How can I trust that the SiteMinder HTTP headers haven't been tampered with?

GregT picture GregT · Apr 13, 2012 · Viewed 27.3k times · Source

I am completely new to SiteMinder and SSO in general. I poked around on SO and CA's web site all afternoon for a basic example and can't find one. I don't care about setting up or programming SM or anything like that. All of that is already done by someone else. I just want to adapt my JS web app to use SM for authentication.

I get that SM will add a HTTP header with a key such as SM_USER that will tell me who the user is. What I don't get is -- what prevents anyone from adding this header themselves and bypassing SM entirely? What do I have to put in my server-side code to verify that the SM_USER really came from SM? I suppose secure cookies are involved...

Answer

Ian picture Ian · Apr 19, 2012

The SM Web Agent installed on the Web Server is designed to intercept all traffic and checks to see if the resource request is...

  1. Protected by SiteMinder

  2. If the User has a valid SMSESSION (i.e. is Authenticated)

  3. If 1 and 2 are true, then the WA checks the Siteminder Policy Server to see if the user is Authorized to access the requested resource.

To ensure that you don't have HTTP Header injections of user info, the SiteMinder WebAgent will rewrite all the SiteMinder specific HTTP Header information. Essentially, this means you can "trust" the SM_ info the WebAgent is presenting about the user since it is created by the Web Agent on the server and not part of the incoming request.