search cancel

smsession cookie attribute SAMESITE was set as "strict".

book

Article ID: 240929

calendar_today

Updated On:

Products

SITEMINDER CA Single Sign On Agents (SiteMinder) CA Single Sign On Secure Proxy Server (SiteMinder)

Issue/Introduction

In a single sign-on setup, there are multiple regular web agents involved.

When login to one application, noticed smsession cookie was setting SAMESITE as "strict". 

Once that happens, then user could not SSO into other report application, user gets authentication login prompt.

Customer thinks this is the cause of single sign-on failure.

Even though we have verified both side standard agents do not have SAMESITE feature enabled.

And the two applications are in the same cookie domain.

Cause

During troubleshooting, turning on SAMESITE feature on ACO, and deliberately set it to none, has no effect on the SAMESITE result value.

In browser testing, still noticed smsession cookie was setting SAMESITE as "strict" almost instantly.

Environment

Release : 12.8.05

Component : SITEMINDER -WEB AGENT FOR APACHE

Resolution

Customer failed to disclose that one of the agent is integrated with layer 7 API gateway.
The culprit for SAMESITE="strict" is layer 7 API agent configuration.
It has the capability to set SAMESITE "strict" on the fly,  it can also alter ACO UseHTTPOnlyCookies parameter to yes.
 
However, after corrected SAMESITE configuration on layer 7 API agent side, the issue was not resolved. We also disabled regular agent ACO for SAMESITE.
smsession cookie attribute SAMESITE did not cause the single sign-on failure.
 
The true cause is that regular agent will NOT accept (SDK) custom agent's cookie, unless ACO AcceptTPCookie is set to Yes on the regular agent.
Layer 7 API gateway is considered a custom agent.
In the end, Setting ACO AcceptTPCookie=Yes on the regular agent resolved the issue.