The customer has implemented a new Federation Partnership in which they are the IdP. After authenticating, users loop between the saml2sso URL and the Authentication URL.
The web agent hosting the login form had LegacyVariables=Yes. As a result, the request reached saml2sso without the SMSERVERSESSIONID header, and /affwebservices rejected the session cookie. saml2sso requires this header in order to validate a session cookie, so agents authenticating federation users should have this parameter set to No when the ACO for /affwebservices is also set to No.
Release: All
Component: SITEMINDER FEDERATION SECURITY SERVICES
Ensure that the ACO parameters affecting header variables, such as LegacyVariables, are set the same on all agents in an SSO environment.
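One way to check for this mismatch across agents is shown below. This is an added example, not code from the product or from the original article. It assumes each ACO has been written out as plain `Name=Value` lines; that dump format, the ACO names, and the sample values are constructed for illustration.

```python
# Added example: compare header-affecting ACO parameters across agents.
# The "Name=Value" dump format and the ACO names are assumptions.

# Parameters to compare. LegacyVariables is the one named in this article;
# extend the tuple with other header-affecting parameters used in your environment.
HEADER_PARAMS = ("LegacyVariables",)


def parse_aco(text):
    """Parse 'Name=Value' lines into a dict keyed by lower-cased name.
    Blank lines and lines starting with '#' are ignored."""
    params = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        name, value = line.split("=", 1)
        # Normalise case and quoting so "Yes", yes and YES compare equal.
        params[name.strip().lower()] = value.strip().strip('"').lower()
    return params


def find_mismatches(acos, names=HEADER_PARAMS):
    """Return {param: {aco_name: value}} for parameters that differ between ACOs.
    A parameter absent from an ACO is reported as '<unset>' instead of
    being assumed to carry a default value."""
    mismatches = {}
    for name in names:
        values = {aco: parse_aco(text).get(name.lower(), "<unset>")
                  for aco, text in acos.items()}
        if len(set(values.values())) > 1:
            mismatches[name] = values
    return mismatches


# Constructed sample dumps: the login-form agent and the /affwebservices agent.
SAMPLE_ACOS = {
    "login_form_aco": 'LegacyVariables="Yes"\nCookieDomain=.example.com\n',
    "affwebservices_aco": "# federation web services\nlegacyvariables = no\n",
}

if __name__ == "__main__":
    for param, values in find_mismatches(SAMPLE_ACOS).items():
        print(f"MISMATCH {param}:")
        for aco, value in sorted(values.items()):
            print(f"  {aco}: {value}")
```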