Hi CA community,
As the lack of the SameSite cookie attribute starts becoming a security finding by penetration testers, CA SSO should support this attribute as well. Currently, even if protected applications create cookies with the SameSite=Strict attribute, Access Gateway actually strips it away. I had a hard time pacifying the customer as to why a CA security product removes application security protocols.
For now, via a suggestion from CA support, we make do with the following in the httpd.conf of Access Gateway.
Header edit Set-Cookie ^(.*)$ "$1;SameSite=Strict"
We will need to experiment with the regex so that we can have better control.
It would be good if this could be part of the ACO, like the UseHTTPOnly and UseSecureCookies attributes.
After lodging a case, it was deemed an enhancement request and not a bug fix... So please enhance it.
Best regards,
Zen
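As an added example, not from the original post and not CA guidance, here is a small Python simulation of what that Header edit rule does to a few constructed Set-Cookie values, next to a guarded variant of the regex that leaves a cookie alone when the application already set its own SameSite attribute. Python's re module stands in for Apache's PCRE engine; the patterns use only constructs both support (anchors, a capture group, a negative lookahead and the inline (?i) flag). The sample cookies, the `; *SameSite=` guard and the Apache-form directive quoted in the comment are all assumptions for illustration.

```python
import re

# Constructed sample Set-Cookie header values, as a protected application
# behind Access Gateway might emit them (not captured from a real system).
SAMPLE_SET_COOKIES = [
    "JSESSIONID=abc123; Path=/app; Secure; HttpOnly",
    "prefs=dark; Path=/; SameSite=Lax",
    "csrf=tok; Path=/; SameSite=Strict; Secure",
]

# The rule from the post:  Header edit Set-Cookie ^(.*)$ "$1;SameSite=Strict"
# Python writes the back-reference as \1 where Apache writes $1.
NAIVE_PATTERN = r"^(.*)$"
NAIVE_REPLACEMENT = r"\1;SameSite=Strict"

# Guarded variant (an assumption, not from the post): the negative lookahead makes
# the whole pattern fail, and so leaves the value untouched, whenever a SameSite
# attribute is already present, case-insensitively. Apache form would be:
#   Header edit Set-Cookie "(?i)^((?!.*; *SameSite=).*)$" "$1; SameSite=Strict"
GUARDED_PATTERN = r"(?i)^((?!.*; *SameSite=).*)$"
GUARDED_REPLACEMENT = r"\1; SameSite=Strict"


def header_edit(pattern, replacement, value):
    """Apply one regex search-and-replace to a single header value.

    Mirrors what 'Header edit' does to one Set-Cookie value: a single
    substitution on the first match ('Header edit*' would replace all matches).
    """
    return re.sub(pattern, replacement, value, count=1)


def edit_all(pattern, replacement, values):
    """Run the edit over every Set-Cookie value of a response.

    Assumes the directive is applied to each Set-Cookie header separately.
    """
    return [header_edit(pattern, replacement, v) for v in values]


def samesite_values(value):
    """List every SameSite attribute value in a Set-Cookie value, in order."""
    return [m.group(1) for m in re.finditer(r"(?i); *SameSite=([^;\s]+)", value)]


def has_duplicate_samesite(value):
    """True when a cookie carries more than one SameSite attribute, i.e. the
    edit appended to a cookie whose application had already chosen a value."""
    return len(samesite_values(value)) > 1


if __name__ == "__main__":
    for label, pat, rep in (("naive", NAIVE_PATTERN, NAIVE_REPLACEMENT),
                            ("guarded", GUARDED_PATTERN, GUARDED_REPLACEMENT)):
        print("--- " + label + " ---")
        for out in edit_all(pat, rep, SAMPLE_SET_COOKIES):
            flag = "   <-- duplicate SameSite" if has_duplicate_samesite(out) else ""
            print(out + flag)
```

Two checks worth doing before relying on the rule in production. First, SameSite=Strict cookies are not sent on cross-site top-level navigations, and SSO logins typically arrive by redirect from another origin, so test the full login round trip rather than only a page load; if the flow breaks, Lax may be the value to append. Second, plain `Header` operates on the table used for successful responses, while `Header always` operates on the table used for all responses including errors; if cookies on redirects or error pages come back without the attribute, try the `Header always edit` form as well.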