Federation Guides › Partnership Federation Guide › Open Format Cookie Details

Open Format Cookie Details

The federation open format cookie lets applications assert user attributes to SiteMinder and consume user attributes that SiteMinder encapsulates. The open format cookie has the following general characteristics:

• The cookie is accessible by applications written in any programming language.
• The cookie content consists of a string of UTF-8 bytes, which supports international character sets.
• The combined size in UTF-8 bytes of each name/value pair precedes the name/value pair.
• Space characters are added for legibility.
• The cookie is simple to parse and easily extensible.

Important! If the cookie contains any unsafe characters such as '=', enclose the value in double quotes. You can specify this option through the user interface, or through the SDK.

The open format cookie contains the following property information:

• Cookie Version
• Name ID
• Name ID Format
• Session ID
• AuthnContext
• UserDN (same as User ID)

The following diagram shows the open format:

Key:

• Ver — the cookie format version; for Federation Manager r12.1, this value is 1.
• Sp — an ASCII space character, used only to improve readability.
• Properties — information about the principal.
• Attributes — SAML attributes from the Assertion
• Cnt — the number of name value pairs that follow, represented in ASCII.
• Sz — the length of the name or value that follows
• ValCnt — the number of attribute values that follow. For Federation Manager r12.1, multiple values for an attribute are not supported. Set this value to 1.

The Backus-Naur Form (BNF) for this format is following (0* means 0 or more; 1* means at least 1).

• DIGIT = ASCII digit (0 through 9)
• CHAR = UTF-8 character
• Sp = ASCII space (character 32)
• Token = 1*CHAR
• Cookie = Version Sp Properties Attributes
• Version = 1*DIGIT
• Cnt = 1*DIGIT
• Properties = Cnt 1*PPair
• Attributes = Cnt 0*APair
• ValCnt = 1*DIGIT
• PPair = Sz Sp Name Sp Sz Sp Value
• APair = Sz Sp Name Sp ValCnt Sp Sz Sp Value
• Sz = 1*DIGIT
• Name = Token

Value = Token

Contents of the Open Format Cookie

The federation open format cookie lets applications assert user attributes to SiteMinder and consume user attributes that SiteMinder encapsulates. The open format cookie has the following general characteristics:

• The cookie is accessible by applications written in any programming language.
• The cookie content consists of a string of UTF-8 bytes, which supports international character sets.
• The combined size in UTF-8 bytes of each name/value pair precedes the name/value pair.
• Space characters are added for legibility.
• The cookie is simple to parse and easily extensible.

Important! If the cookie contains any unsafe characters such as '=', enclose the value in double quotes. You can specify this option through the user interface, or through the SDK.

The open format cookie contains the following property information:

• Cookie Version
• Name ID
• Name ID Format
• Session ID
• AuthnContext
• UserDN (same as User ID)

The following diagram shows the open format:

Key:

• Ver — the cookie format version; for Federation Manager r12.1, this value is 1.
• Sp — an ASCII space character, used only to improve readability.
• Properties — information about the principal.
• Attributes — SAML attributes from the Assertion
• Cnt — the number of name value pairs that follow, represented in ASCII.
• Sz — the length of the name or value that follows
• ValCnt — the number of attribute values that follow. For Federation Manager r12.1, multiple values for an attribute are not supported. Set this value to 1.

The Backus-Naur Form (BNF) for this format is following (0* means 0 or more; 1* means at least 1).

• DIGIT = ASCII digit (0 through 9)
• CHAR = UTF-8 character
• Sp = ASCII space (character 32)
• Token = 1*CHAR
• Cookie = Version Sp Properties Attributes
• Version = 1*DIGIT
• Cnt = 1*DIGIT
• Properties = Cnt 1*PPair
• Attributes = Cnt 0*APair
• ValCnt = 1*DIGIT
• PPair = Sz Sp Name Sp Sz Sp Value
• APair = Sz Sp Name Sp ValCnt Sp Sz Sp Value
• Sz = 1*DIGIT
• Name = Token
• Value = Token

Secure Proxy Engine Logs for Federation

Partnership-based federation contains a secure proxy engine that forwards traffic to backend servers. The secure proxy engine includes the following components:

• Apache Web Server

  Acts as the HTTP listener, handling HTTP traffic for incoming requests, and can handle HTTPS traffic, once properly configured.

• Tomcat server

  Provides a servlet container for the operation of the UI. The Apache web server communicates to the Tomcat server through a Tomcat connector named mod_jk.

You can supply CA Support with log files related to these components to troubleshoot problems in your partnership federation environment.

Two Apache logs that aid partnership federation troubleshooting are:

mod_jk.log

mod_jk.log is enabled by default with the product. After the first contact with the federation server, information begins logging to this file. The mod_jk.log file is located in federation_mgr_home\logs\fws.

To modify this log file:

1. Navigate to federation_mgr_home\secure-proxy\httpd\conf
2. Open the httpd.conf file.
3. Change the following lines

   JkLogFile "federation_mgr_home/logs/fws/mod_jk.log"
   

   JkLogLevel error
   

   To disable the mod_jk.log, comment out or remove these lines from the file.

httpclient.log

For debug purposes only, you can enable the httpclient.log. The httpclient.log file is located in federation_mgr_home\secure-proxy\proxy-engine\logs.

To modify this log file:

1. Navigate to federation_mgr_home\secure-proxy\proxy-engine\conf.
2. Open the server.conf file
3. Change the following line:

   httpclientlog="yes"
   

To modify the location of the httpclient.log file and the log level, edit the httpclientlogging.properties file. This file is in the directory federation_mgr_home\secure-proxy\Tomcat\properties.