How can I trust that the SiteMinder HTTP headers haven't been tampered with?

有刺的猬 2021-02-01 07:20

I am completely new to SiteMinder and SSO in general. I poked around on SO and CA's web site all afternoon for a basic example and can't find one. I don't care about setting

5 Answers
  •  情话喂你
    2021-02-01 07:42

    The SM Web Agent installed on the Web Server is designed to intercept all traffic and check to see if the resource request is...

    1. Protected by SiteMinder

    2. If the User has a valid SMSESSION (i.e. is Authenticated)

    3. If 1 and 2 are true, then the WA checks the SiteMinder Policy Server to see if the user is Authorized to access the requested resource.

    To ensure that you don't have HTTP Header injections of user info, the SiteMinder WebAgent will rewrite all the SiteMinder specific HTTP Header information. Essentially, this means you can "trust" the SM_ info the WebAgent is presenting about the user since it is created by the Web Agent on the server and not part of the incoming request.
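
The header rewriting described in the answer above, as a small Python model added here (not part of the original answer and not SiteMinder's own code). The function names and the sample request are hypothetical, `SM_USER` stands in for the SM_ headers, and treating `-` like `_` is an assumption based on CGI-style servers mapping both to the same variable name.

```python
# Toy model of an agent that rewrites identity headers before the
# application sees the request. Names here are hypothetical.

SM_PREFIX = "SM_"


def canonical(name: str) -> str:
    """Fold case and treat '-' like '_', because CGI-style servers map
    both spellings to the same variable (e.g. HTTP_SM_USER)."""
    return name.upper().replace("-", "_")


def rewrite_sm_headers(incoming, session):
    """Return the header list handed to the application.

    incoming: list of (name, value) pairs exactly as the client sent them.
    session:  attributes of a validated session, or None if there is none.
    """
    # 1. Discard every client-supplied header in the SM_ namespace.
    forwarded = [(n, v) for n, v in incoming
                 if not canonical(n).startswith(SM_PREFIX)]
    # 2. Re-create the SM_ headers from server-side session data only.
    if session is not None:
        forwarded.append(("SM_USER", session["user"]))
    return forwarded


def sm_values(headers, name):
    """All values the application would see for one canonical header name."""
    return [v for n, v in headers if canonical(n) == name]


# Constructed sample request in which the client supplies its own SM_ headers.
SPOOFED_REQUEST = [
    ("Host", "app.example.test"),
    ("SM_USER", "admin"),
    ("sm-user", "admin"),
    ("Accept", "text/html"),
]

if __name__ == "__main__":
    out = rewrite_sm_headers(SPOOFED_REQUEST, {"user": "alice"})
    print(sm_values(out, "SM_USER"))
```

The application can rely on these values only for requests that actually passed through the rewriting step; a listener reachable without it receives whatever the client sent.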
