Administration Guide › Using CA SiteMinder® SPS with Federation Security Services › Cookieless Federation

Cookieless Federation

Certain devices or environments cannot use cookies to establish user session and provide single sign-on.

One type of session scheme you can use in a federated environment is a cookieless scheme. The cookieless federation scheme is used to establish single sign-on. Verify that FWS-generated cookies (session and attribute) are not sent back to clients using mobile devices that do not support cookies.

Cookieless Federation at the Producing Site

At the site producing assertions, the process for a cookieless transaction is as follows:

1. CA SiteMinder® SPS verifies if cookieless federation is enabled for the virtual host requesting the redirect.
2. CA SiteMinder® SPS verifies if the session scheme is a rewritable scheme, such as the simple_url scheme.
3. If the scheme is rewritable, CA SiteMinder® SPS determines whether a session key has been created for the session and if this key is available to use.
4. CA SiteMinder® SPS checks to see if the Location header in the HTTP response meets one of the following conditions:
   • It is being rewritten.
   • It is the same as the host of the request.
5. CA SiteMinder® SPS rewrites the redirect response to include the session key information in the redirected URL.

Cookieless Federation at the Consuming Site

At the site consuming assertions, if cookieless federation is enabled, CA SiteMinder® SPS replacing the Web Agent processes redirects using SAML authentication at the backend server.

In a cookieless federation, CA SiteMinder® SPS processes the request as follows:

1. CA SiteMinder® SPS receives a request from cookieless device, such as a mobile phone.
2. CA SiteMinder® SPS verifies if the cookieless federation is enabled for the virtual host requesting the redirect.
3. CA SiteMinder® SPS then checks to see if the following conditions have been met:
   • The response from the backend server is a redirect.
   • The response contains an SMSESSION cookie.

   If these two conditions are met at the same time, it indicates that a SAML authentication has occurred at the backend server from the FWS application.

4. CA SiteMinder® SPS retrieves the session scheme being used.
5. CA SiteMinder® SPS creates an associated cookieless session and adds the session information to its session store.
6. If the session scheme is rewritable, such as a simple URL session scheme, CA SiteMinder® SPS rewrites the location header with the session key.
7. If CA SiteMinder® SPS determines that a cookieless federated session conversion has occurred, CA SiteMinder® SPS deletes the SMSESSION cookie from the response going to the browser.
8. CA SiteMinder® SPS then checks to see if attribute cookies should also be deleted. It does this by checking the deleteallcookiesforfed parameter. If this parameter is set to yes, CA SiteMinder® SPS deletes all the other cookies from the response going to the browser.

Enable Cookieless Federation at the Consuming Side

When CA SiteMinder® SPS replaces the Web Agent at the side consuming assertions, the cookieless federation parameters are enabled for any cookieless session scheme implemented by CA SiteMinder® SPS.

To enable cookieless federation for CA SiteMinder® SPS at the consuming side

1. Open noodle.properties file from sps_home/secure-proxy/Tomcat/properties.
2. Remove the '#' from the following two lines, and save the file.
   • filter._cookielessfederation_.class=org.tigris.noodle.filters.CookielessFedFilter
   • filter._cookielessfederation_.order=1

   The settings are saved.

3. Open the server.conf file located at sps_home/secure-proxy/proxy-engine/conf.
4. Add the following code to the virtual host section for the virtual host that is serving the FWS:

   cookielessfederation="yes"

5. Save the file.

   CA SiteMinder® SPS is configured for cookieless federation at the consuming partner.