User can Authenticate at IDP, but Instead of Assertion Generated, User is Rechallenged

book

Article ID: 197491

calendar_today

Updated On:

Products

CA Single Sign On Agents (SiteMinder) CA Single Sign On Federation (SiteMinder) SITEMINDER

Issue/Introduction

Users are able to successfully authenticate at the IDP, however, the Web Agent Option Pack is not accepting the session.  The error in the FWSTrace.log is:
Request doesn't contain session ID header. Session cookie[SMSESSION]is not valid.

Cause

When Web Agent and Web Agent Option Pack are on separate hosts, they need to be put in Proxy Mode, else the Option Pack will not effectively trust the sessions the Web Agent creates.

Environment

Release : ALL

Component : SITEMINDER - FEDERATION

Resolution

Since Web Agent and Web Agent Option Pack are on separate hosts, set ProxyAgent=yes on Web Agent ACO, and ProxyTrust=yes on Web Agent Option Pack ACO to put both in Proxy Mode..