL again, I get the desired application page without any delays, and so on.

    The problem only comes for the first request after waiting for around 20 mins. I have checked the WebAgent trace logs and have compared the success and failure logs. I could make out that most of the requests are not getting triggered at all and the request is stopped on its own. Please help me if somebody has faced the same problem in the past.

    Just FYI: I can see the target URL in the browser when the blank page is displayed.

    SiteMinder Version used : 12.52 sp1 cr1

    Thanks,

    Ashish Vashistha

    PH : 8130233066



  • 2.  Re: Cookie Provider not working for first request

    Posted Oct 28, 2015 09:33 AM

    RajeshKA

    I would recommend running a Browser Trace (e.g. Fiddler) to see what is happening on the first request.

    If we leave the browser idle for 20 mins and we are using the default ACO Settings, then the SessionUpdatePeriod and SessionGracePeriod would have elapsed. Therefore the LocalWebAgent (Slave) would update its own LocalCookie and also subsequently issue a 302 redirect to the MasterWebAgent (CookieProvider) to update the Master Cookie. Thereafter the Target URL, which the user was trying to access, is served.

    So ideally we have seen issues with 302 redirects for CookieProviders and Application URLs, i.e. the WebAgent issues a 302; however, the application expects a 200 OK. This is a race condition, i.e. who would win the race. There are Post Preservation issues and solutions around it. However, my recommendation would be to investigate what is happening from the Browser/WebAgent perspective and match that with what the Application is expecting. This would tell us what is happening under the covers. We then look at where the problem is.

    Another recommendation, which is not related to this issue but is something that I would recommend, is not to use the default SM_USER header. Configure a Response within the Policy Domain and use that in Policy-Rule Mapping. The reason is that the value of SM_USER is allowed to change based on the CA SSO Solution implementation, and CA has rights to change it. A good example is if you are using an HTML Forms Auth, the value of SM_USER would be "hubert@xyz.com"; however, if we switched to an IWA based Auth Scheme, the SM_USER value would be sAMAccountName, i.e. "ADDOMAIN/hubert". If the Application was expecting SM_USER to be "hubert@xyz.com", then functionality is broken. Hence try not to use SM_USER (or SiteMinder proprietary headers) to assert the identity of a User. Use a Configured Response, as that is triggered by the Policy Server.

    Regards

    Hubert
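
    Added example, not part of the thread and not CA/Symantec code: one way to read the browser trace recommended above, once it has been exported as a HAR file, by walking the 302 chain from the slave domain through the cookie provider and back and reporting the hop that stalled. The trace below is constructed; the hosts abc.com and xyz.com come from the thread, while the paths, timings and the `cp-placeholder` URL are hypothetical.

```python
from urllib.parse import urljoin, urlsplit

def entry(url, status, ms, redirect=""):
    # Minimal HAR 1.2 entry: request.url, response.status, response.redirectURL, time in ms.
    return {"request": {"url": url}, "time": ms,
            "response": {"status": status, "redirectURL": redirect}}

# Constructed trace, not a capture. A real one would be loaded with json.load()
# from the HAR file the browser or proxy exported.
SAMPLE_HAR = {"log": {"entries": [
    entry("https://xyz.com/app/home", 302, 40, "https://abc.com/cp-placeholder?target=xyz"),
    entry("https://abc.com/cp-placeholder?target=xyz", 302, 35, "https://xyz.com/app/home"),
    entry("https://xyz.com/app/home", 200, 240000),  # blank page after about 4 minutes
]}}

def redirect_chain(har, start_url):
    """Follow 3xx hops from start_url through the entries in capture order."""
    entries, chain, url, pos = har["log"]["entries"], [], start_url, 0
    while url:
        idx = next((i for i in range(pos, len(entries))
                    if entries[i]["request"]["url"] == url), None)
        if idx is None:  # the browser was redirected here but the request is not in the trace
            chain.append({"url": url, "status": None, "ms": None})
            break
        e = entries[idx]
        status = e["response"]["status"]
        chain.append({"url": url, "status": status, "ms": e["time"]})
        target = e["response"].get("redirectURL")
        # redirectURL may be relative in some exports, so resolve it against the current URL
        url = urljoin(url, target) if 300 <= status < 400 and target else None
        pos = idx + 1  # only look forward, so a URL revisited later matches its later entry
    return chain

def diagnose(chain, slow_ms=5000):
    """Return one finding per hop that is missing, unanswered or slower than slow_ms."""
    findings = []
    for hop in chain:
        host = urlsplit(hop["url"]).hostname
        if hop["status"] is None:
            findings.append(f"{host}: redirect target was never requested")
        elif hop["status"] == 0:  # commonly recorded when no response arrived
            findings.append(f"{host}: no response after {hop['ms']} ms")
        elif hop["ms"] > slow_ms:
            findings.append(f"{host}: HTTP {hop['status']} took {hop['ms']} ms")
    return findings

if __name__ == "__main__":
    for line in diagnose(redirect_chain(SAMPLE_HAR, "https://xyz.com/app/home")):
        print(line)
```

    The host named in the finding shows which agent or backend to compare against the WebAgent trace log for the same timestamp.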