
Configuring gateway Single Sign-On for CA Single Sign-On

The Blue Cedar Connect Gateway SSO supports SSO credentials for implementations using CA Single Sign-On (formerly CA SiteMinder). The gateway therefore needs only a single set of SSO credentials, which it passes to the client app immediately after a successful authentication.

For more information about using the Secure Web Stack policy to share SSO cookies, see Secure Web Stack on the gateway and Secure Web Stack in the Integration Platform documentation.

To enable gateway SSO, turn on SiteMinder support for the auth group and set the URLs for the login page and for the SiteMinder-protected (restricted) page from which the session cookie is retrieved:

% set aaa auth-group groupname sso siteminder enable true
% set aaa auth-group groupname sso siteminder login-url http://10.42.32.77:3000/login.fcc
% set aaa auth-group groupname sso siteminder restricted-url http://10.42.32.77:3000/restricted/index.html

Use the show command to view the configured settings:

% show aaa auth-group groupname sso
sso {
  siteminder {
    enable true;
    credential-expiration-time 60;
    user-form-name USER;
    password-form-name PASSWORD;
    target-form-name target;
    sm-enc-form-value ISO-8859-1;
    sm-locale-form-value US-EN;
    formcred-cookie-name FORMCRED;
    sm-session-cookie-name SMSESSION;
    sm-multi-session-cookie ATLAS_MULTICOOKIE;
    login-url http://10.42.32.77:3000/login.fcc;
    restricted-url http://10.42.32.77:3000/restricted/index.html;
  }
}


Option                      Description
--------------------------  ------------------------------------------------------------------------------
credential-expiration-time  Number of minutes before a SiteMinder credential expires. Default: 60
enable                      True if SiteMinder credentials should be retrieved for Blue Cedar-secured apps.
formcred-cookie-name        Name of the cookie from which the form credential is extracted in the response from the login-url.
identity-cert-name          Name of an existing identity certificate to use for mutual SSL authentication with the SSO server.
login-url                   URL used to submit authentication credentials to SiteMinder (usually login.fcc).
password-form-name          Name of the form field that carries the password in the submission to the SiteMinder server.
restricted-url              URL used to retrieve the SiteMinder session cookie.
sm-enc-form-value           Value of the form field that carries the encoding scheme in the submission to the SiteMinder server.
sm-locale-form-value        Value of the form field that carries the locale in the submission to the SiteMinder server.
sm-multi-session-cookie     Name of a set (multicookie) of SiteMinder session cookies, each with an individual session time.
                            Note: This parameter takes precedence over sm-session-cookie-name.
sm-session-cookie-name      Name of the SiteMinder session cookie from which the session token is extracted in the response to the login-url or restricted-url.
target-form-name            Name of the form field that carries the target in the submission to the SiteMinder server.
user-form-name              Name of the form field that carries the username in the submission to the SiteMinder server.

Multi-session cookie format

The gateway recognizes a multi-session cookie, a special cookie that bundles multiple cookies whose domains may otherwise be unrelated. The default cookie name (key) is "ATLAS_MULTICOOKIE". The cookie value is a Base64-encoded JSON-style array of RFC 6265 compliant cookie values, with the following syntax:

ATLAS_MULTICOOKIE_VALUE := BASE64(["COOKIEVALUE1", "COOKIEVALUE2"])

These cookie values may include all RFC-standard attributes, which are passed from the gateway to the injectable client and used in the client cookie store. For example, to encode two cookies, start from the value of each Set-Cookie: header:

SMSESSION=OPAQUEVALUE; Domain=.firstdomain.com; Path=/; Expires=Wed, 13 Jan 2021 22:23:01 GMT; HttpOnly
SMSESSION=OPAQUEVALUE2; Domain=.secondomain.com; Expires=Wed, 13 Jan 2021 22:23:01 GMT; Secure

These values are represented as a JSON array:

[
  "SMSESSION=OPAQUEVALUE; Domain=.firstdomain.com; Path=/; Expires=Wed, 13 Jan 2021 22:23:01 GMT; HttpOnly",
  "SMSESSION=OPAQUEVALUE2; Domain=.secondomain.com; Expires=Wed, 13 Jan 2021 22:23:01 GMT; Secure"
]

The final value is Base64-encoded to avoid any issues with special characters. This value is passed from the SSO aggregator to the gateway using the configured cookie name.

The gateway ignores any cookie attributes passed with the ATLAS_MULTICOOKIE container, but passes the attributes of the contained cookies to clients.
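The encoding and decoding described above, as an added example that is not part of the Blue Cedar documentation or product code: it builds an ATLAS_MULTICOOKIE value from Set-Cookie strings, decodes one back into its contained cookies, parses each cookie's RFC 6265 attributes, and reports contained cookies that lack Secure or HttpOnly. The sample cookie strings are constructed to match the shape of the page's example; the function names are the example's own. Because the gateway forwards the contained cookies' attributes unchanged, the audit step shows what the client cookie store will actually receive from the upstream headers.

```python
import base64
import json

# Constructed sample Set-Cookie values, shaped like the page's example.
SAMPLE_SET_COOKIES = [
    "SMSESSION=OPAQUEVALUE; Domain=.firstdomain.com; Path=/; "
    "Expires=Wed, 13 Jan 2021 22:23:01 GMT; HttpOnly",
    "SMSESSION=OPAQUEVALUE2; Domain=.secondomain.com; "
    "Expires=Wed, 13 Jan 2021 22:23:01 GMT; Secure",
]


def encode_multicookie(set_cookie_values):
    """Build the multicookie value: BASE64 of a JSON array of Set-Cookie strings."""
    payload = json.dumps(list(set_cookie_values))
    return base64.b64encode(payload.encode("utf-8")).decode("ascii")


def parse_set_cookie(value):
    """Split one RFC 6265 set-cookie-string into (name, value, attributes).

    Attributes are keyed by lower-cased name; flag attributes such as
    Secure and HttpOnly map to True. Splitting on ';' is safe because
    the Expires date contains commas but never a semicolon.
    """
    parts = [p.strip() for p in value.split(";")]
    name, sep, cookie_value = parts[0].partition("=")
    if not sep or not name.strip():
        raise ValueError(f"malformed cookie pair: {parts[0]!r}")
    attrs = {}
    for attr in parts[1:]:
        if not attr:
            continue
        key, _, val = attr.partition("=")
        attrs[key.strip().lower()] = val.strip() if val else True
    return name.strip(), cookie_value, attrs


def decode_multicookie(b64_value):
    """Decode a multicookie value and parse each contained cookie.

    Returns a list of dicts with keys "name", "value" and "attributes".
    Raises ValueError for anything that is not valid Base64 wrapping a
    JSON array of strings, so a malformed container is rejected as a
    whole rather than partially applied to the cookie store.
    """
    try:
        raw = base64.b64decode(b64_value, validate=True)
        entries = json.loads(raw.decode("utf-8"))
    except (ValueError, UnicodeDecodeError) as exc:
        raise ValueError(f"not a Base64-encoded JSON document: {exc}") from exc
    if not isinstance(entries, list) or not all(isinstance(e, str) for e in entries):
        raise ValueError("multicookie payload must be a JSON array of strings")
    cookies = []
    for entry in entries:
        name, value, attrs = parse_set_cookie(entry)
        cookies.append({"name": name, "value": value, "attributes": attrs})
    return cookies


def audit_cookie_flags(cookies):
    """Return (name, domain, missing_flags) for cookies lacking Secure or HttpOnly.

    The gateway passes contained-cookie attributes through unchanged, so a
    session cookie issued without these flags reaches the client as-is.
    """
    findings = []
    for cookie in cookies:
        missing = [f for f in ("secure", "httponly") if f not in cookie["attributes"]]
        if missing:
            findings.append((cookie["name"], cookie["attributes"].get("domain", ""), missing))
    return findings


if __name__ == "__main__":
    encoded = encode_multicookie(SAMPLE_SET_COOKIES)
    print("ATLAS_MULTICOOKIE=" + encoded)
    for cookie in decode_multicookie(encoded):
        print(cookie["name"], cookie["attributes"].get("domain"), sorted(cookie["attributes"]))
    for name, domain, missing in audit_cookie_flags(decode_multicookie(encoded)):
        print(f"{name} for {domain} is missing: {', '.join(missing)}")
```

Run it directly to see the encoded container and the per-cookie attribute breakdown; the decoder deliberately fails closed on a container that is not a JSON array of strings, which is the check a gateway-side consumer of the aggregator's cookie would want before touching the client cookie store.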
