IWA page is getting flashed in between when changing plan numbers on Statements page


Article ID: 221717



SITEMINDER CA Single Sign On Agents (SiteMinder)


One of the application teams is migrating an internal application to SiteMinder R12.8 policy servers. While testing the application functionality, clicking a link that results in a POST request caused users to see a page with the message:

Redirecting to complete authentication

This interim page is used by SiteMinder to redirect you through the logon process while maintaining your POST data. You will be forwarded to continue the authentication and authorization process and retain the POST parameters.



The POST request was being made via HTTP (not HTTPS), but the session cookie had the Secure flag set, so the session cookie was not presented on the POST request and the user was therefore challenged for authentication.

The 'Redirecting to complete authentication' page is always called when a user is redirected for authentication on a POST request while post preservation is enabled. In most instances, however, authentication completes quickly enough that users never actually see the post preservation page. The design of the application in question also has frequent GET requests between POST requests, so a timed-out session is usually encountered during a GET rather than a POST request, which further decreases the chances that a user ever sees the post preservation page during a POST request.

This functionality is the same in all supported releases of SiteMinder, so the behavior was not related to the customer's 12.8 migration.


Release : All

Component : Web Agent


Since this protected application does not force HTTPS and allows HTTP, the UseSecureCookies Agent Configuration Object parameter should be set to No.
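The cause and the effect of the setting can be reproduced offline with a standard cookie jar standing in for the browser. This is an added example, not Broadcom code: the host name, path, POST body and token are constructed, SMSESSION is SiteMinder's session cookie name, and the two Set-Cookie strings model a cookie issued with and without the Secure attribute.

```python
"""Added illustration: why a Secure session cookie is missing from an HTTP POST."""
import urllib.request
from email.message import Message
from http.cookiejar import CookieJar

# Constructed sample values; SMSESSION is SiteMinder's session cookie name.
HOST = "app.example.test"
SECURE_COOKIE = "SMSESSION=CONSTRUCTED_TOKEN; Path=/; Secure"  # models UseSecureCookies=Yes
PLAIN_COOKIE = "SMSESSION=CONSTRUCTED_TOKEN; Path=/"           # models UseSecureCookies=No


class FakeResponse:
    """Smallest object CookieJar.extract_cookies() accepts: info() returns headers."""

    def __init__(self, set_cookie):
        self._headers = Message()
        self._headers["Set-Cookie"] = set_cookie

    def info(self):
        return self._headers


def cookie_sent(set_cookie, scheme, method="POST"):
    """Return the Cookie header a client would attach, or None if it is withheld."""
    jar = CookieJar()
    # The session cookie is issued in response to an HTTPS login (assumed flow).
    login = urllib.request.Request(f"https://{HOST}/login")
    jar.extract_cookies(FakeResponse(set_cookie), login)
    # Follow-up request to the protected page (constructed path and body).
    body = b"plan=1001" if method == "POST" else None
    req = urllib.request.Request(f"{scheme}://{HOST}/statements", data=body, method=method)
    jar.add_cookie_header(req)
    return req.get_header("Cookie")


def challenged(set_cookie, scheme, method="POST"):
    """No session cookie on the request means the user is challenged again."""
    return cookie_sent(set_cookie, scheme, method) is None


if __name__ == "__main__":
    for label, cookie in (("Secure", SECURE_COOKIE), ("non-Secure", PLAIN_COOKIE)):
        for scheme in ("http", "https"):
            print(f"{label:10} cookie, {scheme:5} POST -> challenged={challenged(cookie, scheme)}")
```

Only the combination of a Secure cookie and an HTTP request leaves the request without a session cookie, which is the case that triggers the challenge and the post preservation page.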

Additional Information

This was an internal-only application, which is why HTTP access is allowed. In most production environments, protected applications may only be accessed via HTTPS, and in such cases the UseSecureCookies=Yes setting is recommended.