

Configure the Session Scheme Settings

A session scheme determines how a user identity is maintained and provides single sign-on during a session.

CA SiteMinder® SPS provides the following out-of-the-box session schemes that you can configure (each is described in the table below):

    SSL Session ID
    SiteMinder Cookies
    IP Address
    Mini-Cookies
    Simple URL Rewriting
    Device ID

You can also create custom session schemes, and you can define multiple session schemes. For each configured virtual host, you can associate session schemes with user agent types to create a session scheme mapping. Each session scheme must be associated with a Java class file that defines the session behavior. If you do not define a session scheme for a user agent, the default session scheme is used.

Uses for Each Session Scheme

The following table describes the scenarios in which each session scheme is used. The security level of each scheme is matched to the sensitivity of the resources on a virtual host.

    SSL Session ID

    Security Level: High

    Recommendation: This scheme provides a clean and highly secure means of holding user sessions. Although it is the most secure of the available schemes, it is limited in scalability. All content must be served over SSL, and the user must continue to access the same CA SiteMinder® SPS server for the session to persist. Also, some browsers (some versions of IE) terminate the SSL session after 2 minutes by default. This scheme is ideal for intranet and extranet applications with high security needs.

    SiteMinder Cookies

    Security Level: Medium or High

    Recommendation: This scheme is the traditional SiteMinder session mechanism, which has proven highly secure in many enterprise deployments. For maximum security, the WebAgent SecureCookie setting is set to "Yes".

    IP Address

    Security Level: Low

    Recommendation: This scheme is only for applications where users retrieve information (with HTTP GET) from protected resources and do not send information (with HTTP POST) to a secure application. An example of an appropriate application is an online library. An example of an inappropriate application is a bond trading application.

    Mini-Cookies

    Security Level: Medium or High

    Recommendation: This scheme is ideal for applications where user clients accept cookies but access the application over connections of limited speed and bandwidth. For maximum security, the WebAgent SecureCookie setting is set to "Yes".

    Simple URL Rewriting

    Security Level: Medium

    Recommendation: This scheme is ideal for environments that do not support, or do not want to use, cookies.

    Device ID

    Security Level: Medium

    Recommendation: This scheme is designed for wireless environments where a device ID is sent with every client request to identify a user.

Configure the Default Session Scheme

The default session scheme is the scheme that CA SiteMinder® SPS uses to establish and maintain user sessions when no other scheme is specified for a user agent type. You must configure a default session scheme. You can configure the default session scheme to use any available session scheme.

You can configure the default session scheme manually or using Administrative UI.

To configure manually, perform the following steps:

  1. Open the server.conf file.
  2. Navigate to the <SessionScheme name="default"> section.
  3. Configure the following parameters:
    Class

    Indicates the Java class that contains the default session scheme.

    Default: com.netegrity.proxy.session.SSLIdSessionScheme

    accepts_smsession_cookies

    Specifies whether the session scheme accepts SMSESSION cookies. If a user agent type is associated with the SiteMinder cookies session scheme, users who access resources through that user agent type maintain their session using traditional CA SiteMinder® cookies. Because CA SiteMinder® tracks sessions with cookies, a cookies scheme is supported by CA SiteMinder® SPS. Enable this parameter to let the session scheme accept the SMSESSION cookies.

  4. Save the changes.

To configure using Administrative UI, perform the following steps:

  1. Navigate to Virtual Hosts, Sessions Schemes.
  2. Click Actions, Edit against the default session scheme in the Available Session Schemes list.
  3. Configure the following parameters:
    Class

    Indicates the Java class that contains the default session scheme.

    Default: com.netegrity.proxy.session.SSLIdSessionScheme

    Accepts SMsession Cookies

    Specifies whether the session scheme accepts SMSESSION cookies. If a user agent type is associated with the SiteMinder cookies session scheme, users who access resources through that user agent type maintain their session using traditional CA SiteMinder® cookies. Because CA SiteMinder® tracks sessions with cookies, a cookies scheme is supported by CA SiteMinder® SPS. Select the option to let the session scheme accept the SMSESSION cookies.

  4. Click OK and Save.
Configure the SSL ID Session Scheme

A secure sockets layer (SSL) connection includes a unique ID that is created when an SSL connection is initiated. CA SiteMinder® SPS can use the unique ID as a token to refer to the session information of a user that is maintained in the in-memory session store. This scheme eliminates cookies as a mechanism for maintaining a user session. SSL ID session schemes can be supported using the Java classes that are packaged with CA SiteMinder® SPS.

Important! The limitation of this scheme is that the SSL session ID is established on the initial contact with CA SiteMinder® SPS. If the SSL session of a user is interrupted, a new SSL connection (with a new session ID) is established, and the user must be re-authenticated and re-authorized, because the new SSL connection connects to a new server even when that server is a virtual server on the same system. Also, forms used by HTML Forms Authentication Schemes must be served from the same host name as the protected resource.

You can configure the settings manually or using Administrative UI.

To configure the settings manually, perform the following steps:

  1. Open the server.conf file.
  2. Navigate to the <SessionScheme name="ssl_id"> section.
  3. Configure the following settings:
    class

    Specifies the Java class that handles SSL ID session schemes.

    Default: com.netegrity.proxy.session.SSLIdSessionScheme

    accepts_smsession_cookies

    Specifies if SMSESSION cookies are accepted.

  4. Save the changes.

To configure using Administrative UI, perform the following steps:

  1. Navigate to Virtual Hosts, Sessions Schemes.
  2. Click Actions, Edit against the ssl_id session scheme in the Available Session Schemes list.
  3. Configure the following parameters:
    Class

    Specifies the Java class that handles SSL ID session schemes.

    Default: com.netegrity.proxy.session.SSLIdSessionScheme

    Accepts SMsession Cookies

    Specifies if SMSESSION cookies are accepted.

  4. Click OK and Save.

You must enable SSL in the httpd.conf file of the Apache Web Server to configure the SSL ID session scheme. To modify httpd.conf, perform the following steps:

  1. Open the httpd.conf file located in the directory installation_home/secure-proxy/httpd/conf.
  2. Locate the following line:
    #SSLOptions +StdEnvVars +ExportCertData +CompatEnvVars
    
  3. Delete the # symbol at the beginning of the line.
  4. Delete +CompatEnvVars from the line so that the line reads as follows:
    SSLOptions +StdEnvVars +ExportCertData
    
  5. Save the changes.
  6. Restart CA SiteMinder® SPS.
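
The following is an added example, not code from the CA SiteMinder® SPS documentation or product. It applies the httpd.conf change described in steps 2 through 4 to the text of the file (uncomment the SSLOptions line and drop +CompatEnvVars) and checks the result, so the edit can be verified before CA SiteMinder® SPS is restarted. The sample httpd.conf content is constructed for the demonstration; the real file lives under installation_home/secure-proxy/httpd/conf/httpd.conf.

```python
"""Added example (not from the CA SiteMinder SPS documentation): check and apply
the SSLOptions change described above on the text of an httpd.conf file."""
import re

# Constructed sample of the relevant part of httpd.conf, as it looks before the change.
SAMPLE_HTTPD_CONF = """\
# SSL Engine Options:
#SSLOptions +StdEnvVars +ExportCertData +CompatEnvVars
<Files ~ "\\.(cgi|shtml|phtml|php3?)$">
    SSLOptions +StdEnvVars
</Files>
"""

# Matches an SSLOptions directive, commented out or active, and captures its options.
SSLOPTIONS_RE = re.compile(r"^(?P<indent>\s*)(?P<comment>#\s*)?SSLOptions\b(?P<args>.*)$")


def parse_ssl_options(text):
    """Return a list of (line_no, is_commented, options) for every SSLOptions line."""
    found = []
    for no, line in enumerate(text.splitlines(), start=1):
        m = SSLOPTIONS_RE.match(line)
        if m:
            found.append((no, m.group("comment") is not None, m.group("args").split()))
    return found


def ssl_options_ok(text):
    """True when an active (uncommented) SSLOptions line exports the standard SSL
    environment variables and certificate data, and no active line keeps +CompatEnvVars."""
    active = [opts for _, commented, opts in parse_ssl_options(text) if not commented]
    if any("+CompatEnvVars" in opts for opts in active):
        return False
    return any("+StdEnvVars" in opts and "+ExportCertData" in opts for opts in active)


def fix_ssl_options(text):
    """Steps 3 and 4 of the procedure: uncomment the SSLOptions line that carries
    +ExportCertData and remove +CompatEnvVars from it. All other lines are unchanged."""
    out = []
    for line in text.splitlines(keepends=True):
        m = SSLOPTIONS_RE.match(line.rstrip("\n"))
        if m and "+ExportCertData" in m.group("args").split():
            opts = [o for o in m.group("args").split() if o != "+CompatEnvVars"]
            line = m.group("indent") + "SSLOptions " + " ".join(opts) + "\n"
        out.append(line)
    return "".join(out)


if __name__ == "__main__":
    print("before:", ssl_options_ok(SAMPLE_HTTPD_CONF))  # False: the line is still commented out
    fixed = fix_ssl_options(SAMPLE_HTTPD_CONF)
    print(fixed)
    print("after:", ssl_options_ok(fixed))  # True
```

Run the script against the real file by reading its text into fix_ssl_options and writing the result back only after ssl_options_ok confirms the change; the function is idempotent, so running it twice does not alter an already corrected file.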
Configure the IP Address Session Scheme

In environments where IP addresses are fixed, you can use an IP address to refer to the session information of a user in the session store. This scheme eliminates cookies, but it may only be used in environments where each user is assigned a fixed IP address.

Configure the Mini-cookies Session Scheme

The mini-cookies session scheme stores session information in the CA SiteMinder® SPS in-memory session store and creates a cookie that contains an encrypted token, which CA SiteMinder® SPS returns to the user. The mini-cookie is a fraction of the size of a standard SiteMinder cookie and thus decreases the cost of access for devices such as wireless phones. It provides an alternative to standard SiteMinder cookies.

You can configure the settings manually or using Administrative UI.

To configure the settings manually, perform the following steps:

  1. Open the server.conf file.
  2. Navigate to the <SessionScheme name="minicookie"> section.
  3. Configure the following settings:
    class

    Specifies the Java class that handles the session scheme. If you want to use the default mini-cookies session scheme, do not modify the value.

    Default: com.netegrity.proxy.session.MiniCookieSessionScheme

    accepts_smsession_cookies

    Specifies if SMSESSION cookies are accepted.

    cookie_name

    Defines the name of the mini-cookie that contains the token for the user session.

    Note: This name is not configured using the same value for all the CA SiteMinder® SPS instances that provide single sign-on.

  4. Save the changes.

To configure using Administrative UI, perform the following steps:

  1. Navigate to Virtual Hosts, Sessions Schemes.
  2. Click Actions, Edit against the minicookie session scheme in the Available Session Schemes list.
  3. Configure the following parameters:
    Class

    Specifies the Java class that handles the session scheme. If you want to use the default mini-cookies session scheme, do not modify the value.

    Default: com.netegrity.proxy.session.MiniCookieSessionScheme

    Accepts SMsession Cookies

    Specifies if SMSESSION cookies are accepted.

    cookie_name

    Defines the name of the mini-cookie that contains the token for the user session.

    Note: This name is not configured using the same value for all the CA SiteMinder® SPS instances that provide single sign-on.

  4. Click OK and Save.
Configure the Simple URL Rewriting Session Scheme

Simple URL rewriting appends a token to the requested URL and tracks a user session. The token is used to retrieve session information from the in-memory session store.

The simple_url schemes support simple URL rewriting that can be accomplished without any custom work.

Note: The CGI-based and FCC-based password schemes are supported with the simple_url session scheme.

Example

A user accesses a host and the user session is established through the simple URL rewriting session scheme. An initial request can look like the following example:

    http://banking.company.com/index.html

If the user provides appropriate credentials and is authenticated and authorized, the URL requested by the user is rewritten and returned to the user in a form similar to the following:

    http://banking.company.com/SMID=nnnnnnnnnn/index.html

    nnnnnnnnnn

    Represents a hashed, randomly generated token that CA SiteMinder® SPS uses to identify the user session.

Important! For the simple URL rewriting session scheme to work, any links defined in the enterprise must be relative links. If the links are absolute, the simple URL rewriting scheme fails. Also, the token that CA SiteMinder® SPS appends to a URL is stripped from the URL when the request is forwarded. The token is appended only at the CA SiteMinder® SPS interaction level so that it does not interfere with back-end server processing.
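
The following is an added example, not code from CA SiteMinder® SPS, that models the behaviour described above: the SMID token is inserted as the first path segment of the rewritten URL, stripped again before the request is forwarded to the back-end server, and preserved by relative links but lost by absolute links. The placement of the token and the session key name SMID follow the text; the token format (a truncated SHA-256 digest of random bytes) and the function names are assumptions made for the demonstration.

```python
"""Added example (not from CA SiteMinder SPS): the simple URL rewriting session
scheme, modelled on the description in the documentation."""
import hashlib
import secrets
from urllib.parse import urlsplit, urlunsplit, urljoin

SESSION_KEY_NAME = "SMID"  # the session_key_name parameter of the simple_url scheme


def new_session_token():
    """Hashed, randomly generated token identifying the session (format is an assumption)."""
    return hashlib.sha256(secrets.token_bytes(32)).hexdigest()[:20]


def rewrite_url(url, token, key_name=SESSION_KEY_NAME):
    """Insert KEY=token as the first path segment:
    http://host/index.html -> http://host/SMID=token/index.html."""
    parts = urlsplit(url)
    path = parts.path or "/"
    return urlunsplit(parts._replace(path=f"/{key_name}={token}{path}"))


def strip_session_token(path, key_name=SESSION_KEY_NAME):
    """Split an incoming request path into (token or None, path without the token).

    This is what happens before the request is forwarded: the back-end server
    receives the original path and never sees the token.
    """
    prefix = f"/{key_name}="
    if not path.startswith(prefix):
        return None, path
    token, _, rest = path[len(prefix):].partition("/")
    return token, "/" + rest


def follow_link(current_url, href):
    """Resolve a link the way a browser does and report whether the session survives.

    Relative links resolve under the rewritten URL and keep the SMID segment;
    absolute links replace the whole path and lose it, which is the failure the
    documentation warns about.
    """
    target = urljoin(current_url, href)
    token, _ = strip_session_token(urlsplit(target).path)
    return target, token is not None


if __name__ == "__main__":
    tok = new_session_token()
    rewritten = rewrite_url("http://banking.company.com/index.html", tok)
    print(rewritten)
    print(strip_session_token(urlsplit(rewritten).path))  # token and '/index.html'
    print(follow_link(rewritten, "accounts.html"))   # relative link: session kept
    print(follow_link(rewritten, "/accounts.html"))  # absolute link: session lost
```

follow_link is the quick way to audit a page's links for this scheme: any href for which it reports False would drop the user out of the session.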

You can configure manually or using Administrative UI.

To configure manually, perform the following steps:

  1. Open the server.conf file.
  2. Navigate to the <SessionScheme name="simple_url"> section.
  3. Configure the following settings:
    class

    Specifies the Java class that defines the session scheme. Do not modify this directive if you want to use the default cookieless rewriting session scheme.

    Default: com.netegrity.proxy.session.SimpleURLSessionScheme

    accepts_smsession_cookies

    Indicates whether SMSESSION cookies are accepted.

    session_key_name

    Specifies the SiteMinder ID (SMID) session identifier.

  4. Save the changes.

To configure using Administrative UI, perform the following steps:

  1. Navigate to Virtual Hosts, Sessions Schemes.
  2. Click Actions, Edit against the simple_url session scheme in the Available Session Schemes list.
  3. Configure the following parameters:
    Class

    Specifies the Java class that handles the session scheme. If you want to use the default cookieless rewriting session scheme, do not modify the value.

    Default: com.netegrity.proxy.session.SimpleURLSessionScheme

    Accepts SMsession Cookies

    Specifies if SMSESSION cookies are accepted.

    session_key_name

    Specifies the SiteMinder ID (SMID) session identifier.

  4. Click OK and Save.
Enable Cookieless Federation for Rewriteable Session Schemes

Configure cookieless federation to let CA SiteMinder® SPS use rewritable session schemes, such as the simple URL session scheme, in a federated environment.

Note: When a cookieless federation transaction is being processed by the CA SiteMinder® SPS federation gateway and the simple_url session scheme is used, the SMID is added to the request as a query parameter instead of appending to the URI.

Follow these steps:

  1. Open the server.conf file.
  2. Add the following code to the virtual host section for the virtual host that is serving FWS.
    cookielessfederation="yes"
    
  3. Save the change.
  4. Restart CA SiteMinder® SPS.

Note: No separate post filter, such as the CookielessFedFilter, needs to be enabled for the CA SiteMinder® SPS federation gateway; this functionality is provided out-of-the-box when you enable the federation gateway functionality. You have to enable this post filter only when CA SiteMinder® SPS is not acting as a federation gateway.

Rewrite FWS Redirects for Simple URL Session Schemes

If you deploy CA SiteMinder® SPS in a federated environment, one of the session schemes you can use at the site that is producing assertions is a simple URL session scheme. If you use this scheme, you may be required to rewrite the links that direct the user to the appropriate site so that the session key is added to the link. In SiteMinder documentation, these links for SAML 1.x are called intersite transfer URLs. For SAML 2.0, these links are referred to as an unsolicited response or an AuthnRequest link.

To rewrite these links so that the session key information is added to the base of the URLs, a sample post filter, RewriteLinksPostFilter, is provided with the CA SiteMinder® SPS filter examples. This filter can be compiled and attached to the proxy rule that handles the forwards to the intersite transfer URL, unsolicited response, or AuthnRequest.

The RewriteLinksPostFilter provided with the CA SiteMinder® SPS is a sample filter. You must configure the filter to suit your requirements.

Note: If you use the simple_url session scheme for transactions involving the CA SiteMinder® SPS federation gateway, the session key (SMID) gets added to the request as a query parameter instead of being appended to the URI. However, the SMID gets added to the URI when the final target resource is accessed at the back-end server.

Configure the Wireless Device ID Session Scheme

Some wireless devices have a unique device identification number. This number is sent as a header variable with any requests for resources. CA SiteMinder® SPS can use this device ID as a token to refer to session information in the session store.

You can configure the settings manually or using Administrative UI.

To configure manually, perform the following steps:

  1. Open the server.conf file.
  2. Navigate to the <SessionScheme name="device_id"> section.
  3. Configure the following parameters:
    class

    Specifies the Java class that handles the session scheme.

    Default: com.netegrity.proxy.session.DeviceIdSessionScheme

    accepts_smsession_cookies

    Specifies if SMSESSION cookies are accepted.

    device_id_header_name

    Defines the name of the vendor-specific request header that carries the device ID.

  4. Save the changes.

To configure using Administrative UI, perform the following steps:

  1. Navigate to Virtual Hosts, Sessions Schemes.
  2. Click Actions, Edit against the device_id session scheme in the Available Session Schemes list.
  3. Configure the following parameters:
    Class

    Specifies the Java class that handles the session scheme.

    Default: com.netegrity.proxy.session.DeviceIdSessionScheme

    Accepts SMsession Cookies

    Specifies if SMSESSION cookies are accepted.

    device_id_header_name

    Defines the name of the vendor-specific request header that carries the device ID.

  4. Click OK and Save.
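
The following is an added example, not code shipped with CA SiteMinder® SPS. It serves all of the manual server.conf procedures on this page (default, ssl_id, minicookie, simple_url and device_id): it parses the <SessionScheme name="..."> sections of a server.conf and reports which of the parameters described above are missing. The page shows sections opening with <SessionScheme name="x"> and parameters written as key="value" lines (as in cookielessfederation="yes"); the closing tag </SessionScheme>, the "yes"/"no" values of accepts_smsession_cookies, the header name X-Device-Id and the sample file as a whole are assumptions constructed for the demonstration.

```python
"""Added example (not from CA SiteMinder SPS): parse the SessionScheme sections of a
server.conf and check them against the parameters each scheme is documented to use."""
import re

# Section and parameter syntax as assumed for this example.
SECTION_OPEN = re.compile(r'^\s*<SessionScheme\s+name="(?P<name>[^"]+)"\s*>\s*$')
SECTION_CLOSE = re.compile(r"^\s*</SessionScheme>\s*$")
PARAM = re.compile(r'^\s*(?P<key>[A-Za-z_]+)\s*=\s*"(?P<value>[^"]*)"\s*$')

# Parameters each named scheme needs in addition to class and accepts_smsession_cookies.
REQUIRED = {
    "minicookie": ["cookie_name"],
    "simple_url": ["session_key_name"],
    "device_id": ["device_id_header_name"],
}

# Constructed sample; the minicookie section deliberately lacks cookie_name.
SAMPLE_SERVER_CONF = """\
<SessionScheme name="default">
    class="com.netegrity.proxy.session.SSLIdSessionScheme"
    accepts_smsession_cookies="yes"
</SessionScheme>
<SessionScheme name="minicookie">
    class="com.netegrity.proxy.session.MiniCookieSessionScheme"
    accepts_smsession_cookies="yes"
</SessionScheme>
<SessionScheme name="device_id">
    class="com.netegrity.proxy.session.DeviceIdSessionScheme"
    accepts_smsession_cookies="no"
    device_id_header_name="X-Device-Id"
</SessionScheme>
"""


def parse_session_schemes(text):
    """Return {scheme name: {parameter: value}} for every SessionScheme section."""
    schemes, current = {}, None
    for line in text.splitlines():
        if current is None:
            m = SECTION_OPEN.match(line)
            if m:
                current = m.group("name")
                schemes[current] = {}
        elif SECTION_CLOSE.match(line):
            current = None
        else:
            m = PARAM.match(line)
            if m:
                schemes[current][m.group("key").lower()] = m.group("value")
    return schemes


def check_session_schemes(schemes):
    """Return a list of findings; an empty list means every section is complete."""
    findings = []
    if "default" not in schemes:
        findings.append("no default session scheme: one is required for user agents without a mapping")
    for name, params in schemes.items():
        if "class" not in params:
            findings.append(f"{name}: missing class (the Java class that defines the scheme)")
        if "accepts_smsession_cookies" not in params:
            findings.append(f"{name}: accepts_smsession_cookies not set")
        for key in REQUIRED.get(name, []):
            findings.append(f"{name}: missing {key}") if key not in params else None
    return findings


if __name__ == "__main__":
    parsed = parse_session_schemes(SAMPLE_SERVER_CONF)
    for finding in check_session_schemes(parsed):
        print("finding:", finding)  # minicookie: missing cookie_name
```

To use it on a real installation, read server.conf into a string and pass it to parse_session_schemes; a non-empty findings list points at the section and parameter to revisit in the procedures above.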