Previous Topic: Single Sign-On Across Multiple Cookie DomainsNext Topic: Set a Time-out for Saved Credentials


How to Configure Single Sign-On

To set up your single sign-on environment, use the following process:

  1. Decide which cookie domains comprise the single sign-on environment.
  2. Decide which cookie domain within the single sign-on environment will be the cookie provider domain.
  3. Access the Agent Configuration Object (using the Administrative UI) or open the Web Agent configuration file (on your web server), and modify the parameters in the following steps:
    1. Set the RequireCookies parameter to yes.

      If you set the timeout parameters without requiring cookies, the Web Agent functions normally; however, it cannot enforce the timeouts. If the Web Agent requires cookies but the user’s browser does not accept them, the user will be denied access to all protected resources.

      Note: For more information, see the Policy Server documentation.

    2. If you want the cookies to last until the configured session timeout, set the PersistentCookies parameter to yes.

      If you set this parameter to no, the cookies last for only one browser session.

    3. For the CookieDomain parameter, verify that this is the local cookie domain of the system on which the Web Agent is installed, such as .mycompany.com. Modify the domain, if necessary. This value is case-sensitive.
    4. Set the CookieProvider parameter to the cookie provider domain using the appropriate syntax as follows:

      http://server.domain:port/siteminderagent/SmMakeCookie.ccc

      where server.domain:port is the fully qualified domain name of the Web Server where the Web Agent acting as the cookie provider resides, such as myserver.mysite.com. The cookie provider name must have a .ccc extension.

    5. Make sure the cookie provider is configured with the proper associated MIME type (.ccc).
    6. Enable the proper type IP checking (to compare IP addresses) if you enabled persistent or transient cookies.
  4. (Optional) Modify any other single sign-on settings.
  5. If you edited parameters by modifying the Web Agent configuration file, restart the web server, so that the changes take effect.

More Information

Configure MIME Types for Each Credential Collector

Compare IP Addresses to Prevent Security Breaches

Require Cookies for Basic Authentication

You can control whether SiteMinder requires cookies with the following parameter:

RequireCookies

Specifies whether SiteMinder requires cookies. SiteMinder requires cookies for the following functions:

When the value of this parameter is yes, the agent requires one of the following cookies to process HTTP requests:

When the value of this parameter is no, the following conditions could occur:

Important! If the agent requires cookies, instruct your users to accept HTTP cookies in their browsers. Otherwise, the users are denied access to all protected resources.

Default: Yes

To require cookies, set the value of the RequireCookies parameter to yes.

Set Persistent Cookies

If you want to use single sign-on for multiple browser sessions, use persistent cookies. The following steps describe one possible use for persistent cookies:

  1. Users authenticate with SiteMinder, but end their browser sessions before the SiteMinder session expires.
  2. Users start new browser sessions later, but the persistent cookie maintains their single-sign on capability.

Persistent cookies remain valid for the configured maximum session time-out plus seven days. Many browsers delete the cookie file of the web browser after the cookie expires. Some browsers possibly handle persistent cookies differently.

Follow these steps:

  1. Set the PersistentCookies parameter to yes.

    The SMSESSION cookies are persistent.

  2. Set the TransientIDCookies parameter to no.

    The SMIDENTITY cookies are persistent.

Specify the Cookie Domain

The CookieDomain parameter defines the cookie domain of the server where you installed the agent. You can modify the domain by setting the following parameter:

CookieDomain

Defines the cookie domain of the agent. Use a fully qualified domain name with at least two periods. For example, the setting .example.com cookie domain matches the following servers:

All web servers in this domain can exchange cookies with a browser. Servers in the same cookie domain use cookies to verify the credentials of a user.

When the parameter value is none, the agent generates cookies only for its own server. For example, myserver.example.com.

If the value is blank (or contains "" in a local configuration file), the agent uses the domain information in the HTTP_HOST header. The agent then bases the value using the setting in the CookieDomainScope parameter.

Default: Empty

Example: .example.com

Limits: This value is case-sensitive. This value requires a fully qualified domain name with at least two periods, as shown in the previous example.

Note: This value is case-sensitive.

Follow these steps:

  1. Set the value of the CookieDomain parameter.
  2. (Optional) Set the value of the CookieDomainScope parameter.
    CookieDomainScope

    Specifies the number of sections (characters with periods between them) in the domain name.

    When the value is set to 0, the default, the agent chooses the most specific cookie domain for the host without making a server-only cookie. This means that the cookie domain myserver.example.com yields a domain of example.com, and myserver.metals.example.org yields a domain of .metals.example.org.

    If the CookieDomainScope parameter is set to 2, the cookie domain would be .example.com and .example.org respectively.

    Default: 0

    Example: Suppose that your cookie domain is division.example.com. To set the scope of the cookie domain for server.division.example.com, set the value of the CookieDomainScope parameter to 3.

Specify the Cookie Provider

To have the other agents in your SSO environment use a cookie provider, specify the location of the agent that is acting as a cookie provider with the following parameter:

CookieProvider

Specifies the URL of the web server where the agent that is acting as the cookie provider resides.

A cookie provider is an agent in a single sign-on environment. The cookie provider sets a browser cookie for the local domain in which it exists. After this cookie is set, users can navigate throughout the single sign-on environment without reauthenticating.

The cookie provider name requires a .ccc extension, as shown in the following examples:

This parameter also affects the following parameters:

Default: No default

Example: (IIS, Oracle iPlanet, and Domino web servers) http://server1.example.com:80/siteminderagent/SmMakeCookie.ccc

Example: (Apache and Apache-based web servers) http://server1.example.com:80/SmMakeCookie.ccc

Limits: This parameter requires a fully qualified domain name.

Follow these steps:

  1. Set the CookieProvider parameter to the URL of the web server that is acting as a cookie provider.
  2. Verify that the value of the CCCExt parameter is set to .ccc
  3. Add the .ccc extension to the values in the IgnoreExt parameter.
  4. (Optional) Modify the session update period.
  5. Repeat Steps 1 through 4 on all web agents in your SSO environment that are not cookie providers.

    The cookie provider is specified.

More Information

Configure MIME Types for Each Credential Collector

Modify the Session Update Period

You can specify how often the Web Agent redirects a request to the Cookie Provider to set a new cookie with the following parameter:

SessionUpdatePeriod

Specifies how often (in seconds) a Web Agent redirects a request to the Cookie Provider to set a new cookie. Refreshing the master cookie decreases the possibility that it will expire due to an idle time-out of the SiteMinder session.

Default: 60

To modify the session update period

  1. Make sure the CookieProvider parameter is defined.
  2. Change the number of seconds in the SessionUpdatePeriod parameter to reflect the interval you want.

    The session update period is changed.

Store Session Cookies on the Session Store for Improved Security

Session cookies are stored on the client computer of the end user. You can increase the security of your environment by having SiteMinder create session cookies that are stored in the SiteMinder session store. Storing session cookies in the SiteMinder session store prevents anyone with access to the following items from copying a session cookie from a client computer and then attempting a replay attack:

You can control where SiteMinder stores its session cookies by setting the following parameter:

StoreSessioninServer

Specifies whether session cookies are stored on the client computer, or in the SiteMinder session store. When the value of the StoreSessioninServer parameter is yes, a session cookie is created and stored on the session store. Cookie providers and Web Agents access the cookie from the session store.

Cookie providers and Web Agents replace the session cookie in a URL with a GUID that corresponds to the session cookie stored on the session store.

When the value of the StoreSessioninServer parameter is no, the session cookie is passed directly in the URL.

Default: No

Follow these steps:

  1. Verify that your environment meets the following conditions:
  2. In your Web Agents and cookie provider, set the value of the StoreSessioninServer parameter to yes.
Validate a Session Cookie Domain

You can reduce the risk that unauthorized users may hijack and attempt to reuse SiteMinder session cookies by having SiteMinder validate the domain of a session cookie with the following parameter:

TrackSessionDomain

Instructs the Web Agent to encrypt and store the intended domain of a session cookie within the session cookie itself. During subsequent requests, the Web Agent compares the intended domain stored within the session cookie against the domain of the requested resource. If the domains do not match, the Web Agent rejects the request.

For example, when the value of this parameter is set to yes, session cookies intended for operations.example.com are rejected when presented at finance.example.com.

In SiteMinder environments using SSO, set this parameter on the Web Agent that creates the encrypted session cookie. For example, suppose your SSO environment has domains named a.example.com and b.example.com. If the Web Agent protecting a.example.com encrypts the session cookie, set the value of the TrackSessionDomain parameter of the associated Web Agent. When the Web Agent protecting b.example.com receives the cookie, it compares the intended domain stored in the cookie against the domain of the requested resource.

Default: No

To have SiteMinder validate the domain of a session cookie, set the value of the TrackSessionDomain parameter to yes.

Prevent Session Cookie Creation or Updates

Some Web applications, such as Microsoft Outlook Web Access, make HTTP requests behind the scenes even when a user is not actively using the application. For example, the Web Access application makes HTTP requests even when the user is not actively checking for new email on the server.

These requests may update the SMSESSION cookie so that the session never expires, even though the user has been idle. You can prevent the Web Agent from creating or updating session cookies during these background requests so that sessions expire normally.

Configure the following parameters:

OverlookSessionForMethods

Specifies whether the Web Agent compares the request method of all HTTP requests against the methods listed in this parameter. If a match occurs, the Web Agent does not create or update an SMSESSION cookie. Also, cookie providers (if configured) are not updated for that request.

Default: No default

OverlookSessionForUrls

Specifies whether the Web Agent compares the URLs from all HTTP requests against the URLs listed in this parameter. If a match occurs, the Web Agent does not create or update an SMSESSION cookie. Also, cookie providers (if configured) are not updated for that request.

Default: No default

Example: Use a relative URL, such as /MyDocuments/index.html. Do not use an absolute URL (http://fqdn.host/MyDocuments/index.html)

Note: If you configure both of the previous parameters, the methods are processed before the URLs.

OverlookSessionAsPattern

If enabled, the Web Agent does not create cookies for any of the URLs under the directory that is specified in OverlookSessionForUrls.

Default: No

Values: Yes, No

Example: If you specify /siteminder in OverlookSessionForUrls and if you set OverlookSessionAsPattern to Yes, then cookies are not generated for any /siteminder/* requests.

Prevent Session Cookie Creation or Updates Based on Method and URI

Some Web applications, such as Microsoft Outlook Web Access, make HTTP requests behind the scenes even when a user is not actively using the application. For example, the Web Access application makes HTTP requests even when the user is not actively checking for new email on the server.

These requests update the SMSESSION cookie so that the session never expires, even though the user has been idle. You can prevent the Web Agent from creating or updating session cookies during these background requests so that sessions expire typically.

To prevent creation or updates based on method and URI

  1. Set all the following parameters:
    OverlookSessionForMethods

    Specifies whether the Web Agent compares the request method of all HTTP requests against the methods listed in this parameter. If a match occurs, the Web Agent does not create or update an SMSESSION cookie. Also, cookie providers (if configured) are not updated for that request.

    Default: No default

    OverlookSessionForMethodUri

    Specifies whether the Web Agent compares the method and the URI from all HTTP requests against the method and URI listed in this parameter. If a match occurs, the Web Agent does not create or update an SMSESSION cookie. Cookie providers (if configured) are not updated for that request.

    Default: No default.

    Limits: Specify a relative URI

    Example: POST, /directory/file prevents updates to the SMSESSION cookie for POST requests to /directory/resource.

    Note: Methods are processed before URIs.

Set Secure Cookies

You can specify that session cookies are only sent between a protected web server and the requesting browser over secure (HTTPS) connections using the following parameter:

UseSecureCookies

Sends cookies to web servers using secure (HTTPS) connections. Enable this parameter to increase security between browsers and web servers.

When this setting is enabled, users in single sign-on environments who move from an SSL web server to a non-SSL web server will have to reauthenticate. Secure cookies cannot be passed over traditional HTTP connections.

Default: No

To send cookies over SSL connections, set the UseSecureCookies parameter to yes.

More information:

Set Secure Cookies Across Multiple Domains

Set Secure Cookies Across Multiple Domains

Setting the UseSecureCookies parameter configures a Web Agent to only return a local cookie to a requesting browser session if the connection between them is secure (HTTPS); if the Web Agent is also configured as a cookie provider, UseSecureCookies does not apply to redirected requests for access to resources in other cookie domains.

To configure a Web Agent acting as a cookie provider to only return cookies to a Web Agent in another cookie domain if that Web Agent is also configured to use secure cookies, you must enable UseSecureCookies and also configure the following parameter:

UseSecureCPCookies

If UseSecureCPCookies is set to Yes, the cookie provider will only send a cookie to a Web Agent in another cookie domain that is also configured to use secure cookies (that is, UseSecureCookies is enabled).

When this setting and UseSecureCookies are both enabled, users in a multiple domain single sign-on environment who move from an SSL web server to a non-SSL web server in another cookie domain will have to reauthenticate. Secure cookies cannot be passed over traditional HTTP connections.

Default: No

To send cookies over SSL connections across multiple domains, set the UseSecureCookies and UseSecureCPCookies to yes on the cookie provider.

More information:

Set Secure Cookies

Control Identity Cookies

The TransientIDCookies parameter specifies whether or not the Agent identity cookie (SMIDENTITY) is transient or persistent.

Persistent cookies are written to a client system’s hard disk. Prior to Web Agent 5.x QMR1, persistent cookies remained valid for 7 days. Beginning with Web Agent 5.x QMR1, persistent cookies remain valid for the configured maximum session timeout plus 7 days. (The maximum session timeout is set in the Administrative UI.) Typically, a persistent cookie is deleted from a Web browser’s cookie file after the cookie expires; however, browsers may handle persistent cookies differently. By default, the Web Agent does not use persistent cookies. It uses transient cookies.

If you want to use single sign-on for multiple browser sessions, use persistent cookies. If you set persistent cookies, a user can end their browser session before a SiteMinder session expires then start a new browser session and still have single sign-on capability.

Whereas persistent cookies are written to a hard disk, transient cookies are not written to the hard disk and they are not subject to configured session time-outs. Transient cookies will remain in your cookie folder.

Set TransientIDCookies to no, if you want the identity cookie to be persistent. Leave the default value set to yes, if you want the identity cookie to be transient.

Be sure to set the corresponding IP Check.

More Information

Compare IP Addresses to Prevent Security Breaches

Modify the Session Grace Period

Web pages usually consist of many resources, all of which are potentially protected by the Web Agent. For each resource associated with a single request, a session cookie is generated. To eliminate the overhead of generating multiple session cookies for a single user request, set the following parameter:

SessionGracePeriod

Specifies the number of seconds during which a SiteMinder session (SMSESSION) cookie will not be regenerated. Cookies are not regenerated when all of the following conditions are met:

Default: 30

To modify the session grace period

  1. Change the value of the SessionGracePeriod parameter.
  2. If you increased the setting for the SessionGracePeriod parameter in Step 1, use the Administrative UI to ensure both of the following values in all of your realms do not exceed the value of the SessionGracePeriod parameter:

    The session grace period is changed.

    Note: Session timeouts are part of configuring a realm, which you do using the Administrative UI. For further instructions on configuring session timeouts, see the Policy Server documentation.