User can Authenticate at IDP, but Instead of Assertion Generated, User is Rechallenged

Article Id: 197491

Status: Published

Updated On: 17-08-2020 16:59

Products:

CA Single Sign On Agents (SiteMinder) , CA Single Sign On Federation (SiteMinder) , SITEMINDER

Issue/Introduction:

Users are able to successfully authenticate at the IDP, however, the Web Agent Option Pack is not accepting the session. The error in the FWSTrace.log is:
Request doesn't contain session ID header. Session cookie[SMSESSION]is not valid.

Cause:

When Web Agent and Web Agent Option Pack are on separate hosts, they need to be put in Proxy Mode, else the Option Pack will not effectively trust the sessions the Web Agent creates.

Environment:

Release : ALL

Component : SITEMINDER - FEDERATION

Resolution:

Since Web Agent and Web Agent Option Pack are on separate hosts, set ProxyAgent=yes on Web Agent ACO, and ProxyTrust=yes on Web Agent Option Pack ACO to put both in Proxy Mode..