What is the exact meaning of this error thrown by the Siteminder ERP Agent v5.6 for Siebel? Where in the user journey (webagent to policy server or object manager to policy server communications) does this check occur? If the 'acceptance window' is not specified, what is its default value?
The error message "Ticket outside acceptance window - replay attack?" is generated at the time of Siebel Object Manager (Siteminder Security Adapter/ERP Agent) to Policy Server communication.
With reference to the "Data Flow" section of "Chapter 1 - Overview and Architecture" within the Siteminder ERP Agent v5.6 SP4 for Siebel Guide, the following is the sequence of events that occurs for SSO:
- Steps 1-5 happen as described in the agent guide.
- At Step 6c when the /SiebelConnector/* resource protected by Policy Server using Siebel SSO Auth Scheme is accessed, the SIEBELTICKET and SIEBELUSER responses are generated and passed back to the Web Agent. These responses are then converted into HTTP Headers.
- At Step 6d, the user is redirected to a URL that SWSE uses to send the username (the SIEBELUSER response) and password (the SIEBELTICKET response) to the object manager.
- At Step 7, the object manager invokes the Siteminder Security Adapter (ERP Agent) and passes the username and password to it.
- At Step 8, the object manager authenticates the user at the Policy Server by using the Siebel SSO Auth Scheme and the SIEBELUSER and SIEBELTICKET parameters it received from SWSE. On the Policy Server side the SIEBELTICKET is validated by comparing the time of the ticket's generation (at Step 6c above) with the time of its presentation for user authentication. If this time difference is less than the Ticket Acceptance Period (refer to "Chapter 2 - Installing On the Policy Server"), processing continues. Otherwise, the "Ticket outside acceptance window" error message is generated.
This acceptance window is a feature of the ERP Agent that prevents replay attacks by ensuring that the SIEBELTICKET being presented is the latest one the Policy Server generated (at Step 6c above). If a user tries to replay a previously generated SIEBELTICKET that does not fall within the acceptance window, SSO fails. The window is configured within the Siebel Authentication scheme by setting the 'PERIOD' parameter in seconds (default of 60 seconds). Certain Siebel applications may require the Siebel session ticket to remain valid for the duration of the session; in these cases it may be advisable to set 'PERIOD' to a value higher than the Max Timeout period of the Siebel protected realms.
However, to ensure that this feature functions in the intended manner it is necessary to make note of the following points:
- The default value of the ticket acceptance window PERIOD is 60 seconds (refer to Chapter 2 - Installing on Policy Server - Install the Authentication Scheme section of the ERP Agent guide).
- When creating the active response corresponding to the SSO Ticket (refer to the Chapter 2 - Installing on Policy Server - Create Siteminder Policies section of the ERP Agent guide), "Attribute Caching" must not be set to "Cache Value"; it must instead be set to "Recalculate Value Every <xx> seconds", and the value of <xx> should be less than the PERIOD setting in the Siebel authentication scheme (which defaults to 60 seconds if not specified).
- If the second point above is not followed, a user can receive the error "Ticket outside acceptance window - replay attack?" even under normal conditions, because the Policy Server can send out a SIEBELTICKET from the cache instead of generating it again. The cached SIEBELTICKET can carry a timestamp old enough to push it beyond the acceptance window by the time it is presented for validation.
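The following model of the Step 8 acceptance-window check and its interaction with active-response caching is an added illustration, not code from the ERP Agent or the Policy Server; the ticket structure, the cache behaviour and the request timings are simplified assumptions used only to show why a cached SIEBELTICKET can fail validation.

```python
"""Model of the SIEBELTICKET acceptance-window check (Step 8) and of the
"Recalculate Value Every <xx> seconds" cache on the active response (Step 6c).
Added illustration with assumed, simplified behaviour; not product code."""
from dataclasses import dataclass
from typing import Optional

DEFAULT_PERIOD = 60  # seconds; the PERIOD default stated in the agent guide


@dataclass
class Ticket:
    user: str
    issued_at: float  # generation time the Policy Server compares against


class ActiveResponseCache:
    """Assumed cache model: the ticket produced by the active response is
    reused until it is recalc_every seconds old, then generated again."""

    def __init__(self, recalc_every: float):
        self.recalc_every = recalc_every
        self._cached: Optional[Ticket] = None

    def get_ticket(self, user: str, now: float) -> Ticket:
        c = self._cached
        if c is None or c.user != user or now - c.issued_at >= self.recalc_every:
            self._cached = Ticket(user, now)  # recalculate: fresh timestamp
        return self._cached


def within_acceptance_window(ticket: Ticket, presented_at: float,
                             period: float = DEFAULT_PERIOD) -> bool:
    """Step 8 check: the ticket's age at presentation must be below PERIOD."""
    return presented_at - ticket.issued_at < period


def simulate(recalc_every: float, period: float = DEFAULT_PERIOD,
             request_times=(0, 20, 40, 55, 70), latency: float = 5):
    """Return the request times whose SSO fails with the acceptance-window
    error. Each request fetches its ticket at time t (Step 6c) and presents
    it to the Policy Server latency seconds later (Step 8). Constructed
    timings; one user so the cache is always a hit within recalc_every."""
    cache = ActiveResponseCache(recalc_every)
    failures = []
    for t in request_times:
        ticket = cache.get_ticket("jdoe", t)  # constructed sample user
        if not within_acceptance_window(ticket, t + latency, period):
            failures.append(t)
    return failures
```

With the default PERIOD of 60, `simulate(30)` returns no failures while `simulate(90)` fails the requests at 55 and 70 seconds, which is the "error under normal conditions" case above; the model also shows that the margin between <xx> and PERIOD has to cover the Step 6c to Step 8 latency.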