Looping on login page when accessing Web application using SAC


Article ID: 266175


Products

Symantec ZTNA

Issue/Introduction

SAC-published Web application using a form-based login page.

Users submit correct credentials but are immediately redirected back to the login page.

Users loop continuously on the application login page when accessing it through SAC.

No issue is seen when going directly to the Web application.

A firewall (Fortigate) sits between the SAC connector and the internal Web application.


Environment

SAC.

Web application with a form-based login page.

Cause

The session cookie set after the credentials are validated carries the Web server's internal domain in its Domain attribute rather than the external SAC domain. Because that Domain value does not match the SAC-published hostname the browser is talking to, the browser never sends the cookie back; the next request therefore arrives unauthenticated and the application redirects to the login page again.

Resolution

Disable inspection of Web packets on the Fortigate firewall sitting between the SAC connector and the Web server.

In this case the Fortigate had a number of security filters (web filter, IPS, etc.) applied to traffic destined for the Web server; these were all disabled.


If this does not resolve the issue, the link translation rules for the Web application can be used to rewrite the Set-Cookie header, where

- the source URL is the internal domain, and

- the destination is the SAC Web application domain name.

Additional Information

When troubleshooting such issues, it is good practice to capture a HAR file on the workstation both when going DIRECT and when going via the SAC service, and compare the two.

In this case the HAR file clearly showed that after the user credentials were POSTed to the back-end service, the session cookie set in the response was scoped to the internal domain:

// User POSTs credentials to the SAC published DNS name at ext-app.bcom.luminatesec.com

POST https://ext-app.bcom.luminatesec.com/CliniSys/login HTTP/2
Host: ext-app.bcom.luminatesec.com
 

// Set-cookie returned should be for bcom.luminatesec.com but is for the internal domain domain.com!

HTTP/2 200 OK
date: Tue, 16 May 2023 11:57:37 GMT
content-type: text/html;charset=ISO-8859-1
content-length: 36
strict-transport-security: max-age=31536000
expires: 0
cache-control: no-cache, no-store, max-age=0, must-revalidate
set-cookie: x-auth-token=332cbe53-f870-4b5e-a2fb-2fd8842448d1; Domain=domain.com; Path=/; HttpOnly
x-xss-protection: 1; mode=block
pragma: no-cache

The SAC solution, in its most basic form, always rewrites domains, but it failed to do so for this application. Identifying what was different between this application and the basic use cases, namely the Fortigate firewall inspecting the traffic, helped identify the root cause and fix the issue.
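The two checks described in this article, scanning a HAR capture for Set-Cookie headers whose Domain attribute the browser will not send back to the SAC-published hostname, and the Set-Cookie rewrite that a link translation rule (source = internal domain, destination = SAC application domain) performs, as an added example. This is illustrative code written for this article, not part of SAC or any vendor tooling; the HAR fragment is constructed from the headers quoted above, and the second entry (a cookie correctly scoped to .bcom.luminatesec.com) is an assumed extra entry that shows a cookie the check does not flag.

```python
"""Flag Set-Cookie headers in a HAR that are scoped to a domain the browser
will not match against the request host, and show the rewritten header.

Added example for this article; not SAC or vendor code.
"""
import json
from urllib.parse import urlsplit

# Constructed HAR fragment. Entry 1 reproduces the article's POST and the
# internally scoped cookie; entry 2 is an assumed, correctly scoped cookie.
SAMPLE_HAR = json.dumps({"log": {"entries": [
    {"request": {"method": "POST",
                 "url": "https://ext-app.bcom.luminatesec.com/CliniSys/login",
                 "headers": [{"name": "Host",
                              "value": "ext-app.bcom.luminatesec.com"}]},
     "response": {"status": 200,
                  "headers": [
                      {"name": "content-type",
                       "value": "text/html;charset=ISO-8859-1"},
                      {"name": "set-cookie",
                       "value": "x-auth-token=332cbe53-f870-4b5e-a2fb-2fd8842448d1; "
                                "Domain=domain.com; Path=/; HttpOnly"}]}},
    {"request": {"method": "GET",
                 "url": "https://ext-app.bcom.luminatesec.com/CliniSys/home",
                 "headers": []},
     "response": {"status": 200,
                  "headers": [{"name": "set-cookie",
                               "value": "pref=1; Domain=.bcom.luminatesec.com; Path=/"}]}},
]}})


def domain_matches(request_host: str, cookie_domain: str) -> bool:
    """RFC 6265 section 5.1.3 domain matching: the host equals the cookie
    domain or ends with '.' + cookie domain. A leading dot is ignored."""
    host = request_host.lower().rstrip(".")
    dom = cookie_domain.lower().lstrip(".").rstrip(".")
    return host == dom or host.endswith("." + dom)


def parse_set_cookie(value: str):
    """Return (cookie name, {lowercased attribute: value}) for one Set-Cookie."""
    parts = [p.strip() for p in value.split(";")]
    name = parts[0].split("=", 1)[0]
    attrs = {}
    for p in parts[1:]:
        k, _, v = p.partition("=")
        attrs[k.strip().lower()] = v.strip()
    return name, attrs


def find_mismatched_cookies(har_text: str):
    """Return (request host, cookie name, Domain attribute) for every
    Set-Cookie whose Domain does not domain-match the host it was sent to.
    Cookies without a Domain attribute are host-only and are never flagged."""
    har = json.loads(har_text)
    mismatches = []
    for entry in har["log"]["entries"]:
        host = urlsplit(entry["request"]["url"]).hostname
        for h in entry["response"].get("headers", []):
            if h["name"].lower() != "set-cookie":
                continue
            name, attrs = parse_set_cookie(h["value"])
            dom = attrs.get("domain")
            if dom and not domain_matches(host, dom):
                mismatches.append((host, name, dom))
    return mismatches


def rewrite_cookie_domain(set_cookie: str, internal: str, external: str) -> str:
    """What a link translation rule (source = internal domain, destination =
    SAC application domain) does to the header: replace the Domain attribute
    and leave the cookie value and every other attribute untouched."""
    pieces = []
    for p in set_cookie.split(";"):
        k, sep, v = p.strip().partition("=")
        if sep and k.lower() == "domain" and v.strip().lstrip(".").lower() == internal.lower():
            pieces.append(f"Domain={external}")
        else:
            pieces.append(p.strip())
    return "; ".join(pieces)


if __name__ == "__main__":
    for host, name, dom in find_mismatched_cookies(SAMPLE_HAR):
        print(f"{host}: cookie {name!r} is scoped to Domain={dom}; "
              f"the browser will not send it back to {host}")
```

Run it against a real HAR by replacing SAMPLE_HAR with the exported file contents; any row it prints for the SAC-published hostname is a cookie the browser will silently drop, which is exactly the symptom of the login loop. The rewrite function shows what the translated header should look like once the link translation rule is in place; it does not touch cookies that carry no Domain attribute, since those are host-only and already correct.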