A session scheme determines how a user identity is maintained and provides single sign-on during a session.
CA SiteMinder® SPS provides the following out-of-the-box session schemes that you can configure:
You can create custom session schemes too. You can define multiple session schemes. You can associate session schemes with user agent types for each configured virtual host, and create a session scheme mapping. Each session scheme must be associated with a Java class file that defines the session behavior. If you do not define a session scheme for a user agent, the default session scheme is used.
The following table illustrates the scenarios in which each session scheme is used. The session schemes are based on the sensitivity of resources on a virtual host.
| Session Scheme | Security Level | Recommendation |
|---|---|---|
| SSL Session ID | High | This scheme provides a clean and highly secure means of holding user sessions. Although the most secure of the available schemes, it is limited in scalability. All content must be served over SSL and the user must continue to access the same CA SiteMinder® SPS server for the session to persist. Also, some browsers (some versions of IE), by default, terminate the SSL session after 2 minutes. This scheme is ideal for intranet and extranet applications with high security needs. |
| SiteMinder Cookies | Medium or High | This scheme is the traditional SiteMinder session mechanism, which has proven highly secure in many enterprise deployments. For maximum security, the WebAgent SecureCookie setting is set to "Yes". |
| IP Address | Low | This scheme is only for applications where users are retrieving information (with HTTP GET) from protected resources and not sending (with HTTP POST) information to a secure application. An example of an appropriate application would be an online library. An example of an inappropriate application would be a bond trading application. |
| Mini-Cookies | Medium or High | This scheme is ideal for applications where user clients accept cookies but are accessing the application over connections of limited speed and bandwidth. For maximum security, the WebAgent SecureCookie setting is set to "Yes". |
| Simple URL Rewriting | Medium | This scheme is ideal for environments that do not support or want to use cookies. |
| Device ID | Medium | This scheme is designed for wireless environments where a device ID is sent with every client request to identify a user. |
The default session scheme is the scheme that CA SiteMinder® SPS uses to establish and maintain user sessions when no other scheme is specified for a user agent type. You must configure a default session scheme. You can configure the default session scheme to use any available session scheme.
You can configure the default session scheme manually or using Administrative UI.
To configure manually, perform the following steps:
Indicates the Java class that contains the default session scheme.
Default: com.netegrity.proxy.session.SSLIdSessionScheme
Indicates that if a user agent type is associated with the SiteMinder cookies session scheme, users that access resources through that user agent type maintain their sessions using traditional CA SiteMinder® cookies. CA SiteMinder® uses cookies to track sessions, so a cookie scheme is supported by CA SiteMinder® SPS. Select the option to let the session scheme accept SMSESSION cookies.
To configure using Administrative UI, perform the following steps:
Indicates the Java class that contains the default session scheme.
Default: com.netegrity.proxy.session.SSLIdSessionScheme
Indicates that if a user agent type is associated with the SiteMinder cookies session scheme, users that access resources through that user agent type maintain their sessions using traditional CA SiteMinder® cookies. CA SiteMinder® uses cookies to track sessions, so a cookie scheme is supported by CA SiteMinder® SPS. Select the option to let the session scheme accept SMSESSION cookies.
A secure sockets layer (SSL) connection includes a unique ID that is created when an SSL connection is initiated. CA SiteMinder® SPS can use the unique ID as a token to refer to the session information of a user that is maintained in the in-memory session store. This scheme eliminates cookies as a mechanism for maintaining a user session. SSL ID session schemes can be supported using the Java classes that are packaged with CA SiteMinder® SPS.
Important! The limitation of the scheme is that the initial contact with CA SiteMinder® SPS establishes an SSL session ID. If a user's SSL session is interrupted, a new SSL connection is established. The user must be re-authenticated and re-authorized because the new SSL connection connects to a new server, even though it is a virtual server on the same system. Also, forms that are used by HTML Forms Authentication Schemes must be served from the same host name as the protected resource.
You can configure the settings manually or using Administrative UI.
To configure the settings manually, perform the following steps:
Specifies the Java class that handles SSL ID session schemes.
Default: com.netegrity.proxy.session.SSLIdSessionScheme
Specifies if SMSESSION cookies are accepted.
To configure using Administrative UI, perform the following steps:
Specifies the Java class that handles SSL ID session schemes.
Default: com.netegrity.proxy.session.SSLIdSessionScheme
Specifies if SMSESSION cookies are accepted.
You must enable SSL in the httpd.conf file of the Apache Web Server to configure the SSL ID session scheme. To modify httpd.conf, perform the following steps:
#SSLOptions +StdEnvVars +ExportCertData +CompatEnvVars
SSLOptions +StdEnvVars +ExportCertData
In environments where IP addresses are fixed, you can use an IP address to refer to a user's session information in the session store. This scheme eliminates cookies but may only be used in environments where a user is assigned a fixed IP address.
The mini-cookies session scheme stores session information in the CA SiteMinder® SPS in-memory session store and creates a cookie that contains an encrypted token that the CA SiteMinder® SPS returns to the user. The mini-cookie is a fraction of the size of a standard SiteMinder cookie and thus decreases the cost of access for devices such as wireless phones. It provides an alternative to standard SiteMinder cookies.
You can configure the settings manually or using Administrative UI.
To configure the settings manually, perform the following steps:
Specifies the Java class that handles the session scheme. If you want to use the default mini-cookies session scheme, do not modify the value.
Default: com.netegrity.proxy.session.MiniCookieSessionScheme
Specifies if SMSESSION cookies are accepted.
Defines the name of the mini-cookie that contains the token for the user session.
Note: This name is not configured using the same value for all the CA SiteMinder® SPS instances that provide single sign-on.
To configure using Administrative UI, perform the following steps:
Specifies the Java class that handles the session scheme. If you want to use the default mini-cookies session scheme, do not modify the value.
Default: com.netegrity.proxy.session.MiniCookieSessionScheme
Specifies if SMSESSION cookies are accepted.
Defines the name of the mini-cookie that contains the token for the user session.
Note: This name is not configured using the same value for all the CA SiteMinder® SPS instances that provide single sign-on.
Simple URL rewriting appends a token to the requested URL and tracks a user session. The token is used to retrieve session information from the in-memory session store.
The simple_url scheme supports simple URL rewriting that can be accomplished without any custom work.
Note: The CGI-based and FCC-based password schemes are supported with the simple_url session scheme.
Example
A user accesses a host and the user session is established through the simple URL rewriting session scheme. An initial request can look like the following example:
http://banking.company.com/index.html
If the user provides appropriate credentials and is authenticated and authorized, the URL requested by the user is rewritten and returned to the user in a form similar to the following:
http://banking.company.com/SMID=nnnnnnnnnn/index.html
nnnnnnnnnn
Represents a hashed, randomly generated token that CA SiteMinder® SPS uses to identify the user session.
Important! For the simple URL rewriting session scheme to work, any links defined in the enterprise must be relative links. If the links are absolute, the simple URL rewriting scheme fails. Also, the token that CA SiteMinder® SPS appends to a URL is stripped from the URL when the request is forwarded. The token is appended only at the CA SiteMinder® SPS interaction level so that it does not interfere with back-end server processing.
You can configure manually or using Administrative UI.
To configure manually, perform the following steps:
Specifies the Java class that defines the session scheme. Do not modify this directive if you want to use the cookieless rewriting session scheme.
Default: com.netegrity.proxy.session.SimpleURLSessionScheme
Indicates whether SMSESSION cookies are accepted.
Specifies the SiteMinder ID (SMID) session identifier.
To configure using Administrative UI, perform the following steps:
Specifies the Java class that handles the session scheme. If you want to use the cookieless rewriting session scheme, do not modify the value.
Default: com.netegrity.proxy.session.SimpleURLSessionScheme
Specifies if SMSESSION cookies are accepted.
Specifies the SiteMinder ID (SMID) session identifier.
Configure cookieless federation to let CA SiteMinder® SPS use rewritable session schemes such as simple URL session scheme in a federated environment.
Note: When a cookieless federation transaction is being processed by the CA SiteMinder® SPS federation gateway and the simple_url session scheme is used, the SMID is added to the request as a query parameter instead of appending to the URI.
Follow these steps:
cookielessfederation="yes"
Note: No separate post filter, such as the CookielessFedFilter needs to be enabled for the CA SiteMinder® SPS federation gateway. This functionality is provided out-of-the-box when you enable the federation gateway functionality. You have to enable this post filter when the CA SiteMinder® SPS is not acting as a federation gateway.
If you deploy CA SiteMinder® SPS in a federated environment, one of the session schemes you can use at the site that is producing assertions is a simple URL session scheme. If you use this scheme, you may be required to rewrite the links that direct the user to the appropriate site so that the session key is added to the link. In SiteMinder documentation, these links for SAML 1.x are called intersite transfer URLs. For SAML 2.0, these links are referred to as an unsolicited response or an AuthnRequest link.
To rewrite the links so that the session key information is added to the base of the URLs, a sample post filter, RewriteLinksPostFilter, is provided along with the CA SiteMinder® SPS filter examples. This filter can be compiled and attached to the appropriate proxy rule, which handles the forwards to the intersite transfer URL, unsolicited response, or AuthnRequest.
The RewriteLinksPostFilter provided with the CA SiteMinder® SPS is a sample filter. You must configure the filter to suit your requirements.
Note: If you use the simple_url session scheme for transactions involving the CA SiteMinder® SPS federation gateway, the session key (SMID) gets added to the request as a query parameter instead of being appended to the URI. However, the SMID gets added to the URI when the final target resource is accessed at the back-end server.
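The following added example (not part of the CA documentation or the SPS code base) models the two token placements described above: the `/SMID=token/` path segment that simple URL rewriting inserts after the host and strips before forwarding to the back end, and the query-parameter form used when the SPS federation gateway processes the request. It also shows why the "relative links only" caveat holds: a root-relative or absolute link resolved from a rewritten page no longer carries the token. The token value and the query parameter name `SMID` are assumptions.

```python
import re
from urllib.parse import urlsplit, urlunsplit, urljoin, parse_qsl, urlencode

# Constructed sample token; a real SMID is a hashed, random value issued by SPS.
SAMPLE_SMID = "4f9a1c7e2b"

# Matches the token segment that simple URL rewriting places right after the host.
_SMID_SEGMENT = re.compile(r"^/SMID=([^/]+)(/|$)")


def rewrite_url(url: str, smid: str) -> str:
    """Insert /SMID=<token>/ directly after the host, as simple_url does."""
    parts = urlsplit(url)
    path = parts.path or "/"
    return urlunsplit(parts._replace(path=f"/SMID={smid}{path}"))


def strip_smid(url: str):
    """Model of what the proxy does before forwarding to the back end:
    remove the token segment and return (backend_url, smid); smid is None
    when the request carries no token, i.e. the session cannot be looked up."""
    parts = urlsplit(url)
    m = _SMID_SEGMENT.match(parts.path)
    if not m:
        return url, None
    clean = parts.path[m.end(1):] or "/"
    return urlunsplit(parts._replace(path=clean)), m.group(1)


def follow_link(page_url: str, href: str):
    """Resolve a link found in a rewritten page and report whether the token
    survives. Only document-relative links inherit the /SMID=.../ segment;
    root-relative and absolute links drop it, which breaks the session."""
    target = urljoin(page_url, href)
    _, smid = strip_smid(target)
    return target, smid is not None


def federation_rewrite(url: str, smid: str) -> str:
    """Federation-gateway variant: the token travels as a query parameter
    rather than a path segment (parameter name 'SMID' is an assumption)."""
    parts = urlsplit(url)
    query = parse_qsl(parts.query, keep_blank_values=True) + [("SMID", smid)]
    return urlunsplit(parts._replace(query=urlencode(query)))


if __name__ == "__main__":
    page = rewrite_url("http://banking.company.com/index.html", SAMPLE_SMID)
    print(page, strip_smid(page))
    for href in ("account.html", "/account.html", "http://banking.company.com/x"):
        print(href, "->", follow_link(page, href))
```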
Some wireless devices have a unique device identification number. This number is sent as a header variable with any requests for resources. CA SiteMinder® SPS can use this device ID as a token to refer to session information in the session store.
You can configure the settings manually or using Administrative UI.
To configure manually, perform the following steps:
Specifies the Java class that handles the session scheme.
Default: com.netegrity.proxy.session.DeviceIdSessionScheme
Specifies if SMSESSION cookies are accepted.
Defines the vendor-specific device ID.
To configure using Administrative UI, perform the following steps:
Specifies the Java class that handles the session scheme.
Default: com.netegrity.proxy.session.DeviceIdSessionScheme
Specifies if SMSESSION cookies are accepted.
Defines the vendor-specific device ID.
Copyright © 2014 CA Technologies.
All rights reserved.