When running 2 Policy Servers (A and B) and when user login in a
persistent realm in environment A, when it tries to reach a non
persistent realm in environment B, he's challenged again.
The Policy Server in environment B reports :
[CSm_Auth_Message::SendReply][** Status: Not Validated. Failed to update persistent session in Session Services]
User session should be accepted without having to challenge again.
Note that if both environments realms are non persistent, then user
doesn't get challenged again.
Policy Server 12.8SP3 on RedHat 6;
Policy Server 12.52SP1 on RedHat 6;
At first glance, the flow works as designed, as the SMSESSION cookie
has a SessionSpec data which includes if the Session is persistent or
not (1).
In this specific use case, the SessionSpec SessionPersistent data
is set, then, when validating the session, the Policy Server from
envrionment B tries to find the data in a Session Store, and as it
cannot find the data in a Session Store, it reports the error.
In order to get SSO, realms should be the same type, and not
a mixture of persistent and not persistent.
when realms are persistents, Session Store should be shared between
the environments, in order for each of them to find the Session that
bring the SMSESSION and to be able to validate it without having to
ask for credentials. Both environments should share the same Session
Store.
(1)
What information is stored in the SMSESSION Cookie
SESSIONSPEC can only be decrypted by Policy server. It contains
following information :
SessionPersistent
https://knowledge.broadcom.com/external/article?articleId=45705