To set up your single sign-on environment, use the following process:
If you set the timeout parameters without requiring cookies, the Web Agent functions normally; however, it cannot enforce the timeouts. If the Web Agent requires cookies but the user’s browser does not accept them, the user will be denied access to all protected resources.
Note: For more information, see the Policy Server documentation.
If you set this parameter to no, the cookies last for only one browser session.
http://server.domain:port/siteminderagent/SmMakeCookie.ccc
where server.domain:port is the fully qualified domain name of the Web Server where the Web Agent acting as the cookie provider resides, such as myserver.mysite.com. The cookie provider name must have a .ccc extension.
You can control whether SiteMinder requires cookies with the following parameter:
Specifies whether SiteMinder requires cookies. SiteMinder requires cookies for the following functions:
When the value of this parameter is yes, the agent requires one of the following cookies to process HTTP requests:
When the value of this parameter is no, the following conditions could occur:
Important! If the agent requires cookies, instruct your users to accept HTTP cookies in their browsers. Otherwise, the users are denied access to all protected resources.
Default: Yes
To require cookies, set the value of the RequireCookies parameter to yes.
If you want to use single sign-on for multiple browser sessions, use persistent cookies. The following steps describe one possible use for persistent cookies:
Persistent cookies remain valid for the configured maximum session time-out plus seven days. Many browsers delete the cookie file of the web browser after the cookie expires. Some browsers possibly handle persistent cookies differently.
Follow these steps:
The SMSESSION cookies are persistent.
The SMIDENTITY cookies are persistent.
The CookieDomain parameter defines the cookie domain of the server where you installed the agent. You can modify the domain by setting the following parameter:
Defines the cookie domain of the agent. Use a fully qualified domain name with at least two periods. For example, the setting .example.com cookie domain matches the following servers:
All web servers in this domain can exchange cookies with a browser. Servers in the same cookie domain use cookies to verify the credentials of a user.
When the parameter value is none, the agent generates cookies only for its own server. For example, myserver.example.com.
If the value is blank (or contains "" in a local configuration file), the agent uses the domain information in the HTTP_HOST header. The agent then bases the value using the setting in the CookieDomainScope parameter.
Default: Empty
Example: .example.com
Limits: This value is case-sensitive. This value requires a fully qualified domain name with at least two periods, as shown in the previous example.
Note: This value is case-sensitive.
Follow these steps:
Specifies the number of sections (characters with periods between them) in the domain name.
When the value is set to 0, the default, the agent chooses the most specific cookie domain for the host without making a server-only cookie. This means that the cookie domain myserver.example.com yields a domain of example.com, and myserver.metals.example.org yields a domain of .metals.example.org.
If the CookieDomainScope parameter is set to 2, the cookie domain would be .example.com and .example.org respectively.
Default: 0
Example: Suppose that your cookie domain is division.example.com. To set the scope of the cookie domain for server.division.example.com, set the value of the CookieDomainScope parameter to 3.
To have the other agents in your SSO environment use a cookie provider, specify the location of the agent that is acting as a cookie provider with the following parameter:
Specifies the URL of the web server where the agent that is acting as the cookie provider resides.
A cookie provider is an agent in a single sign-on environment. The cookie provider sets a browser cookie for the local domain in which it exists. After this cookie is set, users can navigate throughout the single sign-on environment without reauthenticating.
The cookie provider name requires a .ccc extension, as shown in the following examples:
http://server.domain:port/siteminderagent/SmMakeCookie.ccc
http://server.domain:port/SmMakeCookie.ccc
This parameter also affects the following parameters:
Default: No default
Example: (IIS, Oracle iPlanet, and Domino web servers) http://server1.example.com:80/siteminderagent/SmMakeCookie.ccc
Example: (Apache and Apache-based web servers) http://server1.example.com:80/SmMakeCookie.ccc
Limits: This parameter requires a fully qualified domain name.
Follow these steps:
The cookie provider is specified.
You can specify how often the Web Agent redirects a request to the Cookie Provider to set a new cookie with the following parameter:
Specifies how often (in seconds) a Web Agent redirects a request to the Cookie Provider to set a new cookie. Refreshing the master cookie decreases the possibility that it will expire due to an idle time-out of the SiteMinder session.
Default: 60
To modify the session update period
The session update period is changed.
Session cookies are stored on the client computer of the end user. You can increase the security of your environment by having SiteMinder create session cookies that are stored in the SiteMinder session store. Storing session cookies in the SiteMinder session store prevents anyone with access to the following items from copying a session cookie from a client computer and then attempting a replay attack:
You can control where SiteMinder stores its session cookies by setting the following parameter:
Specifies whether session cookies are stored on the client computer, or in the SiteMinder session store. When the value of the StoreSessioninServer parameter is yes, a session cookie is created and stored on the session store. Cookie providers and Web Agents access the cookie from the session store.
Cookie providers and Web Agents replace the session cookie in a URL with a GUID that corresponds to the session cookie stored on the session store.
When the value of the StoreSessioninServer parameter is no, the session cookie is passed directly in the URL.
Default: No
Follow these steps:
You can reduce the risk that unauthorized users may hijack and attempt to reuse SiteMinder session cookies by having SiteMinder validate the domain of a session cookie with the following parameter:
Instructs the Web Agent to encrypt and store the intended domain of a session cookie within the session cookie itself. During subsequent requests, the Web Agent compares the intended domain stored within the session cookie against the domain of the requested resource. If the domains do not match, the Web Agent rejects the request.
For example, when the value of this parameter is set to yes, session cookies intended for operations.example.com are rejected when presented at finance.example.com.
In SiteMinder environments using SSO, set this parameter on the Web Agent that creates the encrypted session cookie. For example, suppose your SSO environment has domains named a.example.com and b.example.com. If the Web Agent protecting a.example.com encrypts the session cookie, set the value of the TrackSessionDomain parameter of the associated Web Agent. When the Web Agent protecting b.example.com receives the cookie, it compares the intended domain stored in the cookie against the domain of the requested resource.
Default: No
To have SiteMinder validate the domain of a session cookie, set the value of the TrackSessionDomain parameter to yes.
Some Web applications, such as Microsoft Outlook Web Access, make HTTP requests behind the scenes even when a user is not actively using the application. For example, the Web Access application makes HTTP requests even when the user is not actively checking for new email on the server.
These requests may update the SMSESSION cookie so that the session never expires, even though the user has been idle. You can prevent the Web Agent from creating or updating session cookies during these background requests so that sessions expire normally.
Configure the following parameters:
Specifies whether the Web Agent compares the request method of all HTTP requests against the methods listed in this parameter. If a match occurs, the Web Agent does not create or update an SMSESSION cookie. Also, cookie providers (if configured) are not updated for that request.
Default: No default
Specifies whether the Web Agent compares the URLs from all HTTP requests against the URLs listed in this parameter. If a match occurs, the Web Agent does not create or update an SMSESSION cookie. Also, cookie providers (if configured) are not updated for that request.
Default: No default
Example: Use a relative URL, such as /MyDocuments/index.html. Do not use an absolute URL (http://fqdn.host/MyDocuments/index.html)
Note: If you configure both of the previous parameters, the methods are processed before the URLs.
If enabled, the Web Agent does not create cookies for any of the URLs under the directory that is specified in OverlookSessionForUrls.
Default: No
Values: Yes, No
Example: If you specify /siteminder in OverlookSessionForUrls and if you set OverlookSessionAsPattern to Yes, then cookies are not generated for any /siteminder/* requests.
Some Web applications, such as Microsoft Outlook Web Access, make HTTP requests behind the scenes even when a user is not actively using the application. For example, the Web Access application makes HTTP requests even when the user is not actively checking for new email on the server.
These requests update the SMSESSION cookie so that the session never expires, even though the user has been idle. You can prevent the Web Agent from creating or updating session cookies during these background requests so that sessions expire typically.
To prevent creation or updates based on method and URI
Specifies whether the Web Agent compares the request method of all HTTP requests against the methods listed in this parameter. If a match occurs, the Web Agent does not create or update an SMSESSION cookie. Also, cookie providers (if configured) are not updated for that request.
Default: No default
Specifies whether the Web Agent compares the method and the URI from all HTTP requests against the method and URI listed in this parameter. If a match occurs, the Web Agent does not create or update an SMSESSION cookie. Cookie providers (if configured) are not updated for that request.
Default: No default.
Limits: Specify a relative URI
Example: POST, /directory/file prevents updates to the SMSESSION cookie for POST requests to /directory/resource.
Note: Methods are processed before URIs.
You can specify that session cookies are only sent between a protected web server and the requesting browser over secure (HTTPS) connections using the following parameter:
Sends cookies to web servers using secure (HTTPS) connections. Enable this parameter to increase security between browsers and web servers.
When this setting is enabled, users in single sign-on environments who move from an SSL web server to a non-SSL web server will have to reauthenticate. Secure cookies cannot be passed over traditional HTTP connections.
Default: No
To send cookies over SSL connections, set the UseSecureCookies parameter to yes.
Setting the UseSecureCookies parameter configures a Web Agent to only return a local cookie to a requesting browser session if the connection between them is secure (HTTPS); if the Web Agent is also configured as a cookie provider, UseSecureCookies does not apply to redirected requests for access to resources in other cookie domains.
To configure a Web Agent acting as a cookie provider to only return cookies to a Web Agent in another cookie domain if that Web Agent is also configured to use secure cookies, you must enable UseSecureCookies and also configure the following parameter:
If UseSecureCPCookies is set to Yes, the cookie provider will only send a cookie to a Web Agent in another cookie domain that is also configured to use secure cookies (that is, UseSecureCookies is enabled).
When this setting and UseSecureCookies are both enabled, users in a multiple domain single sign-on environment who move from an SSL web server to a non-SSL web server in another cookie domain will have to reauthenticate. Secure cookies cannot be passed over traditional HTTP connections.
Default: No
To send cookies over SSL connections across multiple domains, set the UseSecureCookies and UseSecureCPCookies to yes on the cookie provider.
The TransientIDCookies parameter specifies whether or not the Agent identity cookie (SMIDENTITY) is transient or persistent.
Persistent cookies are written to a client system’s hard disk. Prior to Web Agent 5.x QMR1, persistent cookies remained valid for 7 days. Beginning with Web Agent 5.x QMR1, persistent cookies remain valid for the configured maximum session timeout plus 7 days. (The maximum session timeout is set in the Administrative UI.) Typically, a persistent cookie is deleted from a Web browser’s cookie file after the cookie expires; however, browsers may handle persistent cookies differently. By default, the Web Agent does not use persistent cookies. It uses transient cookies.
If you want to use single sign-on for multiple browser sessions, use persistent cookies. If you set persistent cookies, a user can end their browser session before a SiteMinder session expires then start a new browser session and still have single sign-on capability.
Whereas persistent cookies are written to a hard disk, transient cookies are not written to the hard disk and they are not subject to configured session time-outs. Transient cookies will remain in your cookie folder.
Set TransientIDCookies to no, if you want the identity cookie to be persistent. Leave the default value set to yes, if you want the identity cookie to be transient.
Be sure to set the corresponding IP Check.
Web pages usually consist of many resources, all of which are potentially protected by the Web Agent. For each resource associated with a single request, a session cookie is generated. To eliminate the overhead of generating multiple session cookies for a single user request, set the following parameter:
Specifies the number of seconds during which a SiteMinder session (SMSESSION) cookie will not be regenerated. Cookies are not regenerated when all of the following conditions are met:
Default: 30
To modify the session grace period
The session grace period is changed.
Note: Session timeouts are part of configuring a realm, which you do using the Administrative UI. For further instructions on configuring session timeouts, see the Policy Server documentation.
|
Copyright © 2012 CA.
All rights reserved.
|
|