IdentityIQ Integration with Siteminder Quick Note

SailPoint's IdentityIQ identity governance product supports SiteMinder as an SSO (Single Sign-On) solution. This allows SiteMinder to be used as the Web Access Management (WAM) solution in front of IdentityIQ.

In the current IdentityIQ 6.x release, there is an issue whereby the Cross-Site Request Forgery (CSRF) protection, implemented in IdentityIQ using the AngularJS framework, is broken when SiteMinder is used as the SSO product.

Initial login via SiteMinder works, but subsequent screen navigation inside IdentityIQ, and calls to REST endpoints in particular, fail. Specifically, the X-XSRF-TOKEN header is not set after the SiteMinder SMSESSION cookie is updated. The update frequency of the SMSESSION cookie is controlled by the SessionGracePeriod SiteMinder Web Agent setting, which defaults to 30 seconds.

The issue appears to occur inside SailPoint's IdentityIQ AngularJS scripts that set the X-XSRF-TOKEN header. The solution is to make the SMSESSION cookie opaque to client-side JavaScript. This is done by setting the SiteMinder Web Agent setting UseHTTPOnlyCookies to Yes.