Questions about SiteMinder session tokens

Document ID : KB000054112
Last Modified Date : 14/02/2018

Description:

  1. What are SMSESSION and SMIDENTITY?

  2. Which component provides the SMSESSION and SMIDENTITY cookies to the browser: the SiteMinder agent, the Policy Server, or something else?

  3. What information do SMSESSION and SMIDENTITY contain?

  4. Is SMSESSION a cookie or a session, and why is the value of SMSESSION just a session ID?

Solution:

  1. SMSESSION and SMIDENTITY are cookies created in the default security zone ("SM"). These cookies contain similar information. The SiteMinder session cookie (SMSESSION) contains a set of information including the user's SiteMinder session ID, their SiteMinder session ticket, and timeouts. The SiteMinder identity (SMIDENTITY) cookie is similar, but is only used for anonymous access to resources. The identity cookie contains a unique identifier for users who have not yet logged in, and is replaced with an identity cookie containing information specific to the user once they have logged into a protected resource. The identity cookie is affected by the user tracking feature of the Policy Server. Consult the documentation for more information on this feature.

  2. The SiteMinder Web Agent or custom agent sends the request to the web server, and the web server sends the Set-Cookie header to the client browser.

  3. For details beyond the following, review the API guides.
    SMSESSION - Sm_AgentApi_DecodeSSOToken()
    Decodes a single sign-on token and returns a subset of its attributes.
    Attribute list:
      SM_AGENTAPI_ATTR_USERDN
      SM_AGENTAPI_ATTR_SESSIONSPEC
      SM_AGENTAPI_ATTR_SESSIONID
      SM_AGENTAPI_ATTR_USERNAME
      SM_AGENTAPI_ATTR_CLIENTIP
      SM_AGENTAPI_ATTR_DEVICENAME
      SM_AGENTAPI_ATTR_IDLESESSIONTIMEOUT
      SM_AGENTAPI_ATTR_MAXSESSIONTIMEOUT
      SM_AGENTAPI_ATTR_STARTSESSIONTIME
      SM_AGENTAPI_ATTR_LASTSESSIONTIME
    SMIDENTITY - The user's identity ticket. SiteMinder returns this if the user tracking feature has been enabled.

  4. The session cookie contains a session ID, as well as additional information. The actual value of the cookie is opaque and cannot be used to determine state directly. Agents will decode the cookie upon receipt and will set headers with pertinent information (such as the user's session ID, the session ticket, and the user's identity). See the Web Agent documentation for more information.