Configuring gateway Single Sign-On for CA Single Sign-On
The Blue Cedar Connect Gateway SSO supports SSO credentials for implementations using CA Single Sign-On (formerly CA SiteMinder). This means the gateway requires a single set of SSO credentials, which can be passed to the client app immediately following a successful authentication.
For more information about using the Secure Web Stack policy to share SSO cookies see Secure Web Stack on the gateway and Secure Web Stack in the Integration Platform documentation.
To enable the gateway SSO, set the appropriate URLs for the login site and the SiteMinder session site:
% set aaa auth-group groupname sso siteminder enable true
% set aaa auth-group groupname sso siteminder login-url http://10.42.32.77:3000/login.fcc
% set aaa auth-group groupname sso siteminder restricted-url http://10.42.32.77:3000/restricted/index.html
Use the show command to view the configured settings:
% show aaa auth-group groupname sso
sso {
siteminder {
enable true;
credential-expiration-time 60;
user-form-name USER;
password-form-name PASSWORD;
target-form-name target;
sm-enc-form-value ISO-8859-1;
sm-locale-form-value US-EN;
formcred-cookie-name FORMCRED;
sm-session-cookie-name SMSESSION;
sm-multi-session-cookie ATLAS_MULTICOOKIE;
login-url http://10.42.32.77:3000/login.fcc;
restricted-url http://10.42.32.77:3000/restricted/index.html;
}
}
Option | Description |
---|---|
credential-expiration-time | Number of minutes before a SiteMinder credential expires. Default: 60 |
enable | True if SiteMinder credentials should be retrieved for Blue Cedar-secured apps. |
formcred-cookie-name | Name of the cookie to extract the form credential from in the response from the login-url |
identity-cert-name | Name of an existing identity certificate to use for mutual SSL authentication with the SSO server. |
login-url | URL used to submit authentication credentials to SiteMinder (usually login.fcc) |
password-form-name | Name of the form that contains the password in the submission to the SiteMinder server |
restricted-url | URL used to retrieve SiteMinder session cookie |
sm-enc-form-value | Value of the form that contains the encoding scheme in the submission to the SiteMinder server |
sm-locale-form-value | Value of the form that contains the locale in the submission to the SiteMinder server |
sm-multi-session-cookie | Name of a set (multicookie) of SiteMinder session cookies, each with an individual session time. Note: This parameter takes precedence over sm-session-cookie-name. |
sm-session-cookie-name | Name of the SiteMinder session cookie to extract the session token from in the response to the login-url or restricted-url. |
target-form-name | Name of the form that contains the target in the submission to the SiteMinder server |
user-form-name | Name of the form that contains the username in the submission to the SiteMinder server |
Multi-session cookie format
The gateway recognizes a multi-session cookie, a special cookie that encodes multiple cookies whose domains may otherwise be unrelated. The default cookie name (key) is "ATLAS_MULTICOOKIE". The cookie value is a Base64-encoded JSON-style array of RFC 6265 compliant cookie values, with the following syntax:
ATLAS_MULTICOOKIE_VALUE := BASE64(["COOKIEVALUE1", "COOKIEVALUE2"])
These cookie values may include all RFC-standard attributes, which are passed from the gateway to the injectable client and used in the client cookie store. For example, an encoding of two cookies starts with the value of each Set-Cookie: header:
SMSESSION=OPAQUEVALUE; Domain=.firstdomain.com; Path=/; Expires=Wed, 13 Jan 2021 22:23:01 GMT; HttpOnly
SMSESSION=OPAQUEVALUE2; Domain=.secondomain.com; Expires=Wed, 13 Jan 2021 22:23:01 GMT; Secure
These values are represented as a JSON array:
[
  "SMSESSION=OPAQUEVALUE; Domain=.firstdomain.com; Path=/; Expires=Wed, 13 Jan 2021 22:23:01 GMT; HttpOnly",
  "SMSESSION=OPAQUEVALUE2; Domain=.secondomain.com; Expires=Wed, 13 Jan 2021 22:23:01 GMT; Secure"
]
The final value is Base64 encoded to avoid any issues with special characters. This value is passed from the SSO aggregator to the gateway using the configured cookie name.
The gateway ignores any cookie attributes passed with the ATLAS_MULTICOOKIE container, but passes the attributes of the contained cookies to clients.
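The following Python is an added example, not Blue Cedar's gateway code, showing the multi-session cookie format end to end: it encodes the two Set-Cookie values above into an ATLAS_MULTICOOKIE value, decodes such a value back into its contained cookies, applies the precedence rule from the option table (the multi-session container wins over the single sm-session-cookie-name cookie), discards the container's own attributes while keeping those of the contained cookies, and checks each contained cookie's individual Expires. The function names, the sample Set-Cookie headers and the container attributes (`Path=/; Secure`) are constructed for the example.

```python
import base64
import json
from datetime import datetime, timezone
from email.utils import parsedate_to_datetime

# Defaults taken from the gateway option table above.
MULTICOOKIE_NAME = "ATLAS_MULTICOOKIE"   # sm-multi-session-cookie
SESSION_COOKIE_NAME = "SMSESSION"        # sm-session-cookie-name

# Constructed sample input: the two Set-Cookie values from the example above.
SAMPLE_COOKIES = [
    "SMSESSION=OPAQUEVALUE; Domain=.firstdomain.com; Path=/; "
    "Expires=Wed, 13 Jan 2021 22:23:01 GMT; HttpOnly",
    "SMSESSION=OPAQUEVALUE2; Domain=.secondomain.com; "
    "Expires=Wed, 13 Jan 2021 22:23:01 GMT; Secure",
]


def encode_multicookie(set_cookie_values):
    """ATLAS_MULTICOOKIE_VALUE := BASE64(JSON array of RFC 6265 cookie strings)."""
    payload = json.dumps(list(set_cookie_values)).encode("utf-8")
    return base64.b64encode(payload).decode("ascii")


def decode_multicookie(container_value):
    """Reverse of encode_multicookie; rejects anything that is not an array of strings."""
    payload = base64.b64decode(container_value, validate=True)
    cookies = json.loads(payload)
    if not isinstance(cookies, list) or not all(isinstance(c, str) for c in cookies):
        raise ValueError("multicookie payload must be a JSON array of cookie strings")
    return cookies


def parse_set_cookie(value):
    """Split one Set-Cookie value into name, value and a dict of attributes.

    Flag attributes (Secure, HttpOnly) map to True; attribute names are lower-cased."""
    parts = [p.strip() for p in value.split(";")]
    name, _, cookie_value = parts[0].partition("=")
    attributes = {}
    for attr in parts[1:]:
        if not attr:
            continue
        key, has_value, val = attr.partition("=")
        attributes[key.strip().lower()] = val.strip() if has_value else True
    return {"name": name.strip(), "value": cookie_value.strip(), "attributes": attributes}


def select_session_cookies(set_cookie_headers,
                           multi_name=MULTICOOKIE_NAME,
                           single_name=SESSION_COOKIE_NAME):
    """Pick the session cookies out of a response's Set-Cookie headers.

    The multi-session container takes precedence over the single session cookie.
    The container's own attributes are ignored; each contained cookie keeps its own."""
    single = []
    for header in set_cookie_headers:
        parsed = parse_set_cookie(header)
        if parsed["name"] == multi_name:
            return [parse_set_cookie(c) for c in decode_multicookie(parsed["value"])]
        if parsed["name"] == single_name:
            single.append(parsed)
    return single


def is_expired(cookie, now=None):
    """True when the cookie carries an Expires attribute that lies in the past."""
    expires = cookie["attributes"].get("expires")
    if not isinstance(expires, str):
        return False  # no Expires attribute: treated as a session cookie, never expired here
    when = parsedate_to_datetime(expires)
    if when.tzinfo is None:  # "-0000" dates come back naive; treat them as UTC
        when = when.replace(tzinfo=timezone.utc)
    now = now or datetime.now(timezone.utc)
    return when <= now


if __name__ == "__main__":
    container = encode_multicookie(SAMPLE_COOKIES)
    # Constructed response headers: the container (whose Path/Secure are ignored)
    # plus a plain SMSESSION that loses to the container under the precedence rule.
    headers = [MULTICOOKIE_NAME + "=" + container + "; Path=/; Secure",
               "SMSESSION=IGNORED; Domain=.firstdomain.com"]
    for c in select_session_cookies(headers):
        state = "expired" if is_expired(c) else "valid"
        print(c["name"], c["attributes"].get("domain"), state)
```

Splitting the container header on `;` is safe because a Base64 value never contains a semicolon; the per-cookie Expires values do contain commas, which is why the page encodes the array as JSON rather than as a comma-separated list.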