Test user is entering valid credentials and should be authorized for the application, but they are returned to the login screen.

Release : ALL

Studying a browser trace showed that a SMSESSION cookie was being set upon the user posting credentials to the .fcc page and the user was redirected to the protected application.  When requesting the protected application, however, the browser was not presenting the session cookie that was set in the previous request.  It appeared as though the browser was not accepting the cookie.  This affected Edge and Chrome, but not Mozilla.

This was occurring because the SameSite=none cookie attribute was being set on the SMSESSION cookie, but the /secure attribute was not being set.  

Updating the web agent Agent Configuration Object (ACO) to include UseSecureCookies=yes allowed the browser to accept the session cookie and present it on the next request.  This allowed the test user to access the application successfully.

Similar symptoms will occur when UseSecureCookies=yes and the protected URL is accessed via http rather than https.  In this instance the browser accepts the cookie, but will not present the cookie over an http connection, thus by the default the user would be rechallenged for authentication.  To resolve this the protected application should either be accessed via https (preferred) or set UseSecureCookies=no.