We have built a simple Perl CGI to allow us to check for SiteMinder SM Session cookies, variables passed in the URI and to redirect the browser to our Federation server while maintaining the Federation Session ticket.
The requestor will be sent to an error page if any of these conditions exist:
If no SiteMinder SM Session is provided there is an error
If no Resume Path is set, meaning there is no Ping Federation ticket
If browser posts the request and was already sent to the script within 15 seconds, indicating a loop
I have used several code examples on Perl Monks, forgive me for not detailing each one in the script below....
I will gladly accept any tips to make the code more terse/concise, thanks in advance!
The script is hosted on Apache and is called like the following:
https://localhost/wrp/resumepath.pl?resumePath=%2Fidp%2FXRTG8%2Fresume%2Fidp%2Fprp.ping&env=prod
#!/usr/bin/perl
#
# PROGRAM: resumepath.pl
#
# PURPOSE: This script checks the request for cookies and environment variables and redirects customer
# back to the federation environment with good session
# CREATED: June 30, 2015 by Mitchell Lewars
# Thanks for help to Björn Vildljung
# Lots of examples used from Perl Monks web site
use CGI qw(:standard);
#use warnings;
$query = CGI->new;
$perror = 0; #// Set to 1 in case of an error.
$wearelooping = 0; #// Set to 1 if a user returns within 15 seconds, indicating a redirect loop.
$redirectURL = "https://federate-qa.localhost.com";
#---- Next get the current values
$gotcookies = $ENV{"HTTP_COOKIE"};
$env = $query->param('env');
$resumepath = $query->param('resumePath');
#// Check for the env= entry in the URL. If it is set to prod, use prod federation, else use QA.
#// Compare exactly: a regex match would also accept any value that merely contains "prod".
if ( defined $env && $env eq 'prod' ) { $redirectURL = "https://federate.localhost.com" }
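#// Check that the PF-session information is passed as expected, if not, we got an error. Otherwise, add it to redirectURL.
#// The value is appended directly after the host name, so require a leading "/" and no whitespace; that keeps the redirect on the federation host.
if ( defined $resumepath && $resumepath =~ m{\A/\S*\z} ) { $redirectURL .= $resumepath }
else { $perror = 1 }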
# Verify that there is an SMSESSION, otherwise we got somebody accessing us the wrong way, and therefore probably for the wrong reasons. ERROR!
#$perror = 1; # if customer has no SMSESSION they reached this page in error
if ( !defined $gotcookies || $gotcookies !~ /smsession/i ) { $perror = 1 }
# Check if there is already an SMPF, if so we are looping
if ( defined $gotcookies && $gotcookies =~ /smpf/i ) { $wearelooping = 1 }
#// Check to see if a Cookie named SMPF is available. If not, we set it and give it a 15 second lifetime. If it is there, we got a redirect loop.
if ( ($wearelooping == 0) && ($perror == 0) ) {
    $cookie = $query->cookie(-name=>'SMPF',
                             -value=>'1',
                             -expires=>'+15s',
                             -path=>'/');
    print $query->redirect(
        -cookie => $cookie,
        -uri => $redirectURL);
    print $query->start_html(
        -title=>'Login');
    print $query->end_html;
}
else {
    $cookie = $query->cookie(-name=>'SMPF',
                             -value=>'',
                             -expires=>'now',
                             -path=>'/');
    print $query->header(-cookie=>$cookie);
    print $query->meta('');
    print $query->start_html('Login');
    print $query->body("<big><big><b>Redirect loop!</b></big></big><br><br> You have been assigned a SESSION-cookie, as confirmation that you have successfully logged in. For some reason the login-servers who needs this cookie is not getting it from your browser, causing a loop of redirection. Please try to go back to the site you want to login to and try again. <b>You should not need to enter your credentials again</b>. If this error is reoccurring for you, try using a different browser.");
    print $query->end_html;
}
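
A stricter way to build the redirect target from env and resumePath, as an added example that is not part of the original post: the two hosts come from the script above, while build_redirect(), the accepted character set and the sample inputs are assumptions made for illustration.

```perl
# Added example, not the original script: build the redirect target from
# untrusted query parameters. build_redirect() and the cases are constructed.
use strict;
use warnings;

# Fixed allowlist of federation hosts (the two hosts used in the script above).
my %FEDERATION = (
    prod => 'https://federate.localhost.com',
    qa   => 'https://federate-qa.localhost.com',
);

# Returns the full redirect URL, or undef when the request must be rejected.
sub build_redirect {
    my ($env, $resume_path) = @_;

    # Exact match on env: only the literal "prod" selects production.
    my $base = $FEDERATION{ defined $env && $env eq 'prod' ? 'prod' : 'qa' };

    return unless defined $resume_path && length $resume_path;

    # The value is appended to the host, so accept only an absolute path.
    # Assumption: the character set seen in the sample URL is sufficient.
    return unless $resume_path =~ m{\A/[A-Za-z0-9._~/-]*\z};

    # Reject "//" and "." / ".." segments.
    return if $resume_path =~ m{//|/\.\.?(?:/|\z)};

    return $base . $resume_path;
}

# Constructed inputs: [ env, resumePath, expected result (undef = rejected) ]
my $ping = '/idp/XRTG8/resume/idp/prp.ping';
my @cases = (
    [ 'prod',    $ping,              "https://federate.localhost.com$ping" ],
    [ 'qa',      $ping,              "https://federate-qa.localhost.com$ping" ],
    [ 'nonprod', $ping,              "https://federate-qa.localhost.com$ping" ],
    [ 'prod',    '.example.net/x',   undef ],   # no leading slash
    [ 'prod',    '//example.net/x',  undef ],   # empty path segment
    [ 'prod',    '/idp/../x',        undef ],   # dot segment
    [ 'prod',    undef,              undef ],   # parameter missing
);

for my $case (@cases) {
    my ($env, $path, $want) = @$case;
    my $got = build_redirect($env, $path);
    my $ok  = ($got // 'undef') eq ($want // 'undef');
    printf "%-4s env=%-7s resumePath=%s\n",
        $ok ? 'ok' : 'FAIL', $env, $path // '(missing)';
}
```

In the CGI itself, an undef return would take the same branch as the missing-resumePath case and set the error flag.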