Customer has implemented a new Federation Partnership in which they are the IDP. After authenticating, users are looping between the saml2sso URL and the Authentication URL.
Release : All
Component : SITEMINDER FEDERATION SECURITY SERVICES
The web agent hosting the login form had LegacyVariables=Yes. As a result, the request reached saml2sso without an SMSERVERSESSIONID header, and /affwebservices rejected the session cookie. saml2sso requires this header in order to validate a session cookie, so agents authenticating federation users should have this parameter set to No when the ACO for /affwebservices is also set to No.
Ensure that the ACO parameters affecting header variables, such as LegacyVariables, are set the same on all agents in an SSO environment.
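
One way to check this consistency across agents, as an added example that is not part of the original article or of the product: the script compares header-affecting parameters across several ACOs and reports any that differ. The `name=value` dump format, the ACO names and the sample values are assumptions constructed for illustration, not a SiteMinder export format.

```python
# Added example: compare header-affecting ACO parameters across agents.
# The "name=value" dump format and the ACO names below are constructed
# for illustration; they are not a SiteMinder export format.

HEADER_PARAMS = ("LegacyVariables",)  # extend with other header-related ACO parameters

SAMPLE_ACOS = {  # constructed sample data
    "login-agent-aco": """
        # agent hosting the login form
        LegacyVariables=Yes
        DefaultAgentName=login_agent
    """,
    "affwebservices-aco": """
        legacyvariables = no
        DefaultAgentName=fws_agent
    """,
    "app-agent-aco": """
        DefaultAgentName=app_agent
    """,
}

def parse_aco(text):
    """Parse 'name=value' lines into a dict keyed by lower-cased parameter name."""
    params = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        name, value = line.split("=", 1)
        params[name.strip().lower()] = value.strip().strip('"').lower()
    return params

def find_mismatches(acos, watched=HEADER_PARAMS):
    """Return {param: {aco_name: value}} for each watched parameter whose value
    is not identical on all ACOs. An absent parameter is reported as '<unset>'
    rather than assumed to equal any default."""
    parsed = {name: parse_aco(text) for name, text in acos.items()}
    report = {}
    for param in watched:
        values = {name: p.get(param.lower(), "<unset>") for name, p in parsed.items()}
        if len(set(values.values())) > 1:
            report[param] = values
    return report

if __name__ == "__main__":
    for param, values in find_mismatches(SAMPLE_ACOS).items():
        print(f"MISMATCH {param}:")
        for aco, value in sorted(values.items()):
            print(f"  {aco:<22} {value}")
```

An ACO that omits the parameter is flagged alongside explicit mismatches, because its effective value depends on the agent's default.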