INFO: API Gateway 9.2cr5 with Siteminder 12.7 Response Header Issue

Question asked by mr.david.dixon on Dec 19, 2017
Latest reply on Dec 20, 2017 by mr.david.dixon

This is not really a question but more of something I recently uncovered.  


We were running CA SSO 12.52sp2 with API Gateway 9.2 and OTK 4.1 successfully with a custom authentication shim module that we developed. This was all working very well until we upgraded our CA SSO version to 12.7. After doing so, our OTK solution seemed to immediately stop working. After many hours of troubleshooting, I was able to determine the cause was that the SiteMinder response attribute configured in our custom authentication shim was returning a null value for one of the attributes when the response attribute was defined with "UID" instead of "uid":

ATTR_UID=<%userattr="uid" %> GOOD
ATTR_UID=<%userattr="UID" %> BAD


This is either a bug with the API Gateway's SiteMinder agent interpretation of response headers with the SiteMinder 12.7 version, or a bug in the way that SiteMinder 12.7 returns response headers. I was able to set up a header dump page on a regular web agent running IIS and the case sensitivity issue did not seem to occur there. Either way returned the attribute to the page.

Also, I managed to run a SiteMinder policy server trace of its construction of the response headers and found something kind of interesting:

Good Response Trace:
[12/19/2017][14:40:36.773][14:40:36][4868][3496][Sm_Az_Message.cpp:828][CSm_Az_Message::FormatAttribute][s40/r4][OUR_AGENT_NAME][][][][OUR_REALM_NAME][OUR_DOMAIN_NAME][][][][][][][][][][][][][ATTR_UID=MYUSERNAME][Send response attribute 236, data size is 23]
[12/19/2017][14:40:36.773][14:40:36][4868][3496][Sm_Az_Message.cpp:828][CSm_Az_Message::FormatAttribute][s40/r4][OUR_AGENT_NAME][][][][OUR_REALM_NAME][OUR_DOMAIN_NAME][][][][][][][][][][][][][ATTR_UID=MYUSERNAME][Send response attribute 224, data size is 23]


Bad Response Trace:
[12/19/2017][14:43:14.440][14:43:14][4868][4520][Sm_Az_Message.cpp:828][CSm_Az_Message::FormatAttribute][s55/r4][OUR_AGENT_NAME][][][][OUR_REALM_NAME][OUR_DOMAIN_NAME][][][][][][][][][][][][][ATTR_UID=][Send response attribute 224, data size is 9]
[12/19/2017][14:43:14.440][14:43:14][4868][4520][Sm_Az_Message.cpp:828][CSm_Az_Message::FormatAttribute][s55/r4][OUR_AGENT_NAME][][][][OUR_REALM_NAME][OUR_DOMAIN_NAME][][][][][][][][][][][][][ATTR_UID=MYUSERNAME][Send response attribute 236, data size is 23]


For some reason, the policy server returns two "versions" of the attribute response, or at least says it does in the trace, but one is returned empty.  I've submitted a case with CA on this issue.


Hopefully this helps someone out there.
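
As an added example (not part of the original post and not CA code), this Python sketch scans policy server trace lines in the format quoted above and reports any response attribute that was sent with an empty value, together with the attribute IDs of populated copies in the same request. The field positions are assumed from the four quoted lines, and treating the `s55/r4` field as a session/request tag is also an assumption.

```python
import re
from collections import defaultdict

FIELD = re.compile(r"\[([^\]]*)\]")
SEND = re.compile(r"Send response attribute (\d+), data size is (\d+)")

# Sample input: the four trace lines quoted in the post above.
SAMPLE_TRACE = """\
[12/19/2017][14:40:36.773][14:40:36][4868][3496][Sm_Az_Message.cpp:828][CSm_Az_Message::FormatAttribute][s40/r4][OUR_AGENT_NAME][][][][OUR_REALM_NAME][OUR_DOMAIN_NAME][][][][][][][][][][][][][ATTR_UID=MYUSERNAME][Send response attribute 236, data size is 23]
[12/19/2017][14:40:36.773][14:40:36][4868][3496][Sm_Az_Message.cpp:828][CSm_Az_Message::FormatAttribute][s40/r4][OUR_AGENT_NAME][][][][OUR_REALM_NAME][OUR_DOMAIN_NAME][][][][][][][][][][][][][ATTR_UID=MYUSERNAME][Send response attribute 224, data size is 23]
[12/19/2017][14:43:14.440][14:43:14][4868][4520][Sm_Az_Message.cpp:828][CSm_Az_Message::FormatAttribute][s55/r4][OUR_AGENT_NAME][][][][OUR_REALM_NAME][OUR_DOMAIN_NAME][][][][][][][][][][][][][ATTR_UID=][Send response attribute 224, data size is 9]
[12/19/2017][14:43:14.440][14:43:14][4868][4520][Sm_Az_Message.cpp:828][CSm_Az_Message::FormatAttribute][s55/r4][OUR_AGENT_NAME][][][][OUR_REALM_NAME][OUR_DOMAIN_NAME][][][][][][][][][][][][][ATTR_UID=MYUSERNAME][Send response attribute 236, data size is 23]
"""


def parse_line(line):
    """Return (request, name, value, attr_id, size) for a FormatAttribute line, else None."""
    fields = FIELD.findall(line)
    # Assumed layout: field 6 = function, field 7 = request tag,
    # second-to-last = NAME=VALUE, last = the "Send response attribute" message.
    if len(fields) < 9 or not fields[6].endswith("FormatAttribute"):
        return None
    sent = SEND.fullmatch(fields[-1])
    if not sent or "=" not in fields[-2]:
        return None
    name, value = fields[-2].split("=", 1)
    return fields[7], name, value, int(sent.group(1)), int(sent.group(2))


def find_empty_attributes(trace):
    """Group attribute sends per (request, name) and report groups with an empty copy."""
    groups = defaultdict(list)
    for line in trace.splitlines():
        rec = parse_line(line)
        if rec:
            groups[rec[:2]].append(rec[2:])
    findings = []
    for (request, name), copies in groups.items():
        empty_ids = [attr_id for value, attr_id, _ in copies if value == ""]
        if empty_ids:
            populated_ids = [attr_id for value, attr_id, _ in copies if value]
            findings.append({"request": request, "attribute": name,
                             "empty_ids": empty_ids, "populated_ids": populated_ids})
    return findings


if __name__ == "__main__":
    for finding in find_empty_attributes(SAMPLE_TRACE):
        print(finding)
```

Run against a trace captured after an upgrade, a non-empty result points at identity attributes that downstream consumers such as the gateway may receive as null.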