

HTTP Header Protection for a Proxy Mode Deployment at the Relying Party

In a proxy mode deployment at the relying party, CA SiteMinder® Federation Standalone passes identity attributes from the SAML assertion to backend applications as HTTP headers. The target application trusts these headers because it expects them to be set only by CA SiteMinder® Federation Standalone. However, if an unauthorized user learns the name of an assertion attribute, they can send a request that already carries a header of that name, for example from a browser extension or a command-line HTTP client. Unless that header is removed, the target application sees the header value it expects and grants access to the resource even though CA SiteMinder® Federation Standalone never consumed an assertion.

The HTTP Header Prefix setting defends against this attack as follows:

  1. An unauthorized user learns the names of the HTTP headers, including the configured prefix.
  2. The malicious user sends a request to CA SiteMinder® Federation Standalone that already contains those headers.
  3. CA SiteMinder® Federation Standalone recognizes that headers carrying the prefix in an incoming request cannot have been generated internally, so it removes them before forwarding the request.
  4. Only then does CA SiteMinder® Federation Standalone add the prefix to each of its own, legitimate headers and pass them to the target application. The application therefore receives a prefixed header only when CA SiteMinder® Federation Standalone produced it.

The prefix stops spoofing only for requests that pass through CA SiteMinder® Federation Standalone. The target application must accept requests from the proxy alone; a client that can reach the application directly can still supply any header it likes.
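The strip-then-add logic described above, as an added Python illustration that is not CA SiteMinder® Federation Standalone code. The prefix value SM_FED_, the header names, the attribute values and the function names are constructed for the example; the product's own internal behavior is documented only at the level of the steps above.

```python
"""Illustration of the HTTP Header Prefix defence at a relying-party proxy.

Added example, not CA SiteMinder(R) Federation Standalone code. The prefix
value, header names and attribute values below are constructed samples.
"""


def build_backend_headers(incoming, assertion_attrs, prefix):
    """Return the headers the proxy forwards to the target application.

    incoming        -- headers as received from the client (name -> value)
    assertion_attrs -- attributes from a consumed SAML assertion
                       (name -> value), or None when no assertion was
                       consumed on this request
    prefix          -- the configured HTTP Header Prefix ("" if unset)
    """
    forwarded = {}
    for name, value in incoming.items():
        # HTTP header names are case-insensitive, so the prefix check must
        # be too; otherwise "sm_fed_mail" would slip past a check for
        # "SM_FED_". With no prefix configured nothing can be recognised
        # as proxy-generated, so nothing is stripped.
        if prefix and name.lower().startswith(prefix.lower()):
            continue  # client-supplied header impersonating the proxy: drop
        forwarded[name] = value

    # Only after stripping does the proxy add its own, legitimate headers,
    # each carrying the prefix the target application is configured to trust.
    if assertion_attrs:
        for attr, value in assertion_attrs.items():
            forwarded[prefix + attr] = value
    return forwarded


def has_prefixed_header(headers, prefix):
    """True if any header name carries the prefix (case-insensitive)."""
    return any(n.lower().startswith(prefix.lower()) for n in headers)


PREFIX = "SM_FED_"  # hypothetical HTTP Header Prefix value

# Constructed client request: a user with no assertion forges two headers
# whose names match what the application expects from the proxy.
SPOOFED_REQUEST = {
    "Host": "app.example.com",
    "User-Agent": "curl/8.0",
    "sm_fed_mail": "alice@example.com",
    "SM_FED_role": "admin",
}

# Constructed attributes from a legitimately consumed assertion.
ASSERTION_ATTRS = {"mail": "bob@example.com", "role": "user"}


def unprotected_forwarding():
    """Prefix unset, no assertion consumed: the forged headers reach the app."""
    return build_backend_headers(SPOOFED_REQUEST, None, "")


def protected_forwarding_no_assertion():
    """Prefix set, no assertion consumed: forged headers are stripped."""
    return build_backend_headers(SPOOFED_REQUEST, None, PREFIX)


def protected_forwarding_with_assertion():
    """Prefix set, assertion consumed: only the proxy's own values survive."""
    return build_backend_headers(SPOOFED_REQUEST, ASSERTION_ATTRS, PREFIX)


if __name__ == "__main__":
    for label, fn in [("no prefix", unprotected_forwarding),
                      ("prefix, no assertion", protected_forwarding_no_assertion),
                      ("prefix, assertion", protected_forwarding_with_assertion)]:
        print(f"{label}: {fn()}")
```

The first case shows why the setting matters: with no prefix configured the proxy has no way to tell a forged header from its own, so the client's SM_FED_role: admin reaches the application untouched. The other two cases show that stripping must happen before the proxy adds its own headers and must compare names case-insensitively, since HTTP treats header names as case-insensitive and a backend will read sm_fed_mail and SM_FED_mail as the same header.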

To set the HTTP Header Prefix

  1. Navigate to Infrastructure, Deployment Settings.
  2. Enter any valid string as a prefix in the HTTP Header Prefix field. Choose a prefix that clients and intermediaries are unlikely to use on their own headers, because every incoming header whose name begins with it is removed.

    You only see this field if you enabled Proxy Mode when installing CA SiteMinder® Federation Standalone.

  3. Save your changes.