refers to siteminder itself. Maybe it is expecting any Cookie that is not sent and therefore indicates that you should set this Option to No so it works without any required Cookies?
since this is a request Header the only way to do this is to send the request through a Proxy that adds the Header:
If it was your own component (e.g. within a servlet) which initiated the request you could simply add some code there but if the request send initiated by the SAMLLoginModule of the engine has to contain this header the only way to achieve that is to either write a login module that extends the existing SAMLLoginModule or to put a proxy between your J2EE and Siteminder (only for that purpose and not all other communication)
You should use a reverse Proxy or configure the engine to use a Proxy for outgoing communication
if you use a reverse Proxy just enter the Proxy URL in the HTTP Destination and your proxy will then have to forward this request to your IDP.
The easiest way to achieve this is to use Apache as a Proxy (create a virtual Host configuration and add the appropriate Header)
Here is a sample configuration for Apache to achieve this (it serves as a reverse proxy and adds the Header you mentioned!) => Put the code or modify the code in conf/extra/httpd-vhosts.conf (if using Apache 2.2)
<VirtualHost *:8085>
ErrorLog logs/error_log_reverse_proxy_8085
CustomLog logs/access_log_reverse_proxy_8085 common
ServerAdmin <youremailaddress>
ServerName <yourproxyhostname>
UseCanonicalName Off
HostnameLookups Off
*# Here we add the Request Header*
RequestHeader set SMCHALLENGE YES
ProxyRequests Off
ProxyPreserveHost Off
ProxyVia On
<Proxy *>
Order deny,allow
Deny from all
Allow from all
</Proxy>
ProxyPass / http://<youridp>:<youridpport>/
# Make sure the location header is replaced correctly when
# receiving a redirect from the backend
ProxyPassReverse / http://<youridp>:<youridpport>/
</VirtualHost>
You can also use Squid or any other Proxy to achieve this. You can also write your own Proxy Component that just adds the header but I'd refer using Apache or some other proxy.
as I described before you can send your request through a proxy (use the proxy URL in your HTTP Destination) and add the Cookie there.
If you want the Cookie to be added by the module itself I think the only way to do this will be to create a new login module that extends the existing SAML Login Module). You can add some functionality in your login module such as adding the Cookie you need.
You will then use your module instead
Here's a link to help.sap.com on how to create a login module:
We want to setup SSO with SAML & Siteminder. We have problems to access Siteminder from J2ee (visual admin --> destination). The response from siteminder was "set RequireCookie= No". But can you do this with SAP?
I don't know how siteminder works but I guess your are using siteminder as SAML identity provider and configured the SAML Login Module in SAP to achieve SSO correct?
For this purpose you need to define a HTTP Destination which is than used as SAML Receiver.
What I do not get is the Cookie Problem.
I don't know exactly how your process flow is but it should be something like
- Your Client authenticates to your identity provider (let's say siteminder)
- Any time later you try to access any resource that is configured to support SAML using SAML Assertions (e.g. SAP J2EE)
- Your identitiy provider will generate an SAML Artifact an redirect you to the destination application (in your case some J2EE Application on SAP that is configured to validate your SAML Artifact (using the SAML Login Module)
=> This initial client request to your identity provider can contain cookies and you cannot avoid this since they are carried and sent by the client (Browser) => I hope this does not cause any problems because it really shouldn't
Now the Engine creates an HTTP Post Request to your IDP that contains the SAML Assertion (SAML Assertion Request). This Assertion request also contains the Artifact and it does not contain any cookies!!! Your IDP now validates the Requests and sends an SAML Assertion Response to your engine (The SAML Login Module extracts the User from the Response (This one is carried in the NameIdentifier of the SOAP Message) and authenticates the user if it exists on the J2EE Engine
You finally receive the response of your Destination Application.
I don't really understand the cookie issue:
Maybe it really helps if you allow unsecure connections for SAML in SAP J2EE (You can enable this under Visual Admin > Configuration Adapter > saml > Settings > AllowUnsecureConnections > true)
so you can use http instead of https. Now use Wireshark or tcpdump or something similar to create a dump of your traffic and analyze it to check where the problem is or maybe send it to me so I can have a look at it.
Hope this helps
Let me know if you need further assistance on this (Reward points for helpful answers are always appreciated )
Do siteminder and your Engine reside on the same domain (I mean do both full qualified hostnames end with the same domain suffix? e.g. j2eehost.yourcompany.com and siteminderhost.yourcompany.com) or do they reside on different domains?
You must be a registered user to add a comment. If you've already registered, sign in. Otherwise, register and sign in.