When running 3 Web Agents, if a user accesses a page containing an iframe whose content is served by another Web Agent in a different domain, the SMSESSION cookie is not sent to that Web Agent and the request is sent back to the cookie provider.
The scenario is as follows:
Configuration:
Cookie provider URL = http://wa.example.com/smmakecookie.ccc
Cookie provider cookie domain = .example.com
Cookie provider samesite value = none
Application 1 URL = http://mywa.example.org/index.html
Application 1 cookie domain = .example.org
Application 1 cookie provider URL = http://wa.example.com/smmakecookie.ccc
Application 1 samesite value = nothing set, so the browser takes it as LAX
Application 2 URL = http://mywa.example.net/index.html
Application 2 cookie domain = .example.net
Application 2 cookie provider URL = http://wa.example.com/smmakecookie.ccc
Application 2 samesite value = nothing set, so the browser takes it as LAX
3 Web Agents 12.52SP1CR10 with SameSite patches 64bit on Apache 2.4 64bit on RedHat 6;
Policy server 12.8SP3 on RedHat6;
The scenario involves 2 of the use cases described in the documentation (1):
As such, apply the samesite fix on the 3 Web Agents.
The following iframe code on the page makes the use case work with Internet Explorer when using the HTML Form Authentication Scheme.
The target page served by app 1 mywa.example.org:
<!DOCTYPE html>
<html>
<body>
<h1>The iframe element</h1>
This is test page
<form action="action" method="post" target="output_frame">
<!-- input elements here -->
</form>
<iframe name="output_frame" src="http://mywa.example.net/home/index.html" id="output_frame">
</iframe>
</body>
</html>
The http://mywa.example.net/home/index.html resource has this code:
<html>home</html>
First, configure the Cookie Provider and both Web Agents as follows:
wa.example.com (cookie provider):
[6054/3339433728][Fri Jul 10 2020 10:55:21] cookiedomain='.example.com'.
[6054/3339433728][Fri Jul 10 2020 10:55:21] cookiedomainscope='0'.
[6054/3339433728][Fri Jul 10 2020 10:55:21] enablecookieprovider='yes'.
[6054/3339433728][Fri Jul 10 2020 10:55:21] limitcookieprovider='no'.
[6054/3339433728][Fri Jul 10 2020 10:55:21] trackcpsessiondomain='yes'.
[6054/3339433728][Fri Jul 10 2020 10:55:21] tracksessiondomain='no'.
mywa.example.org (app 1)
[5505/2828023552][Fri Jul 10 2020 10:48:12] cookiedomain=''.
[5505/2828023552][Fri Jul 10 2020 10:48:12] cookiedomainscope='0'.
[5505/2828023552][Fri Jul 10 2020 10:48:12] cookieprovider='http://wa.example.com/smmakecookie.ccc'.
[5505/2828023552][Fri Jul 10 2020 10:48:12] enablecookieprovider='no'.
[5505/2828023552][Fri Jul 10 2020 10:48:12] limitcookieprovider='no'.
[5505/2828023552][Fri Jul 10 2020 10:48:12] tracksessiondomain='no'.
mywa.example.net (app 2 embedded iframe in mywa.example.org)
[5512/991487744][Fri Jul 10 2020 10:48:47] cookiedomain=''.
[5512/991487744][Fri Jul 10 2020 10:48:47] cookiedomainscope='0'.
[5512/991487744][Fri Jul 10 2020 10:48:47] cookieprovider='http://wa.example.com/smmakecookie.ccc'.
[5512/991487744][Fri Jul 10 2020 10:48:47] enablecookieprovider='no'.
[5512/991487744][Fri Jul 10 2020 10:48:47] limitcookieprovider='no'.
[5512/991487744][Fri Jul 10 2020 10:48:47] tracksessiondomain='no'.
With iexplore (Internet Explorer) it works: the user needs to log in only once at mywa.example.org and the browser gets the embedded mywa.example.net page.
With chrome (Google Chrome) it doesn't work: the user logs in at mywa.example.org and is then asked to log in again at mywa.example.net.
After trying to reach mywa.example.net, the browser gets redirected to the Cookie Provider.
The cookie for the Cookie provider isn't sent, so the Cookie Provider cannot create one for mywa.example.net.
Changing the configuration on the Cookie Provider to use the ACO parameter from the Samesite enhancement:
wa.example.com (cookie provider):
[6054/3339433728][Fri Jul 10 2020 10:55:21] cookiedomain='.example.com'.
[6054/3339433728][Fri Jul 10 2020 10:55:21] cookiedomainscope='0'.
[6054/3339433728][Fri Jul 10 2020 10:55:21] enablecookieprovider='yes'.
[6054/3339433728][Fri Jul 10 2020 11:09:59] getcpcookie='yes'.
[6054/3339433728][Fri Jul 10 2020 10:55:21] limitcookieprovider='no'.
[6054/3339433728][Fri Jul 10 2020 11:09:59] samesite='None'.
[6054/3339433728][Fri Jul 10 2020 10:55:21] trackcpsessiondomain='yes'.
[6054/3339433728][Fri Jul 10 2020 10:55:21] tracksessiondomain='no'.
Now, with chrome (Google Chrome) it still doesn't work: the user needs to log in only once at mywa.example.org, but the resource from mywa.example.net doesn't show up.
In Fiddler traces, after trying to reach mywa.example.net, the browser gets redirected to the Cookie Provider.
This time a cookie is sent to the example.net domain, but the Agent from example.net goes back to the Cookie Provider in a loop because the Cookie Provider doesn't receive the expected cookie.
The browser then shows the following error:
wa.example.com redirected you too many times.
Finally, keeping the Cookie Provider with the same configuration and adding the Samesite ACO for both the other Web Agents:
wa.example.com (cookie provider):
[6054/3339433728][Fri Jul 10 2020 10:55:21] cookiedomain='.example.com'.
[6054/3339433728][Fri Jul 10 2020 10:55:21] cookiedomainscope='0'.
[6054/3339433728][Fri Jul 10 2020 10:55:21] enablecookieprovider='yes'.
[6054/3339433728][Fri Jul 10 2020 11:09:59] getcpcookie='yes'.
[6054/3339433728][Fri Jul 10 2020 10:55:21] limitcookieprovider='no'.
[6054/3339433728][Fri Jul 10 2020 11:09:59] samesite='None'.
[6054/3339433728][Fri Jul 10 2020 10:55:21] trackcpsessiondomain='yes'.
[6054/3339433728][Fri Jul 10 2020 10:55:21] tracksessiondomain='no'.
mywa.example.org (app 1)
[5505/2828023552][Fri Jul 10 2020 10:48:12] cookiedomain=''.
[5505/2828023552][Fri Jul 10 2020 10:48:12] cookiedomainscope='0'.
[5505/2828023552][Fri Jul 10 2020 10:48:12] cookieprovider='http://wa.example.com/smmakecookie.ccc'.
[5505/2828023552][Fri Jul 10 2020 10:48:12] enablecookieprovider='no'.
[5505/2828023552][Fri Jul 10 2020 10:48:12] limitcookieprovider='no'.
[5505/2828023552][Fri Jul 10 2020 11:09:59] samesite='None'.
[5505/2828023552][Fri Jul 10 2020 10:48:12] tracksessiondomain='no'.
mywa.example.net (app 2 embedded iframe in mywa.example.org)
[5512/991487744][Fri Jul 10 2020 10:48:47] cookiedomain=''.
[5512/991487744][Fri Jul 10 2020 10:48:47] cookiedomainscope='0'.
[5512/991487744][Fri Jul 10 2020 10:48:47] cookieprovider='http://wa.example.com/smmakecookie.ccc'.
[5512/991487744][Fri Jul 10 2020 10:48:47] enablecookieprovider='no'.
[5512/991487744][Fri Jul 10 2020 10:48:47] limitcookieprovider='no'.
[5512/991487744][Fri Jul 10 2020 11:09:59] samesite='None'.
[5512/991487744][Fri Jul 10 2020 10:48:47] tracksessiondomain='no'.
Then the use case works as expected. The user logs in only once at mywa.example.org, and the iframe-embedded page at example.net gets its expected cookie and shows up in the example.org page:
http://mywa.example.org/home/index.html
The iframe element
This is test page
+------+
| home |
| |
| |
+------+
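The three outcomes observed above can be reproduced from the agent configuration dumps alone. The following is an added example, not SiteMinder code and not part of the original article: it parses dump lines in the format shown above and applies a simplified model of the browser's SameSite rule to the framed request. The function names and outcome labels are hypothetical, and only the SameSite attribute is modelled.

```python
import re

# Agent config dump line as shown in the article: [pid/tid][date] key='value'.
LINE = re.compile(r"^\[\d+/\d+\]\[[^\]]+\]\s+(\w+)='([^']*)'\.$")

def parse_aco(dump):
    """Return {parameter: value} from an agent configuration dump."""
    params = {}
    for line in dump.strip().splitlines():
        m = LINE.match(line.strip())
        if m:
            params[m.group(1).lower()] = m.group(2)
    return params

def sent_cross_site(params):
    """Simplified model (assumption): a cookie is attached to a request made
    from a cross-site iframe only when it is SameSite=None; with no samesite
    parameter the browser treats the cookie as Lax and withholds it."""
    return params.get("samesite", "").lower() == "none"

def iframe_outcome(provider_dump, framed_dump):
    """Predict what the user sees for the resource of the framed agent."""
    provider, framed = parse_aco(provider_dump), parse_aco(framed_dump)
    if not sent_cross_site(provider):
        return "second login"     # provider cookie withheld inside the frame
    if not sent_cross_site(framed):
        return "redirect loop"    # framed agent's cookie is Lax, withheld too
    return "single sign-on"

# Constructed samples in the article's format (values taken from the article).
CP_OLD = "[6054/3339433728][Fri Jul 10 2020 10:55:21] enablecookieprovider='yes'."
CP_NEW = CP_OLD + "\n[6054/3339433728][Fri Jul 10 2020 11:09:59] samesite='None'."
APP2_OLD = "[5512/991487744][Fri Jul 10 2020 10:48:47] enablecookieprovider='no'."
APP2_NEW = APP2_OLD + "\n[5512/991487744][Fri Jul 10 2020 11:09:59] samesite='None'."

if __name__ == "__main__":
    for cp, app in ((CP_OLD, APP2_OLD), (CP_NEW, APP2_OLD), (CP_NEW, APP2_NEW)):
        print(iframe_outcome(cp, app))
```

Running the check against the real dumps of the cookie provider and of every agent whose pages are framed shows which agent still lacks the samesite parameter before the change is tested in a browser.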