We're running a Web Agent Option Pack and when a user tries to reach
the SP side after IDP authentication, the browser gets error 500 and
the Federation Service reports:
[05/01/2020][11:53:51][18675][3560912640][6f3d5b0e-9f7101d1-bead3e79-f5cdfd77-44451s2-2ba][FWSBase.java][createSessionCookie][Placing smsession in browser [CHECKPOINT = SSO_PLACESMSSESSIONTOBROWSER_REQ]]
[05/01/2020][11:53:51][18675][3560912640][6f3d5b0e-9f7101d1-bead3e79-f5cdfd77-44451s2-2ba][FWSBase.java][createSessionCookie][Transaction with ID: 6f3d5b0e-9f7101d1-bead3e79-f5cdfd77-44451s2-2ba failed. Reason: FWSB_SESSION_COOKIE_CREATION_ERROR]
[05/01/2020][11:53:51][18675][3560912640][6f3d5b0e-9f7101d1-bead3e79-f5cdfd77-44451s2-2ba][FWSBase.java][createSessionCookie][Exception occured during SESSION cookie creation. Exception: An invalid domain [.mydomain.local] was specified for this cookie]
[05/01/2020][11:53:51][18675][3560912640][6f3d5b0e-9f7101d1-bead3e79-f5cdfd77-44451s2-2ba][FWSBase.java][createSessionCookie][Ending the request processing with the HTTP response code: 500]
How can we fix that?
Moreover, we see 2 SMSESSION cookies created with 2 different domains. The
Web Agent Option Pack creates one with domain
"Domain=.mymachine.mysubsubdomain.mysubdomain.mydomain.com"
which doesn't make sense because it is a machine name, not a domain,
but still the cookie will only be used with that machine, and the Web
Agent creates another one with
"domain=.mysubdomain.mydomain.com"
How can we fix both behaviors? Are they related?
Web Agent Option Pack on Tomcat 9.0.36 on RedHat 7;
Web Agent 12.52SP1CR09 on IIS 10 on Windows 2016;
Policy Server 12.8SP3 on Windows 2016;
Both issues aren't related. Keep in mind that the Web Agent Option
Pack and the Web Agent don't share the same ACO parameters, and the
Agent embedded in the Web Agent Option Pack has a very limited list of
ACO parameters available:
Web Agent Option Pack :: ACO : Full List
https://knowledge.broadcom.com/external/article?articleId=49319
As such, the Web Agent Option Pack is not designed to run as a backend Web
Agent which is proxied by another Web Agent. In your setting the Web
Agent running on IIS 10 is an ARR proxy to the backend Web Agent Option
Pack.
That said, to fix the issue "Exception: An invalid domain", configure
the LegacyCookieProcessor feature on the Tomcat server according to the
recommendations here:
Legacy Federation Troubleshooting
https://techdocs.broadcom.com/content/broadcom/techdocs/us/en/ca-enterprise-software/layer7-identity-and-access-management/single-sign-on/12-52-01/troubleshooting/legacy-federation-troubleshooting.html
You can also fix the cookie domains, which aren't the same, by
configuring ARR on IIS with the following rule:
<proxy enabled="true" reverseRewriteHostInResponseHeaders="false" />
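For reference, this is what the LegacyCookieProcessor setting referred to in the answer looks like in Tomcat's configuration. It is an added illustration, not part of the original answer or of the Broadcom documentation; the <CookieProcessor> element and class name are Tomcat's own, and the file location assumed here (conf/context.xml) is the standard one for a setting that should apply to every web application on the instance.

```xml
<!-- $CATALINA_BASE/conf/context.xml (Tomcat 9): applies to every web application
     deployed on this Tomcat instance. To limit the change to the Web Agent Option
     Pack webapp only, put the same <CookieProcessor> element in that application's
     META-INF/context.xml instead. -->
<Context>
    <!-- Tomcat 8.5 and 9 default to Rfc6265CookieProcessor, which validates the
         cookie Domain attribute and throws an IllegalArgumentException while
         generating the Set-Cookie header when the value does not pass its rules.
         That exception is what the Federation Service logs as
         "An invalid domain [...] was specified for this cookie" before answering 500.
         LegacyCookieProcessor restores the pre-8.5 (RFC 2109 style) handling and
         accepts the SMSESSION cookie domain set by the Web Agent Option Pack.
         Note that it is the less strict of the two processors, so apply it only
         where the Option Pack needs it. -->
    <CookieProcessor className="org.apache.tomcat.util.http.LegacyCookieProcessor" />

    <!-- stock entry from the default context.xml, left unchanged -->
    <WatchedResource>WEB-INF/web.xml</WatchedResource>
</Context>
```

Tomcat reads conf/context.xml at startup, so restart the instance after the change and confirm the SESSION cookie creation error no longer appears in the Federation Service log.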