Previous Topic: Change How Often an Agent Checks for Policy or Key UpdatesNext Topic: Help Prevent Attacks


User Tracking and URL Monitoring

CA SiteMinder® agents can track users and can monitor URLs using the parameters described in the following procedures:

Track User Identity Across Anonymous Realms

When an anonymous user accesses resources, that user is assigned an SMIDENTITY (anonymous) cookie. When the user moves to another domain, the user is challenged, logs in successfully, and is assigned an SMSESSION (logged in) cookie.

As this user accesses protected and "anonymous" resources, that is, resources in a realm that do not require a user to present credentials, the user may enter a domain that contains both cookies for a user. For resources protected by Web Agents starting at 5.x QMR 3 , the Web Agent uses the SMSESSION cookie to identify the user, not the SMIDENTITY cookie.

If the user goes from a thoroughly upgraded domain to a domain where older Agents use the SMIDENTITY cookie to identify the user, the cookie used depends on the version of the Web Agent handling the request.

Regarding separate cookie domains, when a master cookie domain contains protected resources and a second domain contains anonymous resources, a user who does the following tasks continues to be treated as an anonymous user in the anonymous domain:

  1. Accesses the anonymous domain first
  2. Moves to the master domain and logs in
  3. Moves back to the anonymous domain
Track User Activities or Application Usage with Auditing

You can you can measure how often applications on your web site are used, or track user activities with auditing. Auditing is controlled with the following parameter:

EnableAuditing

Specifies whether the Web Agent logs all successful authorizations that are stored in the user session cache. When enabled, user authorizations are logged even when the Web Agent uses information from its cache instead of contacting the Policy Server. Web Agents log user names and access information in native web server log files when users access resources.

Default: No

Both the Policy Server and Web Agent audit user activity. The Web Agent sends a message to the Accounting service each time a user is authorized from cache to access resources. This action ensures that the Accounting service is tracking successful authorizations for the Web Agent and the Policy Server. If the Web Agent cannot successfully send an audit message to the Accounting service for an authorization, access to the resource is denied. You can then run a CA SiteMinder® activity report from the Administrative UI. The reports from the Policy Server show user activity for each CA SiteMinder® session.

Note: For more information, see the Policy Server documentation.

To track user activity or application usage with auditing, set the value of the EnableAuditing parameter to yes.

URL Monitoring Overview

The Web Agent can prevent attacks by malicious users trying to halt normal operation of a Web site or circumvent a site’s security mechanisms to gain illegal access to information.

The Web Agent monitors URLs in resource requests and enforces the security policies for these resources. CA SiteMinder® Web Agents interpret and parse URLs differently from the web servers where the resources reside. These differences can result in subtle performance and security issues that potentially allow unauthorized users to gain access to resources. You need to consider these issues in the design of your Web site and the configuration of the CA SiteMinder® Web Agent.