CA SiteMinder® Federation Standalone Guide › Delegated Authentication › How the Third Party WAM Passes the User Identity › Cookie Method for Passing User Identity

Cookie Method for Passing User Identity

CA SiteMinder® Federation Standalone can use a legacy or open format cookie to pass a user identity. The cookie contains a user login ID as one of its values.

Note: If you configure delegated authentication for use with the CA SiteMinder® Federation Standalone Agent for Windows Authentication, the Agent requires the use of the open format cookie. However, if the CA SiteMinder® Connector is also configured, the open format cookie option for delegated authentication is not available. The CA SiteMinder® Federation Standalone Windows Agent and the CA SiteMinder® Connector cannot coexist in a deployment.

Authentication can begin at the WAM system or at CA SiteMinder® Federation Standalone. If authentication begins at CA SiteMinder® Federation Standalone, it redirects the user to the WAM system, where the authentication process is the same as if it began at the WAM system.

The delegated authentication process is as follows:

1. An authentication request comes into to the third-party WAM system.
2. The user is authenticated.
3. The third-party WAM system obtains a cookie in one of two ways:
   • The WAM system uses the CA SiteMinder® Federation Standalone SDK to create a legacy cookie or an open format cookie. The SDK creates the cookie and sends it back in a request to the WAM system.

     Note: To create an open format cookie that is FIPS-encrypted, use a CA SiteMinder® Federation Standalone SDK.

     The third-party WAM application must use the same language as the SDK that it is using to create a cookie. If you are using the CA SiteMinder® Federation Standalone Java SDK, the third-party WAM application must be in Java. If you are using the .NET SDK, the third-party WAM application must support .NET.

   • The WAM system uses a manually created open format cookie.

     You can create an open format cookie without using a CA SiteMinder® Federation Standalone SDK. To create the open format cookie cookie manually, use any programming language that supports UTF-8 encoding and any of the following PBE encryption algorithms that CA SiteMinder® Federation Standalone uses for password-based encryption:

     • PBE/SHA1/AES/CBC/PKCS12PBE-1000-128
     • PBE/SHA1/AES/CBC/PKCS12PBE-1000-192
     • PBE/SHA1/AES/CBC/PKCS12PBE-1000-256
     • PBE/SHA256/AES/CBC/PKCS12PBE-1000-128
     • PBE/SHA256/AES/CBC/PKCS12PBE-1000-192
     • PBE/SHA256/AES/CBC/PKCS12PBE-1000-256
     • PBE/SHA1/3DES_EDE/CBC/PKCS12PBE-1000-3
     • PBE/SHA256/3DES_EDE/CBC/PKCS12PBE-1000-3

     You must also be sure that the open format cookie gets set in the user's browser.

     To write a complete cookie, review the details about the contents of the open format cookie.

   Note: The WAM system and CA SiteMinder® Federation Standalone must be in the same cookie domain.

4. The WAM system redirects the browser to CA SiteMinder® Federation Standalone.
5. CA SiteMinder® Federation Standalone extracts the login ID from the cookie then locates the user in its user directory.
6. CA SiteMinder® Federation Standalone creates a CA SiteMinder® Federation Standalone session.
7. After the session is created, federated communication with the relying party proceeds.

The following picture shows the cookie method when authentication is initiated at the third-party WAM.

Important! To use the legacy cookie or an SDK-created open format cookie, the third party must install a CA SiteMinder® Federation Standalone SDK. The SDK is a separately installed component from CA SiteMinder® Federation Standalone. The installation kit contains the documentation that describes how to use the SDK for delegated authentication.