We want to use the SDK to create cookies under different SSO Zones. How can we configure the AgentAPI to feed it SSOZoneName="Z1" so that it can be used to create a valid Z1SESSION cookie?

Document ID : KB000051424
Last Modified Date : 14/02/2018

Description

The createSSOToken function just returns an encrypted Base64 blob. It does not specify a cookie name, or even that you store the result in a cookie at all.

In the custom code module where you call createSSOToken, you must have something that sets the cookie name and also retrieves it when decoding. It is probably a constant in your code, so you should be able to change it however you like, including adding a parameter that makes the cookie name variable, so that the zone it picks up can be changed at runtime.

Solution

Overview

The Agent API sample JavaTestClient.java only interacts with the Policy Server API. It does not show the interaction needed to process the HTTP request or to extract and set cookie values. Accordingly, the API function createSSOToken just returns an encrypted Base64 blob and does not specify any HTTP-specific attributes such as a cookie name.

However, if your intent is to embed the AgentAPI calls into an Application Server and have it set and get Siteminder session cookies from the client (the most common usage of the API), then you need to code the interface between the App server and the Siteminder API.
In the custom code module where you call createSSOToken, you must have something that sets the cookie name and also retrieves it when decoding. You can use whatever cookie name you wish. By using the name "SMSESSION" for the cookie you will interact with the normal Siteminder sites, but you can just as easily use "Z1SESSION" and you will interact with the Siteminder zone "Z1".

Note1: If you want your new session cookies accepted by normal web agents, those web agents will have to have the following Agent Configuration Object entry set:

AcceptTPCookies = YES

Note2: In general with Siteminder Zones, be careful about creating too many zones. Each cookie is fairly large, about 4k, and the HTTP headers are, by design, limited to about 8K. Exceeding this limit can have unintended consequences, such as the webserver receiving only some of the client cookies.

Sample Code Segments

You wrote:
> So are you saying that it should work? All we have to do is make sure we name the cookie properly?

Yep, that's all there is to it.

You wrote:
> Can you provide a code sample that demonstrates this?

The Siteminder SM SDK package does not provide a sample that interacts with the App server, and there is no plan to include one.
But the calls will be standard calls to the javax.servlet packages, along the lines of the following pseudo code. It assumes that you already have the other code in place from the sample JavaTestClient.java.

To set a zone session token:

The following pseudo code template shows how to take the ssoToken and store it in a user cookie for the user.

    import java.io.IOException;
    import javax.servlet.ServletException;
    import javax.servlet.http.*;   // Cookie, HttpServletRequest, HttpServletResponse

    public void doGet(HttpServletRequest request, HttpServletResponse response)
            throws ServletException, IOException {
        ....
        // Ask the Policy Server for the encrypted token blob
        retcode = agentapi.createSSOToken(sessionDef, ssoAttrs, ssoToken);

        if (retcode != AgentAPI.SUCCESS) {
            throw new RuntimeException("Failure creating SSO Token");
        }

        String zoneName = "Z1";

        // The cookie name, not the token, selects the zone: Z1SESSION for zone Z1
        Cookie smcookie = new Cookie(zoneName + "SESSION", ssoToken.toString());
        smcookie.setDomain(".transpolar.com");
        response.addCookie(smcookie);
        ....
    }

Note: The smcookie.setDomain(..) call is needed if your website is http://www.transpolar.com, although in some special circumstances, such as when your website is http://transpolar.com, you will need to leave the setDomain call out. Check your cookie programming guide for why.

To retrieve a zone session token:

The following pseudo code template shows how to retrieve a zone cookie and pass it into the Siteminder decode function.

    public void doGet(HttpServletRequest request, HttpServletResponse response)
            throws ServletException, IOException {
        String zoneName = "Z1";
        String sessionCookieName = zoneName + "SESSION";

        String sessionId = null;
        Cookie[] cookies = request.getCookies();   // null when the request carries no cookies

        if (cookies != null) {
            for (Cookie ck : cookies) {
                if (sessionCookieName.equals(ck.getName())) {
                    sessionId = ck.getValue();     // assign the outer variable, do not redeclare it
                    break;
                }
            }
        }
        ...

        // sessionId is still null here if the zone cookie was not sent
        retcode = agentapi.decodeSSOToken(sessionId, tokendesc,
                ssoRespAttrs, updateToken, updatedSSOToken);
        ...
    }

Note: The reason for the loop is that, in general cookie handling, we can receive multiple cookies that have the same name. SiteMinder, however, will expect only one.
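The duplicate-cookie note above and the header size limit in Note2 can both be checked before a token is handed to decodeSSOToken. The following is an added example, not code from the SiteMinder SDK or from the original article; the class and method names, the letters-and-digits rule for zone names, and the sample header values are assumptions made for illustration. It works on the raw Cookie header so it needs only the JDK (Java 11 or later).

```java
import java.util.ArrayList;
import java.util.List;

public class ZoneCookieCheck {
    // From Note2: HTTP headers are limited to about 8K. The Cookie header alone
    // exceeding that is already a problem, so this is a lower-bound check.
    static final int HEADER_BUDGET = 8 * 1024;

    /** Builds "<zone>SESSION". Restricting zone names to letters and digits is an
     *  assumption of this example, so a runtime parameter cannot shape the name. */
    static String cookieNameFor(String zoneName) {
        if (zoneName == null || !zoneName.matches("[A-Za-z0-9]+")) {
            throw new IllegalArgumentException("unexpected zone name");
        }
        return zoneName + "SESSION";
    }

    /** Returns every value sent under cookieName in a raw Cookie header. */
    static List<String> valuesFor(String cookieHeader, String cookieName) {
        List<String> values = new ArrayList<>();
        for (String pair : cookieHeader.split(";")) {
            int eq = pair.indexOf('=');   // first '=' only: Base64 padding may add more
            if (eq > 0 && pair.substring(0, eq).trim().equals(cookieName)) {
                values.add(pair.substring(eq + 1).trim());
            }
        }
        return values;
    }

    /** Returns the zone token, or null when it is absent, sent more than once,
     *  or the Cookie header is over the budget (cookies may have been dropped). */
    static String selectZoneToken(String cookieHeader, String zoneName) {
        if (cookieHeader == null || cookieHeader.length() > HEADER_BUDGET) return null;
        List<String> values = valuesFor(cookieHeader, cookieNameFor(zoneName));
        return values.size() == 1 ? values.get(0) : null;
    }

    public static void main(String[] args) {
        String blob = "A".repeat(4000);   // constructed stand-in for a ~4k token
        String twoZones = "SMSESSION=" + blob + "; Z1SESSION=" + blob.substring(0, 3900);
        String duplicate = "Z1SESSION=aaa; Z1SESSION=bbb";
        String threeZones = twoZones + "; Z2SESSION=" + blob;
        System.out.println("two zones:   " + (selectZoneToken(twoZones, "Z1") != null));
        System.out.println("duplicate:   " + selectZoneToken(duplicate, "Z1"));
        System.out.println("three zones: " + selectZoneToken(threeZones, "Z1"));
    }
}
```

In a servlet, the header string would come from request.getHeader("Cookie"), and a null result should be handled as "no session" rather than passed to decodeSSOToken.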

Debugging Tip

A good debugging aid when trying to diagnose this sort of interaction problem is a trace program that records the data and cookies as processed on the client side. If you are using Firefox, the Tamperdata module is excellent, and if you are using Internet Explorer, the Http Watch program is also useful. There are also various other utilities available that do the same monitoring.

A trace from the user's side that shows the problem is also good to have, as it helps in understanding what is going on.