How can I trust that the SiteMinder HTTP headers haven't been tampered with?

有刺的猬 2021-02-01 07:20

I am completely new to SiteMinder and SSO in general. I poked around on SO and CA's web site all afternoon for a basic example and can't find one. I don't care about setting

5 answers
  •  广开言路
    2021-02-01 07:31

    All Siteminder architectures do indeed make the assumption that the application just has to trust the "SM_" headers.

    In practice, this may not be sufficient depending on the architecture of your application. Basically, you have 3 cases:

    • The Web Agent is installed on the web server where your application runs (typical case for Apache/PHP applications): as stated above, you can trust the headers as no requests can reach your application without being filtered by the web agent.
    • The Web Agent is installed on a different web server than the one where your application runs, but on the same machine (typical case: SM Agent installed on an Apache front-end serving a JEE Application Server): you must ensure that no requests can directly reach your application server. Either you bind your application server to the loopback interface or you filter the ports on the server.
    • The Web Agent runs on a reverse proxy in front of your application. Same remark. The only solution here is to implement an IP filter on your application to only allow requests that come from your reverse proxy.
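As an added example (not code from the answer above or from SiteMinder itself), here is the IP filter the reverse-proxy case calls for, written as a WSGI middleware so the application behind the Web Agent refuses any request that did not arrive from the agent host; the trusted networks and the sample requests are assumed, constructed values.

```python
import ipaddress
from typing import Tuple

# Assumed, constructed allowlist: the loopback interface (agent on the same
# host) and a hypothetical subnet holding the reverse proxy that runs the agent.
TRUSTED_PROXIES = [ipaddress.ip_network("127.0.0.1/32"),
                   ipaddress.ip_network("10.0.0.0/24")]


def is_trusted_source(remote_addr: str) -> bool:
    """True if the TCP peer is a host allowed to front this application."""
    try:
        addr = ipaddress.ip_address(remote_addr)
    except ValueError:          # empty or malformed address: never trust it
        return False
    return any(addr in net for net in TRUSTED_PROXIES)


class WebAgentOnly:
    """WSGI middleware: only requests relayed by the Web Agent reach the app.

    The check uses REMOTE_ADDR, i.e. the actual TCP peer, and deliberately
    ignores X-Forwarded-For, which any client can set. Once only the agent
    can reach the app, the SM_* headers it injects can be trusted.
    """
    def __init__(self, app):
        self.app = app

    def __call__(self, environ, start_response):
        if not is_trusted_source(environ.get("REMOTE_ADDR", "")):
            start_response("403 Forbidden", [("Content-Type", "text/plain")])
            return [b"forbidden\n"]
        return self.app(environ, start_response)


def protected_app(environ, start_response):
    # SM_USER reaches WSGI as HTTP_SM_USER; trusted only because of the guard.
    user = environ.get("HTTP_SM_USER", "anonymous")
    start_response("200 OK", [("Content-Type", "text/plain")])
    return [f"hello {user}\n".encode()]


def handle(environ: dict) -> Tuple[str, bytes]:
    """Run one request through the guarded app; returns (status, body)."""
    captured = []
    def start_response(status, headers, exc_info=None):
        captured.append(status)
    body = b"".join(WebAgentOnly(protected_app)(environ, start_response))
    return captured[0], body
```

For the same-machine case, binding the application server to 127.0.0.1 achieves the same effect at the network layer, and the middleware then serves as defence in depth.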
