How can I trust that the SiteMinder HTTP headers haven't been tampered with?

Backend · Unresolved · 5 answers · 1437 views
有刺的猬 2021-02-01 07:20

I am completely new to SiteMinder and SSO in general. I poked around on SO and CA's web site all afternoon for a basic example and can't find one. I don't care about setting

5 answers
  •  灰色年华
    2021-02-01 07:40

    The typical enterprise architecture will be Webserver (SiteMinder Agent) + AppServer (Applications).

    Say IP filtering is not enabled, and web requests are allowed directly to the AppServer, bypassing the webserver and the SSO agent.

    If applications have to implement a solution to assert that the request headers / cookies are not tampered with / injected, do we have any solution similar to the following?

    • Send the SM_USERID encrypted in a separate cookie, or encrypted (sym/asym) along with the SMSESSION id
    • The application will use the key to decrypt the SMSESSION or SM_USERID to retrieve the user id, session expiry status and any other additional details, and authorization details if applicable.
    • The application now trusts the user_id and does authentication

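The scheme sketched in the answer above, as an added example that is not part of the original post and not SiteMinder's own mechanism: the web tier (where the agent has already authenticated the user) binds the asserted user id to an expiry and a nonce and authenticates it with an HMAC under a key shared only with the app tier; the app tier accepts `SM_USER` only when the accompanying token verifies and has not expired. HMAC is used rather than encryption because the threat the answer describes is tampering and injection, not disclosure. The header name `X-SM-TOKEN`, the `SHARED_KEY` value, and the `issue_token` / `verify_token` / `user_from_request` helpers are assumptions for illustration; `SM_USER` is the header the SiteMinder agent sets. Note that if the app server is directly reachable, the key must be provisioned out-of-band to the two tiers only, and restricting the app tier so that it is reachable solely through the agent-fronted web server remains the stronger control.

```python
import base64
import hashlib
import hmac
import json
import secrets
import time

# Constructed sample key for the example. In a real deployment this is
# provisioned out-of-band to the web server (agent tier) and app server only,
# and is never sent to, or derivable by, the client.
SHARED_KEY = b"example-shared-key-replace-me"


def _b64encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def _b64decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def issue_token(user_id: str, ttl_seconds: int = 300, key: bytes = SHARED_KEY, now=None) -> str:
    """Web tier: after the agent has authenticated the user, bind the user id to an
    expiry and a nonce, then MAC the encoded claims so the app tier can detect tampering."""
    now = time.time() if now is None else now
    claims = {"sub": user_id, "exp": int(now) + ttl_seconds, "nonce": secrets.token_hex(8)}
    body = _b64encode(json.dumps(claims, separators=(",", ":"), sort_keys=True).encode())
    tag = hmac.new(key, body.encode(), hashlib.sha256).digest()
    return body + "." + _b64encode(tag)


def verify_token(token: str, key: bytes = SHARED_KEY, now=None):
    """App tier: return the user id only if the MAC matches and the token is unexpired;
    return None for anything malformed, forged, tampered with, or expired."""
    now = time.time() if now is None else now
    try:
        body, tag = token.split(".")
        presented = _b64decode(tag)
    except (ValueError, TypeError):
        return None
    expected = hmac.new(key, body.encode(), hashlib.sha256).digest()
    # Constant-time comparison: do not leak how many tag bytes matched.
    if not hmac.compare_digest(expected, presented):
        return None
    claims = json.loads(_b64decode(body))
    if claims.get("exp", 0) <= now:
        return None
    return claims.get("sub")


def user_from_request(headers: dict, key: bytes = SHARED_KEY, now=None):
    """App tier entry point: trust the SM_USER header only when the token the web tier
    attached verifies and names the same user. Otherwise treat the request as anonymous,
    which is what a request that bypassed the agent should be."""
    token = headers.get("X-SM-TOKEN")
    uid = verify_token(token, key, now) if token else None
    if uid is None or uid != headers.get("SM_USER"):
        return None
    return uid


if __name__ == "__main__":
    # Web tier issues the token for the agent-authenticated user.
    tok = issue_token("alice")
    # App tier: legitimate request carrying both the header and the token.
    print(user_from_request({"SM_USER": "alice", "X-SM-TOKEN": tok}))
    # App tier: injected header with no token, or a header that disagrees with the token.
    print(user_from_request({"SM_USER": "alice"}))
    print(user_from_request({"SM_USER": "bob", "X-SM-TOKEN": tok}))
```

The `exp` claim gives the app tier the session-expiry check the answer asks for without a round trip to the policy server; the `nonce` only makes each issued token distinct and does not by itself prevent replay within the TTL, so a short TTL (or a per-request binding) is the knob to tune if replay from a captured token is in scope.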