How to configure APIM agent to include Client IP in the SSO Token during Authentication

Document ID : KB000116464
Last Modified Date : 28/09/2018
Issue:
Multiple Web Agents leverage the client IP address to do TransientIPCheck or require the client IP, but this is failing with API Gateway 9.3 CR3. The logs seem to indicate there is no IP when the token is generated by the API Gateway. Note: This works fine when we have another CA SSO 12.52 Web Agent (NOT the GW) generate the tokens; when that is done, the TransientIP check works fine.
Environment:
CA SSO 12.7 OR 12.8 (our DEV only has 12.8)
Web Agents 12.52 SP1
SSO Zones are used by environment.
CA APIM Gateway 9.3 CR3
 
 
Cause:
APIM uses the SSO SDK to create the SSO token (SMSESSION). Because the cookie is created by the SDK, it is a third-party cookie. Third-party cookies do not contain the client IP ("Attribute 208").

This only affects clients that authenticate through the APIM Gateway and then navigate to the CA SSO environment, and only where the CA SSO environment has implemented either TransientIPCheck=yes or PersistentIPCheck=yes.
 
Resolution:
Steps to include Client_IP in the SMSESSION (SSO token):
 
SSO Admin UI
  1. Create an AgentConfigurationObject (ACO), for example: mcqst02-ssg930-1_ACO
     Add the APIM AgentName and TransientIPCheck=yes.


APIM Policy Manager:
            Tasks -> Users and Authentication -> Manage CA Single Sign-On Configuration
  1. Address: contains an IP address (in this example, support used the loopback address 127.0.0.1)
  2. The "Check IP" box must be checked

Open the CA SSO isProtect call in your policy and add the Agent Configuration Object name in the dialog box (example: mcqst02-ssg930-1_ACO).
