Question
Express Scripts
US
Last activity: 21 Aug 2015 17:25 EDT
SiteMinder integration with 6.3 SP1.
Right now we are not validating the password sent from SiteMinder. We don't have any validation in place, so we are able to access the application by just passing the User Id. We would need help on how we can implement the password validation.
Pegasystems Inc.
US
Hi Abbai,
Is there anything in the following discussion (or the documents it references) that would be of help?
SiteMinder Integration with PRPC 7.1.7
It was asked in the context of Pega 7, but perhaps the documentation is applicable to you?
Thanks.
B.
Express Scripts
US
I have gone through the discussion. That is only applicable for Pega 7. Thanks for pointing it out.
Why aren't you validating the username in the Auth Activity then?
Express Scripts
US
We are validating the user name in the Activity. All we need to access Pega is the User Id.
Pegasystems Inc.
US
There should be no way you can access the application by passing in a UserID unless something is really misconfigured in Siteminder or you are bypassing Siteminder and going directly to PRPC for this test.
Siteminder has an agent running on a web server sitting between the browser and the PRPC application. It's monitoring the traffic and allowing or denying access to back-end system(s). If you are not authenticated with Siteminder you should not be able to access any resources in the back-end system. That is its purpose.
With your Siteminder SSO configuration in PRPC you should be looking for an "sm_user" HTTP header. That will be the name of the user that is currently logged in through Siteminder. I have never seen a password passed on by Siteminder. You can look for the SMSESSION cookie, and I have seen some clients do validation on the cookie before with a connector to a Siteminder-provided resource. That is as much extra security as I have ever seen used with Siteminder before.
How are you testing sending in a UserID and getting access to the system?
Express Scripts
US
Hi Chris, we are doing a couple of tests.
In one test we are accessing Pega directly (skipping the web server). In the second test we are logging into Siteminder with a userId and passing another UserId in the request parameters. In both scenarios we are able to access Pega without a password.
Pegasystems Inc.
US
Hi Abbai,
In your activity you should be getting the user name from the header "sm_user" not a UserId parameter. That HTTP header is sent from siteminder agent to PRPC and can't be modified client side.
Express Scripts
US
Chris, we can use the SM_User, but I can create a small HTML page with an SM_User parameter and access Pega (application node) directly, as we do for the developer portal. Also, to send the userid in a POST we have to add an unauthenticated hash in the URL.
Pegasystems Inc.
US
Abbai,
That is your activity causing the problem though: you're looking for an HTTP parameter and not an HTTP header. If you have your activity accessing an HTTP parameter for the user id then yes, I would expect you to run into these issues.
I want you to try the following within your login activity:
1) Add a local variable on the Parameters page, "userId", of type String. (You may already have one.)
2) Add a Java step that has the following:
----
    // Grab the underlying servlet request that PRPC keeps on the requestor page
    javax.servlet.http.HttpServletRequest request =
        (javax.servlet.http.HttpServletRequest) tools.getRequestor().getRequestorPage().getObject("pxHTTPServletRequest");

    /* Debug - uncomment to see all headers in the log
    java.util.Enumeration e = request.getHeaderNames();
    String header = null;
    while (e.hasMoreElements()) {
        header = (String) e.nextElement();
        oLog.infoForced(header + ": " + request.getHeader(header));
    }
    */

    // Take the user name from the HTTP header set by the Siteminder agent,
    // never from a request parameter the client can control
    userId = request.getHeader("sm_user");
    oLog.infoForced("Login request for sm_user: " + userId);

    // A missing header and an empty one are both "blank": deny access
    if (userId == null || userId.trim().length() == 0) {
        oLog.error("sm_user was blank");
        errorMessage("[Error text here] ");
    }
----
Now the local variable userId is the ONLY identifier you use for the operator in PRPC. If it's blank, you deny access. So now you are using a value for the user ID that is only coming from the Siteminder agent and can't be modified client side.
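As an added illustration of the distinction drawn in this reply, and of the bypass the thread goes on to discuss, here is a Python model (not Pega's or CA's code) of the parameter-based check the original poster has today beside the header-based one. The `Request` class, the IP addresses and the `TRUSTED_WEB_SERVERS` allowlist are constructed for the example: the allowlist stands in for whatever actually prevents the application node from being reached except through the web server that runs the Siteminder agent, which is the assumption that makes the `sm_user` header trustworthy in the first place.

```python
"""Constructed model of the two identity checks discussed in this thread.

Not Pega or CA SiteMinder code. Request, the IP addresses and the
TRUSTED_WEB_SERVERS allowlist are assumptions made for the example; the
allowlist stands for whatever really stops clients reaching the PRPC
application node except through the SiteMinder-fronted web server.
"""
from dataclasses import dataclass, field
from typing import Dict, Optional, Set


@dataclass
class Request:
    """Minimal stand-in for the servlet request the login activity sees."""
    remote_addr: str
    headers: Dict[str, str] = field(default_factory=dict)
    params: Dict[str, str] = field(default_factory=dict)

    def header(self, name: str) -> Optional[str]:
        """Case-insensitive lookup, like HttpServletRequest.getHeader()."""
        for key, value in self.headers.items():
            if key.lower() == name.lower():
                return value
        return None


@dataclass
class Decision:
    allowed: bool
    user_id: Optional[str]
    reason: str


def identify_by_parameter(req: Request) -> Decision:
    """What the original poster has today: identity read from a request
    parameter. The client chooses the value, so knowing a UserId is enough."""
    user_id = req.params.get("UserId")
    if not user_id:
        return Decision(False, None, "UserId parameter missing")
    return Decision(True, user_id, "UserId parameter accepted (client-controlled)")


def identify_by_sm_user(req: Request, trusted_proxies: Set[str]) -> Decision:
    """Chris's approach: sm_user header only, blank means deny. The source
    check is the assumption that makes the header trustworthy: a request that
    did not pass through the agent-fronted web server carries whatever header
    the caller typed, so it is refused regardless of content."""
    if req.remote_addr not in trusted_proxies:
        return Decision(False, None, "request did not come through the SiteMinder web server")
    user_id = req.header("sm_user")
    if user_id is None or not user_id.strip():
        return Decision(False, None, "sm_user was blank")
    # Any UserId parameter in the same request is deliberately ignored.
    return Decision(True, user_id.strip(), "sm_user header accepted")


# Constructed: address of the web server that runs the SiteMinder agent.
TRUSTED_WEB_SERVERS: Set[str] = {"10.0.0.5"}


def run_scenarios() -> Dict[str, Decision]:
    """Replays the tests described in the thread against both checks."""
    attacker = "203.0.113.9"   # constructed: client hitting the app node directly
    web_server = "10.0.0.5"    # constructed: request relayed by the agent
    return {
        # Test 1 today: app node hit directly with only a UserId parameter.
        "param, direct": identify_by_parameter(Request(attacker, params={"UserId": "victim"})),
        # The Postman replay: a captured SM_User header sent straight to the app node.
        "header, direct forged": identify_by_sm_user(
            Request(attacker, headers={"SM_User": "victim"}), TRUSTED_WEB_SERVERS),
        # Normal SSO login relayed by the agent.
        "header, via agent": identify_by_sm_user(
            Request(web_server, headers={"sm_user": "alice"}), TRUSTED_WEB_SERVERS),
        # Test 2 today: logged in as alice but passing another UserId parameter.
        "header, via agent, extra param": identify_by_sm_user(
            Request(web_server, headers={"sm_user": "alice"}, params={"UserId": "victim"}),
            TRUSTED_WEB_SERVERS),
    }


if __name__ == "__main__":
    for name, decision in run_scenarios().items():
        print(f"{name:32} allowed={decision.allowed!s:5} user={decision.user_id} ({decision.reason})")
```

The model shows why the header alone is not the whole answer: `identify_by_sm_user` only refuses the forged-header replay because of the source check, and a direct route to the application node that skips the web server would still admit any `sm_user` value. Validating the SMSESSION cookie against a Siteminder-provided resource, as mentioned earlier in the thread, is a separate and stronger check that this offline example does not model.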
Express Scripts
US
Thanks Chris. But I can use something like Fiddler, Charles Proxy or even an IE network trace and capture the SM_User from the header, and then use a tool similar to "Postman" and pass the same header (SM_User) and get into the system.
Let me know if my understanding is not correct.
Pegasystems Inc.
US
Abbai,
When you tested that, you were bypassing Siteminder, correct?