CA Single Sign On Secure Proxy Server (SiteMinder)AXIOMATICS POLICY SERVERCA Single Sign On SOA Security Manager (SiteMinder)CA Single Sign-On
We're running IdP and SP on different machines but with the same Domain Name. We segregate the cookies using SSOZoneName ACO parameter. Once the SP session terminates, both IDP SMSESSION and SP MY_SESSION cookies gets the value of LOGGEDOFF. The SP MY_SESSION cookie gets removed from the browser. But the SMSESSION cookie doesn't.
As the SMSESSION cookie reaches the IDP Web Agent Option Pack, the transaction fails and the IDP Web Agent Option Pack reports not to be able to decode the SMSESSION cookie.
[04/05/2019][14:30:09][ff2b8c68-4af83a86-98aa3999- 3e7b55c0-64f7c1f9-b6b][FWSBase.java][isValidSession][Trying to validate using SMSESSION cookie.]
[04/05/2019][14:30:09][ff2b8c68-4af83a86-98aa3999- 3e7b55c0-64f7c1f9-b6b][FWSBase.java][isValidSession][Could not decryptSMSESSION cookie. Error message: Tried out all the decrypt keys, decryption failed..]
How can we fix that ?
The problem is that the SMSESSION=LOGGEDOFF cookie reaches the Web Agent Option Pack at IDP side and that there's no Web Agent to handle this SMSESSION=LOGGEDOFF and to remove it from the browser. The Web Agent only handle the MY_ cookie. It's configured with SSOZoneName=MY_. More, out of the box, the Web Agent Option Pack doesn't remove any cookies from the browser. The aftermath is that the SMSESSION=LOGGEDOFF arrives to the IDP Web Agent Option Pack and this one cannot handle the value LOGGEDOFF.
The IDP Web Agent Option Pack is configured to trust SM and MY_ cookies :
[246584/148340][Thu Apr 04 2019 16:53:35][FWSAgentConfig.java][INFO][sm-FedClient-00190] SSOZoneName not specified. Using default: SM
The MY_SESSION is expired, get logged out, and removed from the browser by the Web Agent :
[04/05/2019][14:30:03][CSmHttpPlugin.cpp:6768] [CSmHttpPlugin::ProcessSessionCookie][00000000000000000000000046 ad2ea0-7087-5ca74a4b-227f4700-3f6f311c7a27][*10.0.0.1][myagent] [/affwebservices/public/saml2sso?SPID=mysp][MY_SESSION cookie has expired and will not be used to authenticate.]
[04/05/2019][14:30:03][CSmHttpPlugin.cpp:2228] [CSmHttpPlugin::EstablishSession][00000000000000000000000046ad2e a0-7087-5ca74a4b-227f4700-3f6f311c7a27][*10.0.0.1][myagent] [/affwebservices/public/saml2sso?SPID=mysp][Unable to process MY_SESSION cookie.]
but as the Web Agent is configured to handle the MY_ session cookie, then the SMSESSION cookie never gets removed from the browser. The IDP Web Agent Option Pack then is unable to decode the SMSESSION value and the transaction fails. User doesn't get redirected to the login page.
If you replay the issue, and at time you get the problem, you go in the memory of the browser and you remove the SMSESSION=LOGGEDOFF cookie, then you will be in the flow again.
Release: MSPSSO99000-12.8-Single Sign-On-for Business Users-MSP Component:
Use 2 different Web Agents having different ACO's and different SSOZoneName values to solve the issue.
You might also customize the Apache Server to remove the SMSESSION=LOGGEDOFF cookie from the browser.